Sunday, March 23, 2025

FBI warnings are true—fake file converters do push malware | Bleeping Computer March 23, 2025 10:09 AM

If you use an online file converter or downloader, be sure to analyze any file the site returns: if it is an executable or JavaScript, it is most definitely malicious. The FBI says that cybercriminals are creating websites that promote free document converters, download tools, or file merging tools.
"To conduct this scheme, cyber criminals across the globe are using any type of free document converter or downloader tool. This might be a website claiming to convert one type of file to another, such as a .doc file to a .pdf file," continued the FBI
"It might also claim to combine files, such as joining multiple .jpg files into one .pdf file. The suspect program might claim to be an MP3 or MP4 downloading tool."

FBI warnings are true—fake file converters do push malware

By Lawrence Abrams March 23, 2025 10:09 AM


The FBI is warning that fake online document converters are being used to steal peoples’ information and, in worst-case scenarios, to deploy ransomware on victims' devices.

The warning came last week from the FBI Denver field office, after receiving an increasing number of reports about these types of tools.

"The FBI Denver Field Office is warning that agents are increasingly seeing a scam involving free online document converter tools, and we want to encourage victims to report instances of this scam," reads the warning.


While the online tools work as advertised, the FBI says the resulting file may also contain hidden malware that can be used to gain remote access to the infected device.

The FBI also says that the uploaded documents can also be scraped for sensitive information, such as names, social security numbers, cryptocurrency seeds, passphrases, wallet addresses, email addresses, passwords, and banking information.

The FBI Denver field office told BleepingComputer that people are reporting these scams to IC3.gov, with one public sector entity reporting the scam in metro Denver in the last three weeks.

"The scammers try to mimic URLs that are legit – so changing just one letter, or 'INC' instead of 'CO'," Vikki Migoya, the Public Affairs Office for FBI Denver, told BleepingComputer.

“Users who in the past would type ‘free online file converter’ into a search engine are vulnerable, as the algorithms used for results now often include paid results, which might be scams.”

While the FBI told BleepingComputer they could not share any further technical details as it would let the scammers know what is working, threat actors have been known to utilize these tools to deploy malware.
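The lookalike-URL trick FBI Denver describes (one letter changed, or a swapped suffix such as INC for CO) can be caught mechanically before anyone uploads a document. The following is an added example, not code from the article or from the FBI: it compares a submitted URL's hostname against a constructed allowlist of trusted converter domains (the names `goodconvert.com` and `docmerge.co` are placeholders) using edit distance and a TLD-swap check. The domain split is deliberately naive (no public-suffix list), which is an assumption worth replacing in production.

```python
from urllib.parse import urlparse

# Constructed allowlist of converter domains an organisation actually trusts.
# These are placeholder names, not real services.
TRUSTED_DOMAINS = {"goodconvert.com", "docmerge.co"}


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), row-by-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def split_domain(host: str):
    """Naive split into (second-level label, tld).
    Assumption: no public-suffix handling, so 'example.co.uk' is mis-split."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return host.lower(), ""
    return labels[-2], labels[-1]


def classify_url(url: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2) -> dict:
    """Return trusted / lookalike / unknown / invalid for the hostname in url.

    'lookalike' means the registrable label is within max_distance edits of a
    trusted domain, or identical to one but under a different TLD."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower()
    if not host:
        return {"verdict": "invalid", "host": host, "reason": "no hostname"}

    # Exact match or a subdomain of a trusted domain is fine.
    for t in trusted:
        if host == t or host.endswith("." + t):
            return {"verdict": "trusted", "host": host, "reason": f"matches {t}"}

    sld, tld = split_domain(host)
    best = None
    for t in trusted:
        t_sld, t_tld = split_domain(t)
        # Same name, different suffix: the "INC instead of CO" case.
        if sld == t_sld and tld != t_tld:
            return {"verdict": "lookalike", "host": host,
                    "reason": f"same name as {t} with .{tld} instead of .{t_tld}"}
        d = levenshtein(sld, t_sld)
        if best is None or d < best[0]:
            best = (d, t)

    # One or two edits away from a trusted name: the "one letter changed" case.
    if best is not None and 0 < best[0] <= max_distance:
        return {"verdict": "lookalike", "host": host,
                "reason": f"{best[0]} edit(s) from {best[1]}"}
    return {"verdict": "unknown", "host": host, "reason": "not on the trusted list"}


if __name__ == "__main__":
    # Constructed sample URLs exercising each verdict.
    for u in ("https://goodconvert.com/upload", "goodconvrt.com",
              "http://docmerge.inc/", "https://randomsite.net/"):
        print(u, "->", classify_url(u))
```

An "unknown" verdict is not a clean bill of health; it only means the host is neither trusted nor an obvious imitation of something trusted, which matches the article's advice to avoid relatively unknown sites rather than assume they are safe.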

Online converters lead to malware

Some have questioned whether these free document converters can lead to malware and ransomware attacks, and the answer is yes.

Last week, cybersecurity researcher Will Thomas shared some sites that claimed to be online document converters, such as docu-flex[.]com and pdfixers[.]com.

While these sites are no longer available, they distributed Windows executables named Pdfixers.exe [VirusTotal] and DocuFlex.exe [VirusTotal], which are both detected as malware.

A cybersecurity researcher known for tracking the Gootloader infection also reported in November about a Google advertising campaign that promoted fake file converter sites. These sites pretended to convert your files but instead caused you to download the Gootloader malware.

"Visiting this WordPress site (surprise!), I found a form for uploading a PDF to convert it to a .DOCX file inside a .zip," explained the researcher.

"But after passing certain checks—being from an English-speaking country and not having visited in the past 24 hours on the same class C subnet—users instead receive a .JS file inside the .zip rather than a genuine .DOCX."

This JavaScript file is Gootloader, a malware loader known for downloading additional malware, such as banking trojans, infostealers, malware downloaders, and post-exploitation tools, like Cobalt Strike beacons.
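The swap the Gootloader researcher describes, a .JS inside the .zip where a .DOCX was promised, is exactly the kind of thing a download-side check can catch before the archive is opened by hand. The following is an added example, not code from the article or from any of the researchers quoted: it inspects an archive returned by a converter, flags script or executable extensions, double extensions, and PE/ELF headers, and verifies that a member named .docx is really an OOXML package (a zip containing `[Content_Types].xml` and a `word/` part). The three sample archives are constructed inline, with inert placeholder contents, and the magic-byte table is a hand-written assumption rather than libmagic.

```python
import io
import zipfile

# Extensions a document conversion should never hand back.
SCRIPT_OR_EXEC_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".ps1",
                       ".exe", ".scr", ".dll", ".com", ".bat", ".cmd", ".lnk", ".msi"}
MAX_MEMBER_BYTES = 50 * 1024 * 1024  # refuse to inflate oversized members (zip-bomb guard)


def _magic_type(data: bytes) -> str:
    """Classify a blob by its leading bytes (assumption: small hand-written table)."""
    if data.startswith(b"MZ"):
        return "pe-executable"
    if data.startswith(b"\x7fELF"):
        return "elf-executable"
    if data.startswith(b"%PDF"):
        return "pdf"
    if data.startswith(b"PK\x03\x04"):
        return "zip-container"
    return "other"


def _is_ooxml_document(data: bytes) -> bool:
    """A genuine .docx is a zip with [Content_Types].xml and at least one word/ part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = set(z.namelist())
    except zipfile.BadZipFile:
        return False
    return "[Content_Types].xml" in names and any(n.startswith("word/") for n in names)


def inspect_converter_zip(zip_bytes: bytes, expected_ext: str = ".docx") -> dict:
    """Report whether the archive a 'converter' returned contains what was promised.
    Returns {"verdict": "ok" | "suspicious", "findings": [...], "members": [...]}."""
    findings, members = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as z:
        for info in z.infolist():
            if info.is_dir():
                continue
            name = info.filename
            members.append(name)
            lower = name.lower()
            ext = "." + lower.rsplit(".", 1)[-1] if "." in lower else ""
            if info.file_size > MAX_MEMBER_BYTES:
                findings.append(f"{name}: member too large to inspect ({info.file_size} bytes)")
                continue
            data = z.read(info)
            magic = _magic_type(data)
            if ext in SCRIPT_OR_EXEC_EXTS:
                findings.append(f"{name}: script/executable extension {ext}")
                if lower.count(".") >= 2:
                    findings.append(f"{name}: double extension disguises a script as a document")
            if magic in ("pe-executable", "elf-executable"):
                findings.append(f"{name}: executable header ({magic})")
            if ext != expected_ext:
                findings.append(f"{name}: expected {expected_ext}, got {ext or 'no extension'}")
            elif expected_ext == ".docx" and not _is_ooxml_document(data):
                findings.append(f"{name}: named .docx but is not an OOXML package")
    return {"verdict": "suspicious" if findings else "ok",
            "findings": findings, "members": members}


def _build_zip(members: dict) -> bytes:
    """Helper to construct sample archives in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, data in members.items():
            z.writestr(name, data)
    return buf.getvalue()


# Constructed sample 1: what an honest converter returns (minimal OOXML skeleton).
GENUINE_DOCX = _build_zip({
    "[Content_Types].xml": b"<?xml version='1.0'?><Types/>",
    "word/document.xml": b"<?xml version='1.0'?><w:document/>",
})
GENUINE_OUTPUT = _build_zip({"report.docx": GENUINE_DOCX})

# Constructed sample 2: the swap from the article, a .js member instead of the .docx.
# The body is an inert placeholder comment, not a real script.
FAKE_JS_OUTPUT = _build_zip({"report.docx.js": b"// placeholder, not a real script body\n"})

# Constructed sample 3: a member named like a document but carrying a PE header.
FAKE_PE_OUTPUT = _build_zip({"report.docx": b"MZ" + b"\x00" * 62})


if __name__ == "__main__":
    for label, blob in (("genuine", GENUINE_OUTPUT), ("fake-js", FAKE_JS_OUTPUT),
                        ("fake-pe", FAKE_PE_OUTPUT)):
        print(label, inspect_converter_zip(blob))
```

The check deliberately trusts neither the file name nor the header alone: the name catches the .docx.js case, the magic bytes catch a renamed executable, and the OOXML structure test catches a .docx that is not a document at all. Anything flagged here should be treated as hostile and not opened, which is the article's advice in automated form.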

Using these additional payloads, the threat actors breach corporate networks and spread laterally to other computers. Attacks like these have led to full-blown ransomware attacks in the past, such as those by REvil and BlackSuit.

While not all file converters are malware, it’s essential to research them before using them and to check reviews before downloading any programs.

If a site is relatively unknown, it is better to avoid it altogether.
