Security Magic

Hello World. I have looked at a few interesting samples earlier this month that appear to fall into the same realm as many of the EvilAI PDF converters which have been reported last year.  The difference in this one is that instead of being inno packed, or an electron app, or a .NET application like some of the variations observed so far, this one is a python compiled application. The initial application observed was " PDFly ", which, after some pivoting on other information led to the discovery  Ziply , as well as PDFClick , and Rapidoc . These findings were shared on my X post as well. The challenge with these is that I am unable to use pyinstxtractor/pyinstxtractor-ng, there seems to be some level of customized pyinstaller magic here that I just don't know enough about. What I do know is that when running these applications they do drop an AppData\Local\Temp\_MEIXXXX directory, common with PyInstaller, and there is an embedded resource zip file with another EXE of th...

Over the past couple weeks analysts have been looking at a suspicious 7zip installer which turns the host into a residential proxy (proxyware). I'm playfully calling this upStage Proxy (with a heroquest boardgame theme). More on the name will become clear in this article. The installer comes from 7zip[.]com, which, while looking professional, and having been around for quite some time, is in fact not the official site for the 7zip tool. The official site is 7-zip.org . The installer is signed by (now revoked) certificate:  "JOZEAL NETWORK TECHNOLOGY CO., LIMITED". The installer drops a version of 7zfm.exe that is also signed with this signer.  This version of 7zfm.exe differs from the official build in an important way, it has embedded within it 3 files ( upHreo.exe , hero.exe , and hero.dll ).  Analysis of this has been interesting, the main payloads are Go compiled binaries, which are dropped in C:\WIndows\SysWOW64\hero.  upHero.exe appears to "upStage" hero...

In another YAPA investigation, I began by "hunting" around keywords using Google's ad transparency, and came across supremepdfapp[.]com . I went the website and downloaded the sample, now found on VirusTotal . As pointed out to me by MalasadaTech , this advertiser is based in Hong Kong, while the "company signer" is an Israel based company that is only a few days old at the time of this writing. While pivoting around on various strings, and the icon hash, I noticed that other related samples actually flagged under my powerdocapp hardcoded XOR key YARA rule . Some examples of previous variants under the old YARA rule include: PowerDoc.exe  and NotAWord.ex e. This time however, the hard-coded XOR key has been changed (this change is now reflected in my YARA rule).  Observed Obfuscated Strings string text = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App Paths\\" + TManager.BS(new int[] { 99, 104, 114, 111, 109, 101, 46, 101, 120, 101 }); *tra...

Earlier this week, while analyzing yet another "free PDF converter" called PrimePDFConvert , I quickly observed behavior that is very similar to PDFSupernova , a browser hijacking malware I wrote about earlier this month. There are a few key differences in this variant however, most notable is a daily scheduled task, that runs c:\programdata\primepdfconvert.exe that "checks in", and can act as a malicious .NET loader. The installer displays a clean, modern UI with a loading spinner, progress bars, and a lengthy EULA referencing “browser extensions” and “added search capabilities.” At first glance, it looks like a run-of-the-mill PUP (potentially unwanted program). But underneath the surface? It's a modular, remotely controlled malware loader with daily persistence, browser hijacking capabilities, and a Roslyn-powered remote code execution API. Red Flags Packed by Costura.Fody Full screen focus during install Writes daily persistence (programdata exe that ru...

I've seen a lot of chatter on X about ConvertMate.exe So I took another look at it today. What it is This is another file conversion application. It is a .Net application that as the installer drops files into AppData\Local\ConvertMate and creates a scheduled task called ConvertMateTask. The files it unpacks and drops include a smaller file named Convert Mate.exe (with a space), and id.txt (unique identifier), some supporting dlls, an uninstaller.exe, and UpdateRetreiver.exe . Red Flags Contains reverse strings and simple obfuscation launces a PS1 file to create the scheduled task Uninstaller and Add/Remove Programs only removes desktop icon and reg key.  UpdateRetreiver checks in daily and if domain returns response it AES decrypts the response Interesting strings in ConvertMate installer this.logicManager.SendPixel("https://banifuri[.]com/pixel"); string text = this.rev("exe.emorhc\\noitacilppA\\emorhC\\elgooG\\)68x( seliF margorP\\:C"); string t...

PDF Goes Super Nova! Analyzing PDFSupernova  has been interesting, this is, at the time of this writing, a fully undetected browser hijacker. There also appears to be some information stealing/gathering capabilities. When I first looked at this last week, I set it aside since I was already looking at SystemShock Loader . This sample had some glaring red flags, at first glance I thought it was most likely a PUP  . Red Flags  A ~50MB file really results in what looks to be just a desktop shortcut to a pdf conversion website.  The "installer" takes focus of the screen, not allowing the user to interact with other tools or the desktop. YAPA (Yet Another PDF APP), I'll work on that acronym. Strings show what appears to be .NET code in parts of the file, but do not load as .NET in dnspy or decompress .NET binaries using 7Zip. A recent sandbox run shows a lot of interesting indicators Finds chrome.exe and pe...