Security Magic

In this series of YAPA (Yet Another PDF Application), I continue to document newly observed suspicious PDF converter applications. The latest one is Zapdf , which can be found on zappdfapp[.]com. This site was also document on Northwave Cyber Security , and Nextron 's websites, both of which host numerous IOCs for similar applications. The above image shows the a similar style to many other observed malicious pdf, document, and zip converter applications. Analysis: app.any.run sandbox run  shows initial telemetry traffic POST, as well as the download of an updater binary.  Some interesting notes on this when running on a test VM. The initial application is a .NET staging application, it extracts the "benign" Zapdf.exe (also a .NET application), but not before sending some telemetry, fingerprinting the system, creating persistence, and downloading the suspicious ZapUpdater.exe .  This initial .NET loader looks very similar to other YAPAs observed in the past. Slight obfus...

GalacticPDF is another PDF reader/converter application I ran across that has the look and feel of EvilAI and YAPA programs I've observed over the past year. Many of these programs have websites that have a similar look and feel to the image below: Certificate Signer: As with many of these programs, there is a valid certificate signer "MONKEY DIGITAL LTD". These do tend to have interesting names. Also, as far as I can tell, this one has only been used with GalacticPDF. Google Ads: One place I've started looking with these is in Google's Ad Transparency to see if it looks a little off, or maybe to pivot to other programs being advertised by the same advertiser. GalacticPDF is adverstied by " Kiruguard Ltd ". This doesn't tell me much, but it does give me some visuals that again, look very similar to other EvilAI campaigns. Analysis: Honestly, at first this one had me a bit perplexed. It's a rust based program, which is something I don't have ...

Hello World. I have looked at a few interesting samples earlier this month that appear to fall into the same realm as many of the EvilAI PDF converters which have been reported last year.  The difference in this one is that instead of being inno packed, or an electron app, or a .NET application like some of the variations observed so far, this one is a python compiled application. The initial application observed was " PDFly ", which, after some pivoting on other information led to the discovery  Ziply , as well as PDFClick , and Rapidoc . These findings were shared on my X post as well. The challenge with these is that I am unable to use pyinstxtractor/pyinstxtractor-ng, there seems to be some level of customized pyinstaller magic here that I just don't know enough about. What I do know is that when running these applications they do drop an AppData\Local\Temp\_MEIXXXX directory, common with PyInstaller, and there is an embedded resource zip file with another EXE of th...

Over the past couple weeks analysts have been looking at a suspicious 7zip installer which turns the host into a residential proxy (proxyware). I'm playfully calling this upStage Proxy (with a heroquest boardgame theme). More on the name will become clear in this article. The installer comes from 7zip[.]com, which, while looking professional, and having been around for quite some time, is in fact not the official site for the 7zip tool. The official site is 7-zip.org . The installer is signed by (now revoked) certificate:  "JOZEAL NETWORK TECHNOLOGY CO., LIMITED". The installer drops a version of 7zfm.exe that is also signed with this signer.  This version of 7zfm.exe differs from the official build in an important way, it has embedded within it 3 files ( upHreo.exe , hero.exe , and hero.dll ).  Analysis of this has been interesting, the main payloads are Go compiled binaries, which are dropped in C:\WIndows\SysWOW64\hero.  upHero.exe appears to "upStage" hero...

In another YAPA investigation, I began by "hunting" around keywords using Google's ad transparency, and came across supremepdfapp[.]com . I went the website and downloaded the sample, now found on VirusTotal . As pointed out to me by MalasadaTech , this advertiser is based in Hong Kong, while the "company signer" is an Israel based company that is only a few days old at the time of this writing. While pivoting around on various strings, and the icon hash, I noticed that other related samples actually flagged under my powerdocapp hardcoded XOR key YARA rule . Some examples of previous variants under the old YARA rule include: PowerDoc.exe  and NotAWord.ex e. This time however, the hard-coded XOR key has been changed (this change is now reflected in my YARA rule).  Observed Obfuscated Strings string text = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App Paths\\" + TManager.BS(new int[] { 99, 104, 114, 111, 109, 101, 46, 101, 120, 101 }); *tra...

Earlier this week, while analyzing yet another "free PDF converter" called PrimePDFConvert , I quickly observed behavior that is very similar to PDFSupernova , a browser hijacking malware I wrote about earlier this month. There are a few key differences in this variant however, most notable is a daily scheduled task, that runs c:\programdata\primepdfconvert.exe that "checks in", and can act as a malicious .NET loader. The installer displays a clean, modern UI with a loading spinner, progress bars, and a lengthy EULA referencing “browser extensions” and “added search capabilities.” At first glance, it looks like a run-of-the-mill PUP (potentially unwanted program). But underneath the surface? It's a modular, remotely controlled malware loader with daily persistence, browser hijacking capabilities, and a Roslyn-powered remote code execution API. Red Flags Packed by Costura.Fody Full screen focus during install Writes daily persistence (programdata exe that ru...