Posts

Showing posts from 2025

Supremepdfapp: Malware that's not so supreme

In another YAPA investigation, I began by "hunting" around keywords using Google's ad transparency, and came across supremepdfapp[.]com. I went to the website and downloaded the sample, now found on VirusTotal. As pointed out to me by MalasadaTech, this advertiser is based in Hong Kong, while the "company signer" is an Israel-based company that is only a few days old at the time of this writing. While pivoting around on various strings and the icon hash, I noticed that other related samples actually flagged under my powerdocapp hardcoded XOR key YARA rule. Some examples of previous variants under the old YARA rule include PowerDoc.exe and NotAWord.exe. This time, however, the hard-coded XOR key has been changed (this change is now reflected in my YARA rule).

Observed Obfuscated Strings

string text = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App Paths\\" + TManager.BS(new int[] { 99, 104, 114, 111, 109, 101, 46, 101, 120, 101 }); *tra...

PrimePDFConvert: YAPA (Yet Another PDF Application) That Turns Out to Be a Malware Loader

Earlier this week, while analyzing yet another "free PDF converter" called PrimePDFConvert, I quickly observed behavior that is very similar to PDFSupernova, a browser hijacking malware I wrote about earlier this month. There are a few key differences in this variant, however; most notable is a daily scheduled task that runs c:\programdata\primepdfconvert.exe, which "checks in" and can act as a malicious .NET loader. The installer displays a clean, modern UI with a loading spinner, progress bars, and a lengthy EULA referencing "browser extensions" and "added search capabilities." At first glance, it looks like a run-of-the-mill PUP (potentially unwanted program). But underneath the surface? It's a modular, remotely controlled malware loader with daily persistence, browser hijacking capabilities, and a Roslyn-powered remote code execution API.

Red Flags

Packed by Costura.Fody
Full screen focus during install
Writes daily persistence (programdata exe that ru...
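The persistence described above (a daily task launching an EXE dropped under C:\ProgramData) is cheap to hunt for on a host. The following is an added example, not code from the blog or from the samples it describes: it parses the CSV form of `schtasks /query /v /fo CSV` and flags tasks whose action runs from a user-writable directory. The sample input is constructed and abridged to the columns the check reads; the ConvertMateTask row borrows the task name from the next post but uses a placeholder binary, because that post does not say which file the task launches. The allowlist prefix is an assumption about one known-good ProgramData resident, not a claim about the samples.

```python
r"""
Added example, not code from the blog or from the samples it describes: a triage
check for the persistence pattern in the PrimePDFConvert post (a daily scheduled
task running an EXE dropped under C:\ProgramData) and the ConvertMate post
(ConvertMateTask, dropped under AppData\Local). Input is the CSV format of
`schtasks /query /v /fo CSV`; the sample below is CONSTRUCTED and abridged to the
columns this check reads, and its paths and version strings are illustrative.
"""
import csv
import io
import re

# Directories a standard user can write to. An auto-run task whose action lives here
# deserves a look: legitimate installers put their binaries under Program Files.
USER_WRITABLE = re.compile(
    r"^(?:[a-z]:\\programdata\\"
    r"|[a-z]:\\users\\[^\\]+\\appdata\\(?:local|roaming)\\"
    r"|%(?:programdata|localappdata|appdata|temp)%\\)",
    re.IGNORECASE,
)

# Known-good prefixes that do live under ProgramData (lowercase). Keep this explicit;
# a wildcard allowlist would hide exactly the tasks this check exists for.
ALLOWLIST = (r"c:\programdata\microsoft\windows defender\platform",)


def action_path(task_to_run: str) -> str:
    """Return just the executable from a 'Task To Run' value: strip the quotes of
    a quoted path, otherwise cut at the first space (the arguments)."""
    s = task_to_run.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split(" ", 1)[0]


def is_suspicious(row: dict) -> bool:
    """True when the task's executable sits in a user-writable directory and is
    not on the allowlist. Matching is done on the lowercased path."""
    path = action_path(row.get("Task To Run", "")).lower()
    if not USER_WRITABLE.match(path):
        return False
    return not path.startswith(ALLOWLIST)


def flag_tasks(csv_text: str) -> list:
    """Return [(TaskName, executable, Schedule Type)] for every suspicious task."""
    return [
        (r["TaskName"], action_path(r["Task To Run"]), r.get("Schedule Type", ""))
        for r in csv.DictReader(io.StringIO(csv_text))
        if is_suspicious(r)
    ]


# CONSTRUCTED sample in the shape of `schtasks /query /v /fo CSV`, abridged to the
# columns used above. The first two task names follow the posts; the ConvertMate
# binary and the remaining rows are placeholders.
SAMPLE = r'''"TaskName","Task To Run","Schedule Type","Run As User"
"\PrimePDFConvert","c:\programdata\primepdfconvert.exe","Daily","user"
"\ConvertMateTask","C:\Users\user\AppData\Local\ConvertMate\UpdateRetreiver.exe","Daily","user"
"\Microsoft\Windows\Example\Scan","%systemroot%\system32\example.exe /scan","Daily","SYSTEM"
"\VendorUpdateTask","""C:\Program Files (x86)\Vendor\Update.exe"" /check","Daily","SYSTEM"
"\Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan","""C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.0-0\MpCmdRun.exe"" Scan -ScheduleJob","Daily","SYSTEM"
'''

if __name__ == "__main__":
    for name, exe, schedule in flag_tasks(SAMPLE):
        print(f"{schedule:6} {name:30} -> {exe}")
```

Only the two tasks that launch from ProgramData or AppData\Local are reported; the quoted Program Files path and the allowlisted Defender path are left alone. On a real host, feed it the output of `schtasks /query /v /fo CSV` and review each hit against what the installer claims to be.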

Suspicious Converter: Obfuscated Strings, Silent Tasks, and a Covert Update Channel

I've seen a lot of chatter on X about ConvertMate.exe, so I took another look at it today.

What it is

This is another file conversion application. It is a .NET application; the installer drops files into AppData\Local\ConvertMate and creates a scheduled task called ConvertMateTask. The files it unpacks and drops include a smaller file named Convert Mate.exe (with a space), id.txt (unique identifier), some supporting DLLs, an uninstaller.exe, and UpdateRetreiver.exe.

Red Flags

Contains reversed strings and simple obfuscation
Launches a PS1 file to create the scheduled task
Uninstaller and Add/Remove Programs only remove the desktop icon and reg key
UpdateRetreiver checks in daily and, if the domain returns a response, AES-decrypts the response

Interesting strings in ConvertMate installer

this.logicManager.SendPixel("https://banifuri[.]com/pixel");
string text = this.rev("exe.emorhc\\noitacilppA\\emorhC\\elgooG\\)68x( seliF margorP\\:C");
string t...
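The reversed-string literal above and the int-array literal in the Supremepdfapp post (TManager.BS(new int[] { 99, 104, ... })) are the kind of string obfuscation an analyst decodes by hand once and then wants a script for. The following is an added example, not code from the blog or from the samples: it decodes both schemes and rewrites the quoted decompiled C# with plaintext literals. The BS decoder takes an optional single-byte XOR key because the Supremepdfapp post mentions a hard-coded key; the key itself is not reproduced here, the array quoted there decodes as plain ASCII with key 0, and the keyed case is shown only on a constructed array. The regexes assume the call sites look exactly as in the quoted source (an optional this./TManager. qualifier, a string literal or an int[] initializer).

```python
"""
Added example, not code from the blog or from the malware: decoders for the two
string-obfuscation schemes quoted in the ConvertMate and Supremepdfapp posts.

  rev("...")            the literal is stored reversed and reversed at runtime
  BS(new int[] {...})   the literal is stored as one int per character, optionally
                        XORed with a single-byte key (assumed from the post's
                        mention of a hard-coded XOR key; the real key is not known
                        here, and the array quoted in the post decodes with key 0)
"""
import re


def rev(s: str) -> str:
    """Undo the reversed-string scheme (the installer's this.rev())."""
    return s[::-1]


def bs(values, key: int = 0) -> str:
    """Undo the int-array scheme (TManager.BS()); key=0 means plain ASCII."""
    return "".join(chr((v ^ key) & 0xFF) for v in values)


def recover_xor_key(values, known_prefix: str):
    """Brute-force a single-byte XOR key from a guessed plaintext prefix
    (e.g. "chrome" or "SOFTWARE"); returns None if no key fits."""
    for key in range(256):
        if bs(values[: len(known_prefix)], key) == known_prefix:
            return key
    return None


# Call sites as they appear in the decompiled C#, with an optional qualifier
# such as "this." or "TManager." in front of the method name.
REV_CALL = re.compile(r'(?:[\w.]+\.)?rev\("((?:[^"\\]|\\.)*)"\)')
BS_CALL = re.compile(r'(?:[\w.]+\.)?BS\(new int\[\]\s*\{([^}]*)\}\)')


def _unescape(s: str) -> str:
    """C# literal body to actual string: drop the backslash of each escape pair."""
    return re.sub(r'\\(.)', r'\1', s)


def _escape(s: str) -> str:
    """Actual string back to a C# literal body (backslashes and quotes)."""
    return s.replace("\\", "\\\\").replace('"', '\\"')


def _ints(initializer: str) -> list:
    return [int(x) for x in initializer.split(",") if x.strip()]


def decoded_literals(src: str, key: int = 0) -> list:
    """Return the plaintext of every obfuscated literal found in a C# snippet."""
    out = [rev(_unescape(m.group(1))) for m in REV_CALL.finditer(src)]
    out += [bs(_ints(m.group(1)), key) for m in BS_CALL.finditer(src)]
    return out


def deobfuscate_source(src: str, key: int = 0) -> str:
    """Rewrite a C# snippet with each obfuscated call replaced by a plaintext
    literal, so the decompiled code reads as the author tried to hide it."""
    src = REV_CALL.sub(lambda m: '"' + _escape(rev(_unescape(m.group(1)))) + '"', src)
    return BS_CALL.sub(lambda m: '"' + _escape(bs(_ints(m.group(1)), key)) + '"', src)


# The two lines quoted in the posts, copied from the decompiled source shown there.
CONVERTMATE_LINE = r'string text = this.rev("exe.emorhc\\noitacilppA\\emorhC\\elgooG\\)68x( seliF margorP\\:C");'
SUPREME_LINE = (r'string text = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App Paths\\" '
                r'+ TManager.BS(new int[] { 99, 104, 114, 111, 109, 101, 46, 101, 120, 101 });')

if __name__ == "__main__":
    for line in (CONVERTMATE_LINE, SUPREME_LINE):
        print(deobfuscate_source(line))
    # Constructed keyed array (not from any sample) to show key recovery.
    keyed = [c ^ 0x5A for c in b"chrome.exe"]
    print("recovered key:", hex(recover_xor_key(keyed, "chrome")))
```

Both quoted lines resolve to the Chrome executable: the reversed literal to C:\Program Files (x86)\Google\Chrome\Application\chrome.exe, and the int array to the "chrome.exe" that completes the App Paths registry key. When a newer variant changes the XOR key, recover_xor_key() with a likely prefix such as "chrome" or "SOFTWARE" gives the new key to put in the YARA rule.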

Fake PDF converter hides a dark secret

PDF Goes Super Nova!

Analyzing PDFSupernova has been interesting; this is, at the time of this writing, a fully undetected browser hijacker. There also appear to be some information stealing/gathering capabilities. When I first looked at this last week, I set it aside since I was already looking at SystemShock Loader. This sample had some glaring red flags; at first glance I thought it was most likely a PUP.

Red Flags

A ~50MB file really results in what looks to be just a desktop shortcut to a PDF conversion website.
The "installer" takes focus of the screen, not allowing the user to interact with other tools or the desktop.
YAPA (Yet Another PDF APP), I'll work on that acronym.
Strings show what appears to be .NET code in parts of the file, but it does not load as .NET in dnSpy or decompress to .NET binaries using 7Zip.
A recent sandbox run shows a lot of interesting indicators
Finds chrome.exe and pe...

SystemShock Loader: A look at Malware Dropped by Fake Electron Apps

TL;DR

“SystemShock is a malicious DLL loaded by Electron apps masquerading as production tools. The DLL performs anti-analysis and anti-VM checks and then attempts to download or run additional code. The file also sends data that is likely stealing information and sending screenshots. More about the specifics of the Electron apps found can be read on Malware Analysis: Fake Google Meet Application.”

Background:

Earlier in the week I ran across some fake video conferencing applications; these gave the user the impression that they were installers for tools such as MS Teams, Google Meet, and Zoom. However, none of these were signed by their respective organizations. A review of the applications showed a complex and layered approach to hide a DLL that performs anti-analysis and anti-VM checks. The DLL also acts as a downloader for additional malware, AMSI bypass tools, and even appears to send out some recon data in t...

Malware Analysis: Fake Google Meet Application

TL;DR

“Fake Google Meet installer unpacks an Electron app that performs anti-analysis checks and downloads follow-on stealer/downloader payloads (not signed by Google). Check out more information on SystemShock Loader.”

While hunting suspicious Electron applications in VirusTotal, I came across Google_Meet 1.2.1.exe, which isn't signed by Google. The application is instead signed by "Gucheng County Sili Technology Co., Ltd.", a now-revoked certificate signer. However, VirusTotal has, at the time of this writing, 0 detections for this. So how bad can it be?

This is an NSIS installer executable, meaning I can extract the files with 7Zip. Inside the $PLUGINSDIR is an app-64.7z file; in recent EvilAI and TamperedChef campaigns this usually means this is an Electron-based application that is extracted.

Quick Note on EvilAI

I want to pause right here and suggest that "EvilAI" is more of a campaig...

Elevate.exe Understanding the Uses and Abuses

TL;DR

elevate.exe is an open-source UAC helper commonly bundled with Windows installers and Electron builds — usually legitimate, but sometimes recompiled/signed and abused by threat actors (observed in recent EvilAI, TamperedChef, and BaoLoader campaigns).

I was reading through an article by TRUESEC, and one thing that struck me and my peers was the elevate.exe file that exists in the samples that were analyzed. I mentioned to my peer that I see this file in many Electron apps I've analyzed this year. We kicked around the idea of how to build detection for this, but we needed to understand what it is.

Firstly, as pointed out by TRUESEC, elevate.exe is a tool by Johannes Passing, found on the GitHub repo. The tool can be shipped/packaged with Windows executables which, on their own, do not elevate privileges; this helper will invoke UAC to elevate privileges of the designated application. Initially, after readin...