Security Magic

Earlier this week, while analyzing yet another "free PDF converter" called PrimePDFConvert , I quickly observed behavior that is very similar to PDFSupernova , a browser hijacking malware I wrote about earlier this month. There are a few key differences in this variant however, most notable is a daily scheduled task, that runs c:\programdata\primepdfconvert.exe that "checks in", and can act as a malicious .NET loader. The installer displays a clean, modern UI with a loading spinner, progress bars, and a lengthy EULA referencing “browser extensions” and “added search capabilities.” At first glance, it looks like a run-of-the-mill PUP (potentially unwanted program). But underneath the surface? It's a modular, remotely controlled malware loader with daily persistence, browser hijacking capabilities, and a Roslyn-powered remote code execution API. Red Flags Packed by Costura.Fody Full screen focus during install Writes daily persistence (programdata exe that ru...

I've seen a lot of chatter on X about ConvertMate.exe So I took another look at it today. What it is This is another file conversion application. It is a .Net application that as the installer drops files into AppData\Local\ConvertMate and creates a scheduled task called ConvertMateTask. The files it unpacks and drops include a smaller file named Convert Mate.exe (with a space), and id.txt (unique identifier), some supporting dlls, an uninstaller.exe, and UpdateRetreiver.exe . Red Flags Contains reverse strings and simple obfuscation launces a PS1 file to create the scheduled task Uninstaller and Add/Remove Programs only removes desktop icon and reg key.  UpdateRetreiver checks in daily and if domain returns response it AES decrypts the response Interesting strings in ConvertMate installer this.logicManager.SendPixel("https://banifuri[.]com/pixel"); string text = this.rev("exe.emorhc\\noitacilppA\\emorhC\\elgooG\\)68x( seliF margorP\\:C"); string t...

PDF Goes Super Nova! Analyzing PDFSupernova  has been interesting, this is, at the time of this writing, a fully undetected browser hijacker. There also appears to be some information stealing/gathering capabilities. When I first looked at this last week, I set it aside since I was already looking at SystemShock Loader . This sample had some glaring red flags, at first glance I thought it was most likely a PUP  . Red Flags  A ~50MB file really results in what looks to be just a desktop shortcut to a pdf conversion website.  The "installer" takes focus of the screen, not allowing the user to interact with other tools or the desktop. YAPA (Yet Another PDF APP), I'll work on that acronym. Strings show what appears to be .NET code in parts of the file, but do not load as .NET in dnspy or decompress .NET binaries using 7Zip. A recent sandbox run shows a lot of interesting indicators Finds chrome.exe and pe...