Supremepdfapp: Malware that's not so supreme

In another YAPA investigation, I began by "hunting" around keywords using Google's ad transparency, and came across supremepdfapp[.]com. I went to the website and downloaded the sample, which is now on VirusTotal.


While pivoting on various strings and the icon hash, I noticed that this sample also matched my powerdocapp hardcoded XOR key YARA rule.

This time, however, the hard-coded XOR key has been changed (the new key is now reflected in my YARA rule).

Observed Obfuscated Strings


string text = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App Paths\\" + TManager.BS(new int[] { 99, 104, 114, 111, 109, 101, 46, 101, 120, 101 });
*translates to chrome.exe
string text4 = TManager.BS(new int[] { 71, 111, 111, 103, 108, 101 });
*Google
string text5 = TManager.BS(new int[] { 67, 104, 114, 111, 109, 101 });
*Chrome
string text6 = TManager.BS(new int[] { 99, 104, 114, 111, 109, 101, 46, 101, 120, 101 });
*chrome.exe
string text3 = "U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3MgTlRcQ3VycmVudFZlcnNpb24=";
*SOFTWARE\Microsoft\Windows NT\CurrentVersion
string text = "U29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cVW5pbnN0YWxsXA==";
*Software\Microsoft\Windows\CurrentVersion\Uninstall\
new string[] { "exe.", "emorhc", "\\shtaP ppA", "\\noisreVtnerruC", "\\swodniW", "\\tfosorciM", "\\ERAWTFOS" },
*"SOFTWARE\\", "Microsoft\\", "Windows\\", "CurrentVersion\\", "App Paths\\", "chrome", ".exe"
new string[] { "exe.", "emorhc", "\\shtaP ppA", "\\noisreVtnerruC", "\\swodniW", "\\tfosorciM", "\\edoN2364GWOW", "\\ERAWTFOS" },
*"SOFTWARE\\", "WOWG4632Node\\" (sic), "Microsoft\\", "Windows\\", "CurrentVersion\\", "App Paths\\", "chrome", ".exe"
new string[] { "emorhCelgooG", "\\llatsnI", "\\noisreVtnerruC", "\\swodniW", "\\tfosorciM", "\\ERAWTFOS" },
*"SOFTWARE\\", "Microsoft\\", "Windows\\", "CurrentVersion\\", "Install\\", "GoogleChrome"
new string[] { "emorhCelgooG", "\\llatsnI", "\\noisreVtnerruC", "\\swodniW", "\\tfosorciM", "\\edoN2364GWOW", "\\ERAWTFOS" }
*"SOFTWARE\\", "WOWG4632Node\\" (sic), "Microsoft\\", "Windows\\", "CurrentVersion\\", "Install\\", "GoogleChrome"
string encryptionKey = "ZX8qNsT7bW4vK1pD-y5823401974";
*hard-coded XOR key
{ 1, new char[] { 'H', 'p', 'p', 'h', 'm', 'f' } },
*Google
{ 2, new char[] { 'D', 'i', 's', 'p', 'n', 'f' } },
*Chrome
{ 3, new char[] { 'd', 'i', 's', 'p', 'n', 'f', '/', 'f', 'y', 'f' } }
*chrome.exe

Data Table

public string a1x = ""; // user ID (GUID in configs.txt)
public string b2y = ""; // OS version
public string c3z = ""; // OS name
public string d4q = ""; // server-provided flag from /supreme ("true"/"false")
public static string e5r = "1.2.3.6"; // app version
public string f6t = "";
public string g7u = ""; // "true"/"false"
public string h8p = ""; // "true"/"false"
public string i9m = ""; // "true"/"false": Chrome merge succeeded
public string j0n = ""; // log buffer (errors, status)
public string k1s = ""; // campaign code
public string l2v = ""; // "true"/"false": "installed" flag (SupremeDOC.exe present or not)
public string m3w = ""; //
public string n4k = ""; //
public string o5b = ""; // "true"/"false"
public string spotes; // set to "true" if Default profile patched

Internet availability check

public static void OpenSpeedTestInBrowser()
{
    try
    {
        // Opens the speed-test site in the default browser via ShellExecute
        Process.Start(new ProcessStartInfo
        {
            FileName = "https://openspeedtest.com",
            UseShellExecute = true
        });
    }
    catch (Exception)
    {
        // handler body not shown in the decompiled snippet
    }
}

I suspect this is to prohibit the program from continuing if a 200 response isn't received from the site. Of course, this can simply be auto-responded in Fiddler. Additionally, the program checks whether it has already been installed: a simple test for whether the dropped converter exists in "AppData\Local\Temp\Supreme DOC".


Decryption Process

string text = Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData) + this.DecryptValue
string encryptionKey = "ZX8qNsT7bW4vK1pD-y5823401974";

The key is used to encrypt and decrypt the responses from the server at https://sup.hacolak[.]com/sprstrt and https://hacolak[.]com/supreme. The program will also attempt to POST Chrome data out, XOR-encrypted with this key and Base64 encoded.

Below is a JSON response crafted in Fiddler, with XOR/Base64-encoded values for "profile", "profiles_order", \Google\Chrome\User Data\, Local State, and \Web Data.
These responses must be received by the application in order for it to run.

{ "ConversionResult": "{\"IsOK\":true,\"ColumnA\":\"KipXFycfMQ==\",\"ColumnB\":\"KipXFycfMUQ9OEYSLkM=\",\"PrimaryOffset\":\"Bh9XHikfMWshP0YZJlQsEV4cRxh2UkBRbQ==\",\"LeftOffset\":\"FjdbECJTB0MDI1E=\",\"SecondaryOffset\":\"Bg9dE243NUMD\",\"RightOffset\":\"Bg9dE243NUMD\",\"Surface\":\"Bg9dE243NUMD\"}", "MergingResult": "{\"IsOK\":true,\"ColumnA\":\"KipXFycfMQ==\",\"ColumnB\":\"KipXFycfMUQ9OEYSLkM=\",\"PrimaryOffset\":\"Bh9XHikfMWshP0YZJlQsEV4cRxh2UkBRbQ==\",\"LeftOffset\":\"FjdbECJTB0MDI1E=\",\"SecondaryOffset\":\"Bg9dE243NUMD\",\"RightOffset\":\"Bg9dE243NUMD\",\"Surface\":\"Bg9dE243NUMD\"}" }
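To check the decodings above end to end, here is an added Python helper (my own code, not from the sample or the post) that re-implements each of the obfuscation schemes observed in the sample: the TManager.BS code-point arrays, the reversed registry-path fragments, the off-by-one char arrays, and the repeating-key XOR plus Base64 used for the server-response fields. Function names are my own; the key and the encoded values are taken from the post.

```python
import base64
import json
from itertools import cycle

# Hard-coded XOR key recovered from the sample (quoted in the post)
XOR_KEY = "ZX8qNsT7bW4vK1pD-y5823401974"

def bs(codes):
    """Mirror of TManager.BS: array of code points -> string."""
    return "".join(chr(c) for c in codes)

def join_reversed(parts):
    """Fragments stored reversed and in reverse order -> registry path."""
    return "".join(p[::-1] for p in reversed(parts))

def shift_chars(chars, delta=-1):
    """char[] where every code point is offset by one -> string."""
    return "".join(chr(ord(c) + delta) for c in chars)

def xor_with_key(data: bytes) -> bytes:
    """Repeating-key XOR; the same routine encrypts and decrypts."""
    return bytes(b ^ ord(k) for b, k in zip(data, cycle(XOR_KEY)))

def decrypt_field(value: str) -> str:
    """Server-response field: Base64 -> XOR with key -> text."""
    return xor_with_key(base64.b64decode(value)).decode("utf-8")

def encrypt_field(text: str) -> str:
    """Inverse of decrypt_field, i.e. how the client encodes Chrome data."""
    return base64.b64encode(xor_with_key(text.encode("utf-8"))).decode("ascii")

def decode_response(body: str) -> dict:
    """Each top-level result is itself a JSON string; decrypt every field but IsOK."""
    return {name: {k: v if k == "IsOK" else decrypt_field(v)
                   for k, v in json.loads(inner).items()}
            for name, inner in json.loads(body).items()}

# Constructed input: a subset of the crafted Fiddler response shown in the post
SAMPLE_BODY = json.dumps({"ConversionResult": json.dumps({
    "IsOK": True, "ColumnA": "KipXFycfMQ==", "ColumnB": "KipXFycfMUQ9OEYSLkM=",
    "LeftOffset": "FjdbECJTB0MDI1E=", "SecondaryOffset": "Bg9dE243NUMD"})})

if __name__ == "__main__":
    print(bs([99, 104, 114, 111, 109, 101, 46, 101, 120, 101]))   # chrome.exe
    print(join_reversed(["exe.", "emorhc", "\\shtaP ppA", "\\noisreVtnerruC",
                         "\\swodniW", "\\tfosorciM", "\\ERAWTFOS"]))
    print(shift_chars(["H", "p", "p", "h", "m", "f"]))             # Google
    print(decode_response(SAMPLE_BODY))
```

Running the script prints the decoded registry paths and the decrypted response fields; encrypt_field can be used to craft further Fiddler auto-responses with the same key.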




As you can see, Chrome data is encrypted and then posted out. The Chrome process is "restarted" into its previous session, which gives the program "unlocked" access to files such as Web Data during this time.

This is a similar setup to PDFSuperNova or PDFPrimeConvert in many ways.

