Posts

Showing posts from February, 2026

Zapdf is another suspicious PDF converter

In this series of YAPA (Yet Another PDF Application), I continue to document newly observed suspicious PDF converter applications. The latest one is Zapdf, which can be found on zappdfapp[.]com. This site was also documented on the Northwave Cyber Security and Nextron websites, both of which host numerous IOCs for similar applications. The above image shows a style similar to many other observed malicious PDF, document, and zip converter applications. Analysis: an app.any.run sandbox run shows an initial telemetry POST, as well as the download of an updater binary. Some interesting notes on this from running it on a test VM: the initial application is a .NET staging application; it extracts the "benign" Zapdf.exe (also a .NET application), but not before sending some telemetry, fingerprinting the system, creating persistence, and downloading the suspicious ZapUpdater.exe. This initial .NET loader looks very similar to other YAPAs observed in the past. Slight obfus...
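The sequence described above (a telemetry POST to the converter's domain followed shortly by an executable download) is something a defender can hunt for in proxy logs. The following is an added triage example, written for this page and not code from the blog author or from any of the linked IOC sources. The only indicator taken from the post is zappdfapp[.]com; the log format, the request paths, the second hostname, the client addresses, and the five-minute pairing window are all constructed assumptions for illustration.

```python
"""Match defanged IOC domains against proxy logs and flag the
telemetry-POST-then-executable-download pattern seen with these loaders.

Added example. Everything below except the zappdfapp[.]com indicator is
constructed: log format, paths, second host, client IPs, time window.
"""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Indicators as they appear defanged on the blog and on IOC feeds.
DEFANGED_IOCS = ["zappdfapp[.]com"]

# Constructed proxy log: timestamp client method url status content-type.
# The /api/track path and the cdn.example-updates.test host are invented.
SAMPLE_LOG = """\
2026-02-10T14:01:05Z 10.0.0.15 POST https://zappdfapp.com/api/track 200 application/json
2026-02-10T14:01:09Z 10.0.0.15 GET https://cdn.example-updates.test/ZapUpdater.exe 200 application/x-msdownload
2026-02-10T14:03:40Z 10.0.0.22 GET https://zappdfapp.com/ 200 text/html
2026-02-10T15:20:00Z 10.0.0.31 POST https://mail.example.test/send 200 application/json
2026-02-10T15:21:00Z 10.0.0.31 GET https://mail.example.test/attach.pdf 200 application/pdf
"""

# Content types commonly used for PE downloads (assumed list).
EXECUTABLE_TYPES = {"application/x-msdownload", "application/octet-stream", "application/x-dosexec"}


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as zappdfapp[.]com into a usable lowercase domain."""
    return (indicator.strip().lower()
            .replace("[.]", ".").replace("(.)", ".")
            .replace("hxxps://", "https://").replace("hxxp://", "http://"))


def parse_line(line: str) -> dict:
    """Parse one line of the constructed log format into a dict."""
    ts, client, method, url, status, ctype = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "client": client,
        "method": method.upper(),
        "url": url,
        "host": urlparse(url).hostname or "",
        "status": int(status),
        "ctype": ctype.lower(),
    }


def matches_ioc(host: str, domains: list[str]) -> bool:
    """True if host is one of the IOC domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def looks_executable(event: dict) -> bool:
    """Heuristic: PE-like content type or a .exe path."""
    path = urlparse(event["url"]).path.lower()
    return event["ctype"] in EXECUTABLE_TYPES or path.endswith(".exe")


def ioc_contacts(log_text: str, defanged: list[str]) -> set[str]:
    """Every client that touched an IOC domain at all (the broad sweep)."""
    domains = [refang(d) for d in defanged]
    return {e["client"] for e in map(parse_line, log_text.splitlines())
            if matches_ioc(e["host"], domains)}


def find_loader_sequences(log_text: str, defanged: list[str],
                          window: timedelta = timedelta(minutes=5)) -> list[dict]:
    """Clients that POSTed to an IOC domain and then fetched an executable
    (from any host) within `window`. Returns one hit per POST at most."""
    domains = [refang(d) for d in defanged]
    by_client: dict[str, list[dict]] = defaultdict(list)
    for e in map(parse_line, log_text.splitlines()):
        by_client[e["client"]].append(e)

    hits = []
    for client, events in by_client.items():
        events.sort(key=lambda e: e["ts"])
        for i, e in enumerate(events):
            if e["method"] != "POST" or not matches_ioc(e["host"], domains):
                continue
            for later in events[i + 1:]:
                if later["ts"] - e["ts"] > window:
                    break
                if later["method"] == "GET" and later["status"] == 200 and looks_executable(later):
                    hits.append({"client": client, "post": e["url"], "download": later["url"]})
                    break
    return hits


if __name__ == "__main__":
    print("contacted IOC domains:", sorted(ioc_contacts(SAMPLE_LOG, DEFANGED_IOCS)))
    for hit in find_loader_sequences(SAMPLE_LOG, DEFANGED_IOCS):
        print("loader-like sequence:", hit)
```

The broad sweep (`ioc_contacts`) will include hosts that merely browsed to the site; the sequence check narrows that to clients whose traffic matches the loader's observed order of operations. The download is deliberately not tied to the IOC domain, since the post does not say where ZapUpdater.exe is fetched from.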

GalacticPDF: Episode IV — A New Hijacker

GalacticPDF is another PDF reader/converter application I ran across that has the look and feel of the EvilAI and YAPA programs I've observed over the past year. Many of these programs have websites that have a similar look and feel to the image below. Certificate Signer: As with many of these programs, there is a valid certificate signer, "MONKEY DIGITAL LTD". These do tend to have interesting names. Also, as far as I can tell, this one has only been used with GalacticPDF. Google Ads: One place I've started looking with these is Google's Ad Transparency, to see if it looks a little off, or maybe to pivot to other programs being advertised by the same advertiser. GalacticPDF is advertised by "Kiruguard Ltd". This doesn't tell me much, but it does give me some visuals that, again, look very similar to other EvilAI campaigns. Analysis: Honestly, at first this one had me a bit perplexed. It's a Rust-based program, which is something I don't have ...