GalacticPDF: Episode IV — A New Hijacker


GalacticPDF is another PDF reader/converter application I ran across that has the look and feel of EvilAI and YAPA programs I've observed over the past year. Many of these programs have websites that have a similar look and feel to the image below:



Certificate Signer:

As with many of these programs, there is a valid certificate signer "MONKEY DIGITAL LTD". These do tend to have interesting names. Also, as far as I can tell, this one has only been used with GalacticPDF.

Google Ads:

One place I've started looking with these is Google's Ad Transparency, to see if something looks a little off, or to pivot to other programs being advertised by the same advertiser. GalacticPDF is advertised by "Kiruguard Ltd". This doesn't tell me much, but it does give me some visuals that, again, look very similar to other EvilAI campaigns.



Analysis:

Honestly, at first this one had me a bit perplexed. It's a Rust-based program, which is something I don't have as much experience with. I did use Malcat right away, and thought I was rewarded instantly with a PE file that I could carve out of the main sample. However, that file turned out to be PDFium.dll, used for rendering PDF files. This gives GalacticPDF the real functionality the user is looking for.


Running GalacticPDF on my test VM didn't really do anything. I ran it through several available sandboxes, and again didn't really get any results. I did note that VirusTotal listed a few domain names the sample talks to, and I did see those in my lab.

My breakthrough on this didn't come until I ran across someone else's sandbox run. While it is a very muddied run, due to all the clicking and running of other things, it does show some very clear things. First, new behavior for GalacticPDF: it performs a taskkill. More importantly, I took more notice of the HTTP traffic from the application in this sandbox run.


I noticed that every one of these connections carried Base64 that started with PXA, so I suspected that some sort of encoding/encryption sits underneath the Base64 layer.

When I ran this through my own lab using x64dbg, I eventually came to a point where I saw the following plaintext: {"appId":"K8ERMXAZUFNPSKZH","appName":"GalacticPDF","code":"8IAP","msg":"","uid":""} alongside the encoded form "PXAmJzIMN29iZgpiCwICGmwiZnZ8Y2pzb38RHmQzNycMJD4oen5jHS88LiFZEVBgdnUbFBdUXFYjcH11egwSHXpoYzc9N214D1ofEkdaXRoPFRFP"



Here, I now had directly comparable encoded text and plaintext. A simple Python script helped me derive a key, since I suspected XOR. I was rewarded with a repeating pattern for an XOR key.

Going back into Malcat, I was able to see that this key is actually a hardcoded string... I wish I had noticed that earlier.
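The key-derivation step described above, as an added Python example (this is not the author's script): it takes the JSON string and the Base64 blob quoted in this post as a known plaintext/ciphertext pair, XORs them to get the keystream, finds the shortest period at which the keystream repeats, and then uses the recovered key to decode the blob back into JSON. It also shows why every blob starts with "PXA". Every value in it comes from this page; nothing else is assumed.

```python
import base64
import json
from itertools import cycle

# Taken from the values quoted in the post: the JSON seen in memory under x64dbg
# and the Base64 blob that was sent for it.
PLAINTEXT = b'{"appId":"K8ERMXAZUFNPSKZH","appName":"GalacticPDF","code":"8IAP","msg":"","uid":""}'
CIPHERTEXT_B64 = "PXAmJzIMN29iZgpiCwICGmwiZnZ8Y2pzb38RHmQzNycMJD4oen5jHS88LiFZEVBgdnUbFBdUXFYjcH11egwSHXpoYzc9N214D1ofEkdaXRoPFRFP"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data against a key that repeats for the length of the data."""
    return bytes(d ^ k for d, k in zip(data, cycle(key)))


def recover_keystream(plaintext: bytes, ciphertext: bytes) -> bytes:
    """Known-plaintext step: for a XOR cipher, plaintext ^ ciphertext is the keystream."""
    n = min(len(plaintext), len(ciphertext))
    return xor_bytes(ciphertext[:n], plaintext[:n])


def shortest_period(stream: bytes) -> int:
    """Smallest p with stream[i] == stream[i + p] for every i; len(stream) if nothing repeats."""
    for p in range(1, len(stream)):
        if all(stream[i] == stream[i + p] for i in range(len(stream) - p)):
            return p
    return len(stream)


def derive_key(plaintext: bytes, ciphertext_b64: str) -> bytes:
    """Recover the repeating XOR key from one known plaintext/ciphertext pair.

    The period is only trustworthy when the known plaintext spans at least two
    full copies of the key, so refuse to guess on shorter samples.
    """
    keystream = recover_keystream(plaintext, base64.b64decode(ciphertext_b64))
    period = shortest_period(keystream)
    if period * 2 > len(keystream):
        raise ValueError("known plaintext too short to confirm that the key repeats")
    return keystream[:period]


def decode_blob(blob_b64: str, key: bytes) -> dict:
    """Decode one captured blob: Base64 -> XOR with the key -> JSON."""
    return json.loads(xor_bytes(base64.b64decode(blob_b64), key))


def encode_blob(plaintext: bytes, key: bytes) -> str:
    """The inverse; confirms the recovered key reproduces the captured blob byte for byte."""
    return base64.b64encode(xor_bytes(plaintext, key)).decode()


def blob_prefix(key: bytes, opening: bytes = b'{"a') -> str:
    """Why every blob begins with "PXA": the JSON always opens with {"a..., so the first
    three ciphertext bytes (opening ^ key[:3]) are constant, and so is their Base64 form."""
    return base64.b64encode(xor_bytes(opening, key[:3])).decode()


if __name__ == "__main__":
    key = derive_key(PLAINTEXT, CIPHERTEXT_B64)
    print("recovered key:", key.decode(), f"({len(key)} bytes)")
    print("constant blob prefix:", blob_prefix(key))
    print("decoded blob:", decode_blob(CIPHERTEXT_B64, key))
```

The fixed "PXA" prefix is a useful hunting string on its own: because the key is static and the JSON always opens the same way, the first four Base64 characters of every blob are determined before any per-victim data is involved. The same `decode_blob` call, fed with blobs pulled from proxy or sandbox HTTP logs, is what turns the later traffic into the browser-profiling and search-hijack JSON described below.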


Using this key, I was able to decode the connection in the sandbox run from earlier, and noticed that it seems to profile your browser (sending data to the attacker) and appears to hijack the browser's search engine, pointing it to kingsearchresults[.]com. We do see this later in the sandbox run, when the user who ran it opened Chrome again.



The image directly above is further charcode decoding derived from the XOR decoding of a traffic stream in the sandbox run.

I have concluded that this didn't work on my system because I downloaded directly from Galacticpdf[.]com rather than reaching the site through an ad campaign. I believe this is gated behavior to avoid hijacking systems that did not download it through the ad, possibly to thwart security researchers. I base this on the sandbox run, where the user started by going to formandtemplate[.]com and clicking the ads there, which led to GalacticPDF.

IOCs:

| Type | Indicator | Context / Notes |
| --- | --- | --- |
| Domain | hopinpoint.com | Observed in constructed endpoint paths (metrics/telemetry). |
| URL | https://hopinpoint.com/ysawd/metr | Telemetry/metrics endpoint (observed in runtime strings). |
| Domain | pdfappup.com | Observed as alternate/related infrastructure in runtime-built URLs. |
| Domain | startlightspirit.com | Observed as alternate/related infrastructure in runtime-built URLs. |
| Domain | kingsearchresults.com | Search hijack/redirect infrastructure observed in decoded network data. |
| Crypto / Obfuscation | FRGWBESMXDAZNPOB-x3023985732 | Repeating XOR key (28 bytes) used to decode Base64 blobs into JSON. |
| Hash (SHA-256) | 4b41fa4a8f00d2e564cb2f9d8ec000f13661ea8bf8036b88b362cf8a2802e513 | GalacticPDF installer |
