Zapdf is another suspicious PDF converter


In this series of YAPA (Yet Another PDF Application), I continue to document newly observed suspicious PDF converter applications. The latest one is Zapdf, which can be found on zappdfapp[.]com. This site was also document on Northwave Cyber Security, and Nextron's websites, both of which host numerous IOCs for similar applications.


The above image shows the a similar style to many other observed malicious pdf, document, and zip converter applications.

Analysis:

app.any.run sandbox run shows initial telemetry traffic POST, as well as the download of an updater binary. 


Some interesting notes on this when running on a test VM. The initial application is a .NET staging application, it extracts the "benign" Zapdf.exe (also a .NET application), but not before sending some telemetry, fingerprinting the system, creating persistence, and downloading the suspicious ZapUpdater.exe

This initial .NET loader looks very similar to other YAPAs observed in the past. Slight obfuscation of chrome strings, telemetry, UID file creation, and more.





The scheduled task is interesting, it sets an execution command to "AppData\Local\Zapdf\ZapUpdater\ZapUpdater.exe", set to ruin daily if network is vailable, timeout is set for 72 hours (very interesting), and is set to retry every 10 minutes on failure. 

At this point, everything can be seen in Fiddler, however, the ZapUpdater is not seen in fiddler, this application is not .NET, it appears to be C++. Observable traffic in wireshark, and VirusTotal show traffic to livilev[.]com, specifically to /report and /authorize.

I can however rub this through x64dbg to enrich analysis. 

Mutex


Network Data 
User-Agent for this is :"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36"

Unfortunately, when getting to livilev[.]com/report I don't seem to see anything past fetcher_log. I suspect some gatekeeping that I have not gotten past, but I suspect that like other YAPAs in the past, the server side could send remote code execution through the updater (not confirmed for zapupdater). 

I want to note that fether_log is also seen with other YAPA style Updaters, notfoundsec, and PDFSkills. This is further evidence of Zapdf, primarily it's updater, being part of the same family/campaign as other malicious applications observed in the past. 




Comments

Post a Comment

Popular posts from this blog

TamperedChef: Suspicious Recipe App is really Malware

Image
Hello World!  Let me introduce you to a new malware I'm calling TamperedChef .  Yesterday I came across the article Malvertising Alert: Recipe App Hijacks Credentials and Appears to Establish C&C Connection . This got me curious, so I decided to dig a bit deeper. I manually went to recipelister ( VirusTotal )  and downloaded recipelister.exe.  After reading the aforementioned blog, which observed the 7z-out folder, I figured why not use 7zip to extract recipelister.exe. Within the compressed file was app-64.7z, which I again extracted I extracted using 7zip.  At this point we have the main contents of what would appear in "AppData\Local\Temp\2w1rXpxZnwDUwuTeNvdD6FUkeI0".  Extracting app.asar: In order to extract app.asar to be easier to look at, I used this 7z asar plugin .  This is where things get interesting. When we start looking at main.js, all the while running Fiddler, we  observe a lot of suspicious code and activity.  The main.j...
Read more

EvilAI: Fake Online Speedtest Application

Image
Several Windows applications that present themselves as legitimate utilities—Internet speed testers, “manual reader” and “finder” tools, certain PDF utilities, and even some AI search frontends such as   justaskjacky   have been observed to drop a portable Node runtime folder alongside a heavily obfuscated JavaScript payload. The visible executable performs as expected to the users, however the installer also extracts the Node runtime, a scheduled task, and  an obfuscated *.js file that don’t appear necessary for the application's primary function. That JavaScript is executed by the dropped Node instance via a scheduled task (observed to run on roughly a 12-hour cycle). Its capabilities include encoded/obfuscated network communications and the potential to execute arbitrary code delivered by the server. Because the JS runs independently from the main executable and is persistent via scheduled tasks, it significantly increases the attack surface:...
Read more

Beware of Fake 7zip Installer: upStage Proxy

Image
Over the past couple weeks analysts have been looking at a suspicious 7zip installer which turns the host into a residential proxy (proxyware). I'm playfully calling this upStage Proxy (with a heroquest boardgame theme). More on the name will become clear in this article. The installer comes from 7zip[.]com, which, while looking professional, and having been around for quite some time, is in fact not the official site for the 7zip tool. The official site is 7-zip.org . The installer is signed by (now revoked) certificate:  "JOZEAL NETWORK TECHNOLOGY CO., LIMITED". The installer drops a version of 7zfm.exe that is also signed with this signer.  This version of 7zfm.exe differs from the official build in an important way, it has embedded within it 3 files ( upHreo.exe , hero.exe , and hero.dll ).  Analysis of this has been interesting, the main payloads are Go compiled binaries, which are dropped in C:\WIndows\SysWOW64\hero.  upHero.exe appears to "upStage" hero...
Read more