Skip to main content

Next Pdf Converter PUA

1. Overview

This post describes a PUA similar to the sample mentioned in the following article.
https://www.c2server.xyz/2023/09/net-in-javascript-fake-pdf-converter.html

If you would like to know more about the previous sample, the following articles are excellent. Thanks to the article for following up on the deficiency of my previous post.
https://www.themalwareanalyst.com/2023/11/fake-pdf-converter-leading-to-malicious.html
https://security5magics.blogspot.com/2023/10/interesting-customloader-observed-in.html

2. Sample

This sample can be downloaded from the following URL.
https://www.free-pdf-convert[.]com/

The this sample operations are as follows. This sample also uses WebView2 like the previous sample.

The single page app works as PDF converter as follows. In other words, this sample does not run WebView2 in hidden mode.

How is this single page application implemented? The main implementation of this app can be found at https://pdf.activegn.com/js/app.[xxxxxx].js. Analyzing js file has always been a pet hate of mine, but it is much easier than the previous sample.

This app uses the following API endpoints to convert jpg and other files to pdf files. It seems to be a legitimate pdf converter as it appears to be. I did not find any process that sent file to the attacker's infrastructure. What is malicious with this?
URLDescription
https://api.cloudconvert.com/v2/import/uploadCreate upload task
https://eu-central.storage.cloudconvert.com/tasksUpload file
https://api.cloudconvert.com/v2/convertConvert uploaded file to pdf
https://api.cloudconvert.com/v2/export/urlCreate export task
https://sync.api.cloudconvert.com/v2/tasks/[GUID]Download file

3. cloudconvert API

The app uses hard-coded Bearer token to interact with the API. This token has task.write and task.read permissions, which are used for tasks that convert files.

In the same way, I create Bearer token and try to convert a test file to PDF file. Unless deleting the export task, I was able to download the converted files from cloudconvert dashboard. This means that the developer of this app cloud access to the converted pdf file.

4. Conclusion

Finally, the analysis results indicate potential file theft, but cannot be labeled as completely malicious. However, this file clearly appears to be unwanted and I recommend that you remove it if this sample is running on your host.

5. IoC

The IoC is shown below. It may also be interesting to look at the various API endpoints associated with cloudconvert at hunting. In particular, eu-central.storage.cloudconvert.com can host any files and will be used for malware download site.
IoCType
www.free-pdf-convert.comPUA download site
pdf.activegn.comPUA app site
DE08BBD33EF34AF776C6F101BAFAC7759EEE2C331FB8BB7309F6F6AE9C8AA866free-pdf-convert.exe SHA256 hash
F41D8F573FAB3C9F2ABEBD9FB8C518917A1B8F90BF5CD406ED89D67C40CDBF16FreePDFConverter.exe SHA256 hash
Labels:

Comments

Post a Comment

Popular posts from this blog

.NET in JavaScript, Fake PDF Converter

1. Overview I found a site that distributes curious PDF converter. The executable file distributed at this site appears to be malicious and have several interesting features. ・ .NET Anti-Analysis ・ Execution of external JavaScript payload with WebView2 ・ .NET object manipulation from JavaScript code This post will mention these techniques. The execution flow of this executable is shown below. 2. .NET Anti-Analysis PdfConverters.exe analyzed in this article was created with .NET Core. .NET Core allows developer to embed runtime and libraries into a single executable file. This executable also contains a number of files, which are extracted at execution time into a folder under %TEMP%\PdfConverters. A good way to know the role of these files is to look at [AppName].deps.json. app.deps.json reveals that main functionality of this executable exists in app.dll. [app.deps.json] ... "app/1.0.0": { "dependencies": { "Microsoft.
Post a Comment
Read more

CommandLine rewriting and Reflective loading

1. Overview This article describes the following topics. ・Commandline rewriting technique ・Applying new command line to reflective loaded PE file's context My goal was to develop loader that load PE file from URL and launch PE file in memory with new commandline context. This is stealth since it leaves no final payload on filesystem. Since this is a topic that has been described exhaustively, this post does not describe downloading PE file and reflective load. This article does not show the full code to prevent abuse. 2. Commandline rewriting When this loader starts, loader's commandline is "loader.exe [c2url] [newcommand]". This loader needs to load the PE file into memory and patch memory so that [newcommand] is handled as the first argument. The commandline is included in RTL_USER_PROCESS_PARAMETERS structure, which is pointed to by ProcessParameters member of PEB structure. PEB is very important structure in the process. I believe it will work
Post a Comment
Read more

ShimCache (AppCompatCache) Internals

1. Overview ShimCache (AppCompatCache) is artifact that exists in Windows SYSTEM registry. This artifact records program execution but not execution time. Nevertheless, it is valuable artifact on Windows Server hosts where prefetch is not recorded by default or Windows hosts where prefetch has been removed. This article describes the following topics. ・Information in ShimCache (Forensics) ・Reverse engineering on ShimCache mechanism (Redteaming) 2. Information in ShimCache Shimcache is recorded under following subkey. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\AppCompatCache Shimcache data is binary format and composed of 52 byte header and multiple entries in Windows 10 (ver 2004). The format of the entry is as follows. Field Type Offset Description Signature DWORD 0x00 31 30 74 73 (10ts) CRC32 Hash DWORD 0x04 Entry Size DWORD 0x08 Path Size WORD 0x0C Path field's data length Path WString 0x0E PE file path Modified Time FILETIME NTFS $SI mo
Post a Comment
Read more