
Malware campaigns are increasingly hiding behind legitimate-looking software. Recently, the Jarviss SOC encountered a new threat that is being distributed through Google advertisements, among other methods: a seemingly innocent PDF editor that actually opens a backdoor into corporate networks.

An ordinary looking PDF editor, but appearances are deceiving

The PDF editor had been functioning like normal software for quite some time. However, at one of our customers we noticed unexpected behavior and immediately informed them. The client indicated that the user had not performed any abnormal activities; in fact, the user wasn’t even using their device at that moment. This incident triggered an in-depth investigation.

Through the investigation, the Jarviss SOC team built an Indicators of Compromise (IoC) list. The team then used this list proactively to scan the environments of other customers as well. It quickly became clear that this was widespread malware: the PDF editor was present in multiple environments.

The ultimate goal of the campaign is not yet fully clear, but its behavior points toward an information stealer or a backdoor.


How the attack works

Stage 1:

The malware, known by the name Appsuite, is distributed via malvertising campaigns. Users who click on the advertisements end up on a download page offering the installation file “AppSuite-PDF.msi”.

Once this file is executed, a usable PDF application does appear. In the background, however, a scheduled task is created and two files are dropped: “PDFEditor.exe” and “PDFEditorSetup.exe”.

Our analysis shows that when “PDFEditor.exe” or “PDFEditorSetup.exe” is present on a system, there’s a high probability that the malware is active. Other IoCs are being investigated, but their exact impact is still uncertain.


Stage 2:

That scheduled task starts the process “PDFEditor.exe”, and that is where the malicious code becomes active. The task launches a command daily at a fixed time that performs a ‘partialupdate’:

"C:\Users\<user>\PDFEditor\PDF Editor" --cm=--partialupdate

This command in turn initiates various other actions. The malware uses registry queries to check for installed security tools (Bitdefender, G DATA, Fortinet, Check Point, Kaspersky and Zillya, among others) and uses taskkill to terminate the Chrome and Edge browser processes:

C:\WINDOWS\system32\cmd.exe /d /s /c "reg query "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\G DATA ANTIVIRUS" /v "UninstallString""
C:\WINDOWS\system32\cmd.exe /d /s /c "reg query "HKLM\Software\Fortinet""
C:\WINDOWS\system32\cmd.exe /d /s /c "taskkill /IM chrome.exe"
C:\WINDOWS\system32\cmd.exe /d /s /c "reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\EPISoftware EpiBrowser" /v "UninstallString""
C:\WINDOWS\system32\cmd.exe /d /s /c "reg query "HKCU\Software\CheckPoint\ZANG""
C:\WINDOWS\system32\cmd.exe /d /s /c "reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\Bitdefender" /v "UninstallString""
C:\WINDOWS\system32\cmd.exe /d /s /c "reg query "HKCU\Software\KasperskyLabSetup""
C:\WINDOWS\system32\cmd.exe /d /s /c "taskkill /F /IM msedge.exe"
C:\WINDOWS\system32\cmd.exe /d /s /c "reg query "HKCU\Software\Zillya\Zillya Antivirus""
C:\WINDOWS\system32\cmd.exe /d /s /c "reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Bitdefender" /v "UninstallString""


Stage 3:

A number of devices established connections with command-and-control (C2) domains after a certain period of time. Further investigation is required to determine whether this is due to a hard-coded date within the malware. Another possibility is that the malware must remain installed for a specific duration before attempting to connect to the domains.

  • 5b7crp[.]com
  • y2iax5[.]com
  • abf26u[.]com
  • mka3e8[.]com
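The three stages above translate directly into host-based detection logic. The following is an added example, not Jarviss SOC's own detection rules: it takes Sysmon-style process-creation and DNS-query records, applies rules derived from the IoCs on this page (the dropped file names, the ‘--cm=--partialupdate’ task argument, reg queries against security-vendor keys launched from the editor, taskkill of Chrome/Edge, and lookups of the four C2 domains), and flags a host once two or more distinct rules fire on it. The event layout, host names and sample telemetry are constructed for the example; the threshold of two rules is an assumption.

```python
"""Detection logic for the AppSuite PDF-editor campaign (added example).

Rules are derived from the IoCs on the page; the event format and sample
telemetry are constructed and are not real logs or Jarviss's own rules.
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Indicators taken from the page
SUSPICIOUS_IMAGES = {"pdfeditor.exe", "pdfeditorsetup.exe", "appsuite-pdf.msi"}
C2_DOMAINS = {"5b7crp.com", "y2iax5.com", "abf26u.com", "mka3e8.com"}
SECURITY_VENDORS = ("bitdefender", "g data", "fortinet", "checkpoint",
                    "kaspersky", "zillya")
BROWSERS = {"chrome.exe", "msedge.exe"}

REG_QUERY_RE = re.compile(r'reg\s+query\s+"?(HK(?:LM|CU)\\[^"]*)', re.I)
TASKKILL_RE = re.compile(r'taskkill\b.*?/IM\s+"?([\w.\-]+)', re.I)


def _basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def _normalise(cmdline: str) -> str:
    # Copy/paste and typography often turn '--' into an en dash and straight
    # quotes into curly ones; fold both so either spelling matches.
    return (cmdline.replace("\u2013", "--")
                   .replace("\u201c", '"').replace("\u201d", '"'))


def evaluate_process(ev: dict) -> list[str]:
    """Return the names of the rules that match one process-creation event."""
    hits = []
    image, parent = _basename(ev["image"]), _basename(ev.get("parent_image", ""))
    cmd = _normalise(ev.get("cmdline", ""))
    if image in SUSPICIOUS_IMAGES or parent in SUSPICIOUS_IMAGES:
        hits.append("appsuite_binary")           # Stage 1: dropped files
    if "--cm=--partialupdate" in cmd.lower():
        hits.append("appsuite_partialupdate")    # Stage 2: scheduled task
    m = REG_QUERY_RE.search(cmd)
    if m and any(v in m.group(1).lower() for v in SECURITY_VENDORS):
        hits.append("security_tool_discovery")   # Stage 2: reg query for AV
    m = TASKKILL_RE.search(cmd)
    if m and m.group(1).lower() in BROWSERS:
        hits.append("browser_kill")              # Stage 2: taskkill chrome/edge
    return hits


def evaluate_dns(ev: dict) -> list[str]:
    """Rule hits for one DNS-query event; matches the C2 domain or a subdomain."""
    name = ev["query"].lower().rstrip(".")
    if any(name == d or name.endswith("." + d) for d in C2_DOMAINS):
        return ["c2_domain_lookup"]              # Stage 3: C2 contact
    return []


def hunt(events: list[dict]) -> dict[str, set[str]]:
    """Collect the distinct rules that fired per host."""
    per_host: dict[str, set[str]] = defaultdict(set)
    for ev in events:
        hits = evaluate_dns(ev) if ev["type"] == "dns" else evaluate_process(ev)
        per_host[ev["host"]].update(hits)
    return dict(per_host)


def likely_infected(events: list[dict], threshold: int = 2) -> list[str]:
    """Hosts on which at least `threshold` distinct rules fired (assumed cut-off)."""
    return sorted(h for h, rules in hunt(events).items() if len(rules) >= threshold)


# Constructed sample telemetry. WS01 mirrors the behaviour described on the
# page; WS02 is a benign host whose reg query must not trigger the rules.
SAMPLE_EVENTS = [
    {"type": "process", "host": "WS01",
     "image": r"C:\Users\alice\PDFEditor\PDFEditor.exe",
     "parent_image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r'"C:\Users\alice\PDFEditor\PDF Editor" --cm=--partialupdate'},
    {"type": "process", "host": "WS01",
     "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Users\alice\PDFEditor\PDFEditor.exe",
     "cmdline": r'C:\WINDOWS\system32\cmd.exe /d /s /c "reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\Bitdefender" /v "UninstallString""'},
    {"type": "process", "host": "WS01",
     "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Users\alice\PDFEditor\PDFEditor.exe",
     "cmdline": r'C:\WINDOWS\system32\cmd.exe /d /s /c "taskkill /F /IM msedge.exe"'},
    {"type": "dns", "host": "WS01", "query": "mka3e8.com"},
    {"type": "process", "host": "WS02",
     "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'cmd.exe /c reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion" /v ProductName'},
    {"type": "dns", "host": "WS02", "query": "update.microsoft.com"},
]

if __name__ == "__main__":
    for host, rules in hunt(SAMPLE_EVENTS).items():
        print(host, sorted(rules))
    print("likely infected:", likely_infected(SAMPLE_EVENTS))
```

Requiring two independent rules before flagging a host keeps a lone administrator's reg query or a single browser restart from paging the SOC, while a host that shows the dropped binary plus any of the Stage 2 or Stage 3 behaviours is escalated for containment. The same rules can be expressed in an EDR query language once the field names are mapped.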

Active detection and response from the Jarviss SOC

Within the Jarviss SOC, we are closely monitoring this threat. When the Jarviss SOC first noticed this strange behavior at one of our customers, not a single security tool could yet detect this software. Using a current list of IoCs, we identify potentially infected hosts and immediately take containment measures. Jarviss has written detection rules and created blocklists based on these IoCs. Thanks to this approach, we can respond quickly and in a targeted way, and protect organizations against further spread or data loss.

Initially, Jarviss SOC informed all MXDR/SOC customers and provided the necessary recommended actions. Since it quickly became clear that the malware was present in multiple environments, we extended our services to all XDR clients as well. Because many security tools had no detection capabilities at that time, it became apparent that XDR clients with other SOC providers were not yet aware of this threat. Jarviss SOC supported these clients by sharing the IoC list with them and, where necessary, conducting further investigation on their behalf.

At the bottom of this article you will find the IoC list compiled by Jarviss SOC during the investigation. If you see one of these IoCs in your environment, we strongly recommend engaging an Incident Response team, such as Jarviss.

Best practices for organizations

The Jarviss SOC advises IT professionals and management to be extra vigilant. Some concrete recommendations:

  • Download software exclusively from trusted suppliers or official app stores.
  • Monitor endpoints for the presence of “PDFEditor.exe”, “PDFEditorSetup.exe”, “Unstall PDF Editor.exe” and “AppSuite-PDF.msi”, for their file hashes, and for other related IoCs.
  • Ensure that EDR and antivirus solutions are up-to-date and can respond to unknown variants.
  • Integrate current IoC feeds into threat hunting and monitoring processes (C2, BadDomains, Hash, Signers).
  • Create awareness among employees and management about the risks of malvertising and fake software.
  • Wipe devices that have been infected with this malware.

Conclusion

Appsuite is a clear example of how cybercriminals use legitimate technologies to stay under the radar. The Jarviss SOC continues to actively monitor this threat to detect infections in a timely manner and protect organizations.

If you see one of the IoCs below in your environment, we recommend engaging an Incident Response team such as Jarviss.

Click here to download: IoC list