Showing posts from November, 2023

Fake PDF converter leading to malicious Electron application through a WebView2 ⤜(ⱺ ʖ̯ⱺ)⤏

In October 2023 the neonprimetime user reported on X (I hate this name) a possible new Redline stealer variant masquerading as a PDF converter named PdfConverters.exe (74b6039660be3eda726a4eee209679ba). This sample has a pretty interesting and unusual installation routine, so I decided to take a closer look at it.

WebView2 application dropper

WebView2 allows you to embed web technologies (HTML, CSS, and JavaScript) in your native apps. It has already been proved that this vector can be used for malicious purposes; however, it is not popular among attackers. The sample drops such an application into the %TEMP%\.net\PdfConverters directory. It also creates another folder, %TEMP%\PdfConverters.WebView2, which the app uses as its user data directory. Then it loads the application through msedgewebview2.exe.

PdfConverters process tree

As already described by Noch Lab in his blog post, the main code of the application is written in C# and resides in app.dll (2e92db69ebdab1e5250985fc08ca87df