AppSuite PDF Editor ships with a sophisticated backdoor that enables threat actors to execute arbitrary commands on compromised Windows systems.
AppSuite was initially flagged as a potentially unwanted program (PUP) because of its aggressive installation behavior; its true nature became clear only when its malicious components were deobfuscated and analyzed.
Threat actors used high-ranking PDF tool websites to distribute a deceptive MSI installer posing as a legitimate productivity application.
These sites, reminiscent of earlier trojan horse campaigns such as JustAskJacky, direct victims to download a WiX-built MSI package.
Once executed, the installer fetches the Electron-based PDF Editor from vault.appsuites.ai into the user’s profile and establishes persistence by scheduling future executions with the --cm=--fullupdate switch.
The heart of the compromise resides in pdfeditor.js, an obfuscated JavaScript file containing the backdoor logic.
Supporting files include UtilityAddon.node, a native Node addon (a helper DLL) used for persistence via scheduled tasks, and NSIS-based binaries that add registry autorun entries.
Only 17 of the 3,661 deobfuscated lines relate to the PDF editing GUI; the remainder drives the backdoor’s routines.
Command-Line Switches and “wc Routines”
AppSuite translates user-facing switches (e.g., --install, --ping, --check, --reboot, --cleanup) into internal “wc routines” that perform installation, cleanup, configuration polling, and command execution.
The --partialupdate and --fullupdate switches contact the command-and-control (C2) server to retrieve configurations and arbitrary command templates, which are then executed on the host; the same routines drive the browser-credential handling described later.
During the --install routine, the backdoor obtains a SID via the UtilityAddon DLL, registers with the C2 at appsuites.ai/api/s3/new, and stores the installation ID and SID in an encrypted LOG1 file.
To derive the key for that file, it removes all ‘-’ characters from the installation ID string and builds the encryption key by concatenating ‘276409396fcc0a23’ with the first 0x10 (16) bytes of the processed installation ID.
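The key construction above, reproduced as an added example (this is not code from the AppSuite backdoor or from the researchers’ report). The article states only how the key is built, not which cipher consumes it, so the example stops at the key. The installation ID below is a constructed, UUID-shaped placeholder, and the functions return null rather than a truncated key when the ID cannot supply 16 bytes.

```javascript
// Added example, not the malware's own code: rebuilds the LOG1 key exactly as
// described in the write-up (static prefix + first 0x10 bytes of the
// dash-stripped installation ID). The cipher that uses this key is not stated
// in the article, so nothing here decrypts anything.

const STATIC_KEY_PREFIX = '276409396fcc0a23'; // 16 characters, quoted from the analysis
const ID_BYTES_USED = 0x10;                    // first 16 bytes of the normalized ID

// Remove every '-' from the installation ID, as the --install routine does.
function normalizeInstallationId(installationId) {
  if (typeof installationId !== 'string') {
    throw new TypeError('installation ID must be a string');
  }
  return installationId.replace(/-/g, '');
}

// Build the 32-character key string. Returns null when the normalized ID is
// shorter than 16 bytes so callers never work with a silently truncated key.
function buildLog1Key(installationId) {
  const normalized = normalizeInstallationId(installationId);
  const bytes = Buffer.from(normalized, 'utf8');
  if (bytes.length < ID_BYTES_USED) {
    return null;
  }
  const idPart = bytes.subarray(0, ID_BYTES_USED).toString('utf8');
  return STATIC_KEY_PREFIX + idPart;
}

// Same key as raw bytes (32 bytes, i.e. 256 bits) for handing to a cipher API.
function buildLog1KeyBytes(installationId) {
  const key = buildLog1Key(installationId);
  return key === null ? null : Buffer.from(key, 'utf8');
}

// Constructed placeholder ID; not an observed indicator.
const SAMPLE_INSTALLATION_ID = '12345678-abcd-ef01-2345-6789abcdef01';

console.log('normalized ID :', normalizeInstallationId(SAMPLE_INSTALLATION_ID));
console.log('LOG1 key      :', buildLog1Key(SAMPLE_INSTALLATION_ID));
console.log('key length    :', buildLog1KeyBytes(SAMPLE_INSTALLATION_ID).length, 'bytes');
```

For an analyst, the useful observation is that the key is entirely determined by the installation ID: recover that ID from the host or from C2 registration traffic and the LOG1 key follows, with no secret material needed beyond the hard-coded prefix.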

It then creates two scheduled tasks, one that triggers --partialupdate after a one-day delay and another that repeatedly invokes --ping; the delay helps the backdoor stay quiet inside sandboxes, whose analysis windows are typically far shorter than a day.
The --cleanup routine, invoked by the uninstaller, unregisters the installation from the server and removes the scheduled tasks.
However, additional tasks created during runtime and residual backdoor access render the official uninstaller ineffective; full remediation requires repaving the system to eliminate unauthorized persistence.
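Because the uninstaller cannot be trusted to remove every task, responders need to enumerate scheduled-task actions themselves. The following triage helper is an added example (not code from the report or the malware) that flags task actions carrying the switches named in this article, or pointing at appsuites.ai. The task records are constructed to mirror the task name, executable and arguments a defender would export with PowerShell’s Get-ScheduledTask or schtasks /query; the install path and executable name are assumptions, since the article does not give them.

```javascript
// Added example, not the researchers' or the malware's code: scan exported
// scheduled-task actions for the AppSuite indicators named in the write-up.
// Input records are constructed; the AppSuite directory and executable name
// are assumptions (the article names the app only as "PDF Editor").

// Switches the article lists, with or without the --cm= wrapper seen on the
// installer-created task (--cm=--fullupdate).
const APPSUITE_SWITCH = /(?:^|\s)(?:--cm=)?--(install|ping|check|reboot|cleanup|partialupdate|fullupdate)\b/;
const APPSUITE_DOMAIN = /appsuites\.ai/i; // vault.appsuites.ai, sdk.appsuites.ai per the article
const APPSUITE_PATH = /appsuite/i;        // assumption: install directory is named after AppSuite

// Return the list of reasons a single task action looks like AppSuite persistence.
function classifyTaskAction(task) {
  const reasons = [];
  const args = task.arguments || '';
  const exe = task.execute || '';
  const m = APPSUITE_SWITCH.exec(args);
  if (m) reasons.push(`backdoor switch --${m[1]}`);
  if (APPSUITE_DOMAIN.test(args) || APPSUITE_DOMAIN.test(exe)) reasons.push('references appsuites.ai');
  if (APPSUITE_PATH.test(exe)) reasons.push('executable under an AppSuite path (assumed naming)');
  return reasons;
}

// Filter a task export down to the suspicious entries, keeping the reasons.
function findAppSuiteTasks(tasks) {
  return tasks
    .map((t) => ({ taskName: t.taskName, reasons: classifyTaskAction(t) }))
    .filter((r) => r.reasons.length > 0);
}

// Constructed sample export: two benign Windows/vendor tasks and two that
// resemble the --fullupdate and --ping tasks described in the article.
const SAMPLE_TASKS = [
  { taskName: '\\Microsoft\\Windows\\Defrag\\ScheduledDefrag',
    execute: '%windir%\\system32\\defrag.exe', arguments: '-c -h -o -$' },
  { taskName: '\\PDFEditorUpdate',
    execute: 'C:\\Users\\alice\\AppData\\Local\\AppSuite\\PDF Editor\\pdfeditor.exe',
    arguments: '--cm=--fullupdate' },
  { taskName: '\\PDFEditorPing',
    execute: 'C:\\Users\\alice\\AppData\\Local\\AppSuite\\PDF Editor\\pdfeditor.exe',
    arguments: '--ping' },
  { taskName: '\\Adobe Acrobat Update Task',
    execute: 'C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\AdobeARM.exe',
    arguments: '' },
];

for (const hit of findAppSuiteTasks(SAMPLE_TASKS)) {
  console.log(hit.taskName, '=>', hit.reasons.join('; '));
}
```

A bare --install or --check argument is a weak signal on its own, since legitimate updaters use similar switches; treat a switch hit as actionable when it coincides with an executable in the user profile or a reference to the appsuites.ai domain, and review the task trigger as well, because the article describes a one-day delayed trigger that a quick look at recently-run tasks would miss.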
C2-Supplied Templates
The most severe capability emerges in the --check and --reboot routines. After verifying timing constraints to avoid repeated execution, the backdoor fetches encrypted command templates from sdk.appsuites.ai/api/s3/options and …/config.
These templates allow direct execution of arbitrary commands—such as registry modifications, browser preference manipulation, or launching additional malware—on the infected system.
Additional handlers target Chromium-based browsers and custom applications like OneLaunch and Wave Browser.
They exfiltrate user preferences, decrypt saved credentials via the UtilityAddon DLL, and overwrite local configuration files. Registry keys are modified or added to maintain persistence or disable security tools.
AppSuite PDF Editor is indisputably malicious, combining a functional PDF editor with a fully featured backdoor.
The audacious tactic of submitting the malware to security vendors as a supposed false positive, in an attempt to get detections removed, highlights an emerging threat actor strategy.
Security vendors should treat suspicious “productivity tools” with heightened scrutiny, and organizations encountering AppSuite infections must repave affected machines to ensure complete removal.
Free PDF editors remain in high demand, but this incident underscores the critical need for vendor and user vigilance against trojanized software.