AppSuite PDF Editor Hacked to Execute Arbitrary Commands on The Infected System

A sophisticated malware campaign has emerged targeting users seeking free PDF editing software, with cybercriminals distributing a malicious application masquerading as the legitimate “AppSuite PDF Editor.”

The malware, packaged as a Microsoft Installer (MSI) file, has been distributed through high-ranking websites designed to appear as legitimate download portals for productivity tools.

These deceptive sites share striking similarities to previously identified trojan distribution networks, including the notorious JustAskJacky campaign.

The threat actors behind this campaign have gone a step further than most: they submitted their own malware to antivirus vendors as false-positive reports, in an attempt to get existing detections removed.

Initially flagged as a potentially unwanted program, the application appeared to offer legitimate PDF editing functionality while concealing its true malicious nature.

The installer, built with the open-source WiX toolset, contains no editor itself: once it runs and the End User License Agreement is accepted, it downloads the actual PDF editor program from vault.appsuites.ai.

G Data researchers identified the malware as a classic trojan horse containing a sophisticated backdoor component.

Their analysis revealed that the application is built on the Electron framework, allowing it to function as a cross-platform desktop application using JavaScript.

The researchers noted that the malware has generated significant download activity, with over 28,000 download attempts recorded in their telemetry within a single week, highlighting the campaign’s extensive reach and potential impact on users worldwide.

The malware operates through a complex system of command-line switches that control various backdoor functionalities.

When executed without specific parameters, the application initiates an installation routine that registers the infected system with command and control servers located at appsuites.ai and sdk.appsuites.ai.

The registration process involves obtaining a unique installation ID and creating persistent scheduled tasks named “PDFEditorScheduledTask” and “PDFEditorUScheduledTask” that ensure the malware remains active on the compromised system.

Advanced Persistence and Command Execution Mechanisms

The most concerning aspect of the AppSuite PDF Editor malware lies in its sophisticated command execution capabilities and persistence mechanisms.

The malware is driven by command-line switches that map onto what the developers internally call "wc routines", including --install, --ping, --check, --reboot, and --cleanup.

Each routine serves a specific purpose in maintaining system compromise and facilitating remote control.

The backdoor’s most dangerous feature is its ability to execute arbitrary commands on infected systems through server-supplied command templates.

The malware contacts sdk.appsuites.ai/api/s3/options to retrieve flexible command templates that can be dynamically adjusted by the threat actors.

This architecture allows attackers to adapt their approach based on the specific environment and security posture of each compromised system.

Command-template endpoint (defanged): hxxps://sdk.appsuites(dot)ai/api/s3/options

The persistence strategy involves creating multiple scheduled tasks with carefully calculated execution delays.

The primary scheduled task is triggered 1 day, 0 hours, and 2 minutes after installation. The delay is a sandbox-evasion measure: automated analysis systems typically observe a sample for minutes, not days, so the backdoor never runs while it is being watched.
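The two host- and network-level indicators the article gives, the scheduled task names with their day-long trigger delay and the appsuites.ai infrastructure with its /api/s3/options endpoint, lend themselves to a small hunting script. The following is an added example for defenders, not code from G Data or from the malware: it parses Task Scheduler XML (the files under C:\Windows\System32\Tasks use the schema namespace shown) and flags tasks by name or by an unusually long trigger delay, and it scans proxy-style log lines for contact with the C2 domain. The XML sample, the log lines, the executable path in the sample task and the 23-hour delay threshold are all constructed assumptions for illustration.

```python
"""Hunting helpers for the AppSuite PDF Editor indicators (added example)."""
import re
import xml.etree.ElementTree as ET
from datetime import timedelta

# Indicators from the article; the threshold below is an assumption.
TASK_NAMES = {"PDFEditorScheduledTask", "PDFEditorUScheduledTask"}
C2_DOMAINS = ("appsuites.ai",)          # matches the apex and any subdomain
C2_PATH = "/api/s3/options"             # command-template endpoint
LONG_DELAY = timedelta(hours=23)        # assumption: day-long delays are suspicious
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}


def parse_duration(text):
    """Parse an ISO-8601 duration as Task Scheduler writes it, e.g. P1DT0H2M."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", text.strip())
    if not m:
        return None
    d, h, mi, s = (int(g) if g else 0 for g in m.groups())
    return timedelta(days=d, hours=h, minutes=mi, seconds=s)


def inspect_task(xml_text):
    """Return the reasons a task definition looks like this implant, or [] if clean.

    Real task files are UTF-16; read them with encoding="utf-16" before calling.
    """
    root = ET.fromstring(xml_text)
    uri = root.findtext("t:RegistrationInfo/t:URI", default="", namespaces=NS)
    name = uri.rsplit("\\", 1)[-1]          # URI is the task path, e.g. \PDFEditorScheduledTask
    reasons = []
    if name in TASK_NAMES:
        reasons.append(f"known task name {name}")
    for delay in root.iterfind(".//t:Delay", NS):   # Delay sits under the trigger elements
        d = parse_duration(delay.text or "")
        if d is not None and d >= LONG_DELAY:
            reasons.append(f"trigger delayed {d}")
    if reasons:                             # add what a flagged task actually runs, for triage
        for exe in root.iterfind(".//t:Actions/t:Exec", NS):
            cmd = exe.findtext("t:Command", default="", namespaces=NS)
            args = exe.findtext("t:Arguments", default="", namespaces=NS)
            reasons.append(f"action: {cmd} {args}".strip())
    return reasons


HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)


def scan_log(lines):
    """Return (line_no, host, note) for each line that contacts the C2 domain.

    Suffix matching is anchored on a dot so that e.g. notappsuites.ai is not a hit.
    """
    hits = []
    for n, line in enumerate(lines, 1):
        for host in HOST_RE.findall(line):
            h = host.lower()
            if any(h == d or h.endswith("." + d) for d in C2_DOMAINS):
                note = "command-template fetch" if C2_PATH in line else "infrastructure contact"
                hits.append((n, h, note))
                break
    return hits


# Constructed sample task: name and delay from the article, executable path assumed.
SAMPLE_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\PDFEditorScheduledTask</URI></RegistrationInfo>
  <Triggers><RegistrationTrigger><Delay>P1DT0H2M</Delay></RegistrationTrigger></Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\\Program Files\\PDF Editor\\PDF Editor.exe</Command><Arguments>--ping</Arguments></Exec>
  </Actions>
</Task>"""

# Constructed benign task for comparison: no known name, no long delay.
BENIGN_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\Microsoft\\Windows\\Defrag\\ScheduledDefrag</URI></RegistrationInfo>
  <Triggers><CalendarTrigger><StartBoundary>2025-01-01T01:00:00</StartBoundary></CalendarTrigger></Triggers>
  <Actions><Exec><Command>%windir%\\system32\\defrag.exe</Command></Exec></Actions>
</Task>"""

# Constructed proxy log lines (timestamp, client, method, URL, status).
SAMPLE_LOG = [
    "2025-08-27T09:58:12Z 10.1.2.34 GET https://vault.appsuites.ai/ 200",
    "2025-08-27T09:59:40Z 10.1.2.34 POST https://sdk.appsuites.ai/api/s3/options 200",
    "2025-08-27T10:00:01Z 10.1.2.35 GET https://www.example.com/ 200",
    "2025-08-27T10:00:07Z 10.1.2.36 GET https://notappsuites.ai/ 200",
]

if __name__ == "__main__":
    for label, xml in (("sample", SAMPLE_TASK), ("benign", BENIGN_TASK)):
        print(label, inspect_task(xml) or "clean")
    for hit in scan_log(SAMPLE_LOG):
        print("log line %d: %s (%s)" % hit)
```

On a live host the same logic can be run over every file under C:\Windows\System32\Tasks; the name check catches this specific campaign, while the delay check is the more durable signal, since a renamed task still needs its day-long wait to survive sandboxing.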

[Figure: the PDF editor advertised on various websites with different designs (Source: G Data)]

Additionally, the malware targets Chromium-based browsers including Wave, Shift, OneLaunch, Chrome, and Edge, reading the encryption keys that protect their stored data and modifying browser preferences, to maintain long-term access to user data and credentials.

[Figure: MSI file metadata showing WiX Toolset origins (Source: G Data)]

The malware’s communication protocol encrypts traffic to the command and control servers with AES-128-CBC and AES-256-CBC, so content-based network inspection sees little of value; the fixed domains themselves (appsuites.ai, sdk.appsuites.ai, vault.appsuites.ai) remain the practical network indicators.



About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.