PDF Editor AppSuite Secretly Executes Unwanted Commands on Compromised Systems Due to Hack
In a recent development, a sophisticated malware campaign has emerged, preying on users seeking free PDF editing software. The malware, disguised as the legitimate "AppSuite PDF Editor," has been causing concern among cybersecurity experts.
The malicious application is built on the Electron framework, so it runs as a cross-platform desktop application written in JavaScript. Upon execution, the installer downloads the actual PDF editor program from vault.appsuites.ai and registers the infected system with command and control servers at appsuites.ai and sdk.appsuites.ai.
G Data researchers have identified this malware as a classic trojan horse containing a sophisticated backdoor component. The malware's primary scheduled task executes 1 day, 0 hours, and 2 minutes after installation, a delay designed to outlast the execution window of sandbox detection systems.
The AppSuite PDF Editor malware is linked to threat actors who exploit high-ranking PDF tool websites to distribute a deceptive installer containing a sophisticated backdoor. However, the specific group behind this malware has not been explicitly identified or named in the available sources.
The malware's most dangerous feature is its ability to execute arbitrary commands on infected systems. It operates through a set of command-line switches that control the various backdoor functions, including -install, -ping, -check, -reboot, and -cleanup.
Each routine serves a specific purpose in maintaining system compromise and facilitating remote control. The malware contacts sdk.appsuites.ai/api/s3/options to retrieve flexible command templates.
The malware's communication protocol utilizes AES-128-CBC and AES-256-CBC encryption for secure data transmission with command and control servers, making network-based detection challenging for traditional security solutions.
The persistence strategy of the malware involves creating multiple scheduled tasks with calculated execution delays. This strategy allows the malware to remain active on infected systems, even after a reboot.
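The indicators described above (the appsuites.ai domains, the backdoor switches, and the 1 day 0 hours 2 minutes task delay) can be turned into a small triage routine for endpoint telemetry. The following is an added example written for this page, not code from G Data or from the malware itself; the event format, the sample events, the executable path, the task name and the "pdf" image-name heuristic are constructed assumptions.

```python
from datetime import datetime, timedelta

# Indicators taken from the write-up above (domains and backdoor switches).
C2_DOMAINS = ("appsuites.ai", "sdk.appsuites.ai", "vault.appsuites.ai")
BACKDOOR_SWITCHES = {"-install", "-ping", "-check", "-reboot", "-cleanup"}
# The reported primary task fires 1 day, 0 hours, 2 minutes after install;
# the tolerance window is an assumption made for this example.
REPORTED_DELAY = timedelta(days=1, minutes=2)
DELAY_TOLERANCE = timedelta(minutes=10)


def is_c2_host(host):
    """True if host is one of the reported C2/download domains or a subdomain."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in C2_DOMAINS)


def backdoor_switches(cmdline):
    """Return the reported backdoor switches present in a process command line."""
    return sorted(t for t in set(cmdline.lower().split()) if t in BACKDOOR_SWITCHES)


def delay_matches(created, first_run):
    """True if a task's first run is scheduled about 1d 0h 2m after creation."""
    return abs((first_run - created) - REPORTED_DELAY) <= DELAY_TOLERANCE


def triage(events):
    """Run the three checks over telemetry events and return (kind, detail) findings."""
    findings = []
    for ev in events:
        if ev["type"] == "dns" and is_c2_host(ev["host"]):
            findings.append(("c2_dns", ev["host"]))
        elif ev["type"] == "process":
            hits = backdoor_switches(ev["cmdline"])
            # Assumption: only report switches on PDF-editor-like images, since
            # switches such as -check are common in benign updaters.
            if hits and "pdf" in ev["image"].lower():
                findings.append(("backdoor_switch", ",".join(hits)))
        elif ev["type"] == "task" and delay_matches(ev["created"], ev["first_run"]):
            findings.append(("delayed_task", ev["name"]))
    return findings


# Constructed sample telemetry, not real logs from the campaign.
SAMPLE_EVENTS = [
    {"type": "dns", "host": "sdk.appsuites.ai"},
    {"type": "dns", "host": "example.org"},
    {"type": "process", "image": r"C:\Users\u\AppData\Local\pdfeditor\editor.exe",
     "cmdline": "editor.exe -install"},
    {"type": "process", "image": r"C:\Program Files\Tool\updater.exe",
     "cmdline": "updater.exe -check"},
    {"type": "task", "name": "PDFEditorUpdate", "created": datetime(2025, 8, 1, 12, 0),
     "first_run": datetime(2025, 8, 2, 12, 2)},
]

if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_EVENTS):
        print(f"{kind}: {detail}")
```

Running the block prints one finding per check; the delay check only matters when task creation and first-run timestamps are both available in the telemetry.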
The malware has generated significant download activity, with over 28,000 download attempts recorded in a single week. It targets popular browsers including Wave, Shift, OneLaunch, Chrome, and Edge, extracting encryption keys and manipulating browser preferences.
The malware is distributed through high-ranking websites designed to appear as legitimate download portals for productivity tools. Users are advised to exercise caution when downloading software from unverified sources and to keep their systems updated with the latest security patches.
In conclusion, the AppSuite PDF Editor malware poses a significant threat to users seeking free PDF editing software. It is essential to be vigilant and practice safe downloading habits to protect against such malicious attacks.