New HydraSeven malware loader found in the wild

Updated Nov 22, 2023
Updated notes are at the bottom of the page.

Hello World! I am investigating a new malware loader and calling this unknown loader Hydra Seven. Here are some of the details.

Over the past several weeks there has been some limited chatter about a suspicious PDF application (pdfconverters.exe, pdfunk.exe). The first details I ran across were in this twitter post

The initial analysis suggests the malware may be related to RedLine, based on heuristic detections from a couple of security vendors. This is possible, though I haven't been able to verify RedLine yet; I'm still working on it. I started digging into pdfconverters.exe, which leads to a download and install of AppData\Local\Temp\PDFunk-Setup.exe and ultimately AppData\Local\Programs\PDFunk\PDFunk.exe.

Traffic when running PDFunk.exe shows a User-Agent that includes "PDFunk/1.0.0 " along with connections to a variety of suspicious domains. Additionally, when PDFunk runs, it launches several other PDFunk processes, but only one of them makes the network calls. At some point PDFunk also appears to perform some sort of update when it runs with the command line option "AppData\Local\Programs\PDFunk\PDFunk.exe --stp".

Wanting to understand a bit more, I did a quick search online for additional information before continuing my own investigation. What I found was a very interesting write-up from nochlab

This write-up helps show some of the execution flow: when we launch pdfconverters.exe we do see execution of "msedgewebview2.exe". We also see several files loaded/dropped from AppData\Local\Temp\.net\PdfConverters\, including the app.dll which nochlab detailed. App.dll can be found here:

So, this is where things start to get interesting. Nochlab talked about main.js but didn't go very far in depth on it. I grabbed a copy of main.js using Fiddler with HTTPS decryption. The original, highly obfuscated file can be found here

I was able to get bits and pieces of this deobfuscated. Here are some of the interesting details I've observed so far.

The following data suggests that main.js watches for analysis tools currently running; presumably main.js then changes its execution. I will work on this later and update. Here are those strings:

A = 'apimonitor-x64;apimonitor-x86;autopsy64;autopsy;autoruns64;autoruns;autorunsc64;autorunsc;binaryninja;blacklight;cff explorer;cutter;de4dot;debugview;diskmon;dnsd;dnspy;dotpeek32;dotpeek64;dumpcap;evidence center;exeinfope;fakedns;fakenet;ffdec;fiddler;fileinsight;floss;gdb;hiew32demo;hiew32;hollows_hunter;idaq64;idaq;idr;ildasm;ilspy;jd-gui;lordpe;officemalscanner;ollydbg;pdfstreamdumper;pe-bear;pebrowse64;peid;pe-sieve32;pe-sieve64;pestudio;peview;ppee;procdump64;procdump;processhacker;procexp64;procexp;procmon;prodiscoverbasic;py2exedecompiler;r2agent;rabin2;radare2;ramcapture64;ramcapture;reflector;regmon;resourcehacker;retdec-ar-extractor;retdec-bin2llvmir;retdec-bin2pat;retdec-config;retdec-fileinfo;retdec-getsig;retdec-idr2pat;retdec-llvmir2hll;retdec-macho-extractor;retdec-pat2yara;retdec-stacofin;retdec-unpacker;retdec-yarac;rundotnetdll;sbiesvc;scdbg;scylla_x64;scylla_x86;shellcode_launcher;sysmon64;task explorer;task explorer-x64;tcpdump;tcpvcon;tcpview;vboxservice;win32_remote;win64_remotex64;windbg;windump;winhex64;winhex;winobj;wireshark;x32dbg;x64dbg;xwforensics64;xwforensics;vmtoolsd;prl_cc;prl_tools;prl_tools_service'.split( ';' ),
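As an added triage example (not code from the original post or from the malware), the following Python pulls long semicolon-delimited string literals out of a JS sample and checks them against the tool names seen in the list above, so a deobfuscated main.js can be flagged for this kind of anti-analysis check. The sample JS text and the score threshold are constructed for the example.

```python
import re

# Subset of the analysis-tool names carried in the HydraSeven main.js list shown above.
KNOWN_ANALYSIS_TOOLS = {
    "apimonitor-x64", "apimonitor-x86", "autoruns", "autoruns64", "binaryninja", "cutter",
    "de4dot", "debugview", "dnspy", "dumpcap", "fakenet", "fiddler", "floss", "gdb",
    "hollows_hunter", "idaq", "idaq64", "ilspy", "ollydbg", "pe-bear", "pe-sieve64",
    "pestudio", "procdump", "processhacker", "procexp", "procexp64", "procmon", "radare2",
    "scylla_x64", "sysmon64", "tcpdump", "tcpview", "vboxservice", "vmtoolsd", "windbg",
    "wireshark", "x32dbg", "x64dbg", "prl_tools",
}

# Single- or double-quoted JS string literal, tolerating backslash escapes inside it.
STRING_LITERAL = re.compile(r"'([^'\\]*(?:\\.[^'\\]*)*)'|\"([^\"\\]*(?:\\.[^\"\\]*)*)\"")


def extract_tool_lists(js_source, min_items=5):
    """Return every semicolon-delimited literal with at least min_items entries, lowercased."""
    lists = []
    for m in STRING_LITERAL.finditer(js_source):
        literal = m.group(1) if m.group(1) is not None else m.group(2)
        items = [s.strip().lower() for s in literal.split(";") if s.strip()]
        if len(items) >= min_items:
            lists.append(items)
    return lists


def score_anti_analysis(js_source, threshold=10):
    """Flag a sample whose embedded lists name at least `threshold` known analysis tools."""
    matched = set()
    for items in extract_tool_lists(js_source):
        matched.update(t for t in items if t in KNOWN_ANALYSIS_TOOLS)
    return {"matched": sorted(matched), "suspicious": len(matched) >= threshold}


# Constructed stand-in for a deobfuscated loader script, not the real main.js.
SAMPLE_JS = (
    "var A = 'fiddler;wireshark;x64dbg;procmon;pestudio;dnspy;ollydbg;windbg;"
    "procexp;tcpview;vboxservice;vmtoolsd'.split(';'), B = 'a;b';"
)

if __name__ == "__main__":
    print(score_anti_analysis(SAMPLE_JS))
```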

There are several other strings which appear to reference some level of data collection, along with other interesting strings.

System.Text.StringBuilder domainName
string systemName
string accountName
eudp = Environment.ExpandEnvironmentVariables("%localappdata%\\\\Microsoft\\\\Edge\\\\User Data
ShowWindow(process.MainWindowHandle, 3);
cudp = Environment.ExpandEnvironmentVariables("%localappdata%\\\\Google\\\\chrome\\\\User Data"
RegistryKey hkcuu = Registry.CurrentUser.OpenSubKey(hku, true);\n if (hkcuu == null) {\n
start /min cmd /c \\"reg delete {0}\\\\{1} /f & start {2}\\"", hkcuu, nm, unu);\n\n
IntPtr hss = CreateToolhelp32Snapshot(2, 0);\n\n
[DllImport("user32.dll", CharSet = CharSet.Auto,
[DllImport("kernel32.dll", CharSet = CharSet.Auto, SetLastError = true)]\n
hhkMouse = SetWindowsHookEx(14, hhkMouseProc, GetModuleHandle(mod.ModuleName), 0U);\n

Perhaps even more interesting is the following listing of domains and software applications, which all appear to be part of the same campaign. Each has a /main.js and has download pages similar to those of pdfconverters.

var I = {}
I[''] = 'pdf_converter'
I[''] = 'gif_maker'
I[''] = 'screen_recoder'
I[''] = 'video_downloader'
I[''] = 'pdf_converterz'
I[''] = 'zip_extractor'

createmygif.exe can be found here for example:

This exhibits similar behaviors to pdfconverters.exe, including loading the app.dll found here

Upon install on my VM, the entire screen turns blue and displays "Preparing for installation......It may take a few minutes". Given this command in main.js (await T(3000)), it looks like it may indeed take a few minutes. The "installing" spinning GIF on this screen also comes from the main.js file as a base64-encoded image. I haven't had time to let this process finish; I let it run for 15 minutes before I had to leave it. I am currently under the assumption that this process is used to evade sandboxes by running for a longer period of time than most sandboxes will run. More details and updates to follow.

I will look more in-depth at the PDFunk process that is installed, and at what traffic is being sent to the interesting domains in this case. I suspect pdfconverters.exe, createmygif.exe, videodownload.exe, and the others are all custom loaders which use this main.js from their respective applications, and may lead to any number of malware families. Again, more to follow.

PDFUNK Screenshots from Fiddler:

YARA signature for app.dll

I recently came across a couple of interesting articles regarding PDFPower/MediaArena. These malware/PUAs have very similar naming conventions for executables and domains, and even similar-looking download pages. However, that appears to be where the similarity ends. Perhaps the HydraSeven loader is a new way to advance a similar or even the same campaign. Is this an evolution of the MediaArena campaign? I don't know, but it's worth reading the following analysis and observing some of the similarities.

Northwave CyberSecurity analysis of MediaArena
RelianceCyber analysis on MediaArena

main.js 3ea1a0e3ebeb32d2c83af2c23855efd8
pdfconverters.exe 2e92db69ebdab1e5250985fc08ca87df
USER AGENT contains PDFunk/1.0.0

Update November 13, 2023
PDFunk uses Electron. Under the AppData\Local\Programs\PDFunk\resources folder there is a file called app.asar. This file can be read more easily by unpacking its contents with a 7-Zip plugin called Asar7z.
There are some interesting finds, such as a section of main.js under setTimeout which looks very similar to index.js. I ran these through JSbeautify and a deobfuscator; the files can be found here and here
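For readers without the 7-Zip plugin, here is an added Python example (not from this post, and not the asar project's own code) that lists and extracts entries from an asar archive by parsing its header directly. It assumes the asar layout of a 4-byte size prefix, a pickle holding the JSON header, and file data whose header offsets are relative to the end of that pickle; the archive it parses is constructed in memory rather than the real app.asar.

```python
import json
import struct


def _pad4(n):
    return (4 - n % 4) % 4


def build_asar(files):
    """Build a minimal asar in memory (constructed input, not the real PDFunk app.asar)."""
    header, blob = {"files": {}}, bytearray()
    for path, data in files.items():
        node = header
        parts = path.split("/")
        for d in parts[:-1]:  # directories nest as {"files": {...}}
            node = node["files"].setdefault(d, {"files": {}})
        node["files"][parts[-1]] = {"size": len(data), "offset": str(len(blob))}
        blob += data
    js = json.dumps(header).encode()
    padded = js + b"\0" * _pad4(len(js))
    header_pickle = struct.pack("<II", 4 + len(padded), len(js)) + padded
    size_pickle = struct.pack("<II", 4, len(header_pickle))
    return bytes(size_pickle + header_pickle + blob)


def read_asar_header(buf):
    """Parse: [u32 = 4][u32 header pickle size][u32 payload size][u32 json len][json, 4-byte padded]."""
    if len(buf) < 16 or struct.unpack_from("<I", buf, 0)[0] != 4:
        raise ValueError("not an asar archive")
    header_size = struct.unpack_from("<I", buf, 4)[0]
    json_len = struct.unpack_from("<I", buf, 12)[0]
    if 16 + json_len > 8 + header_size or 8 + header_size > len(buf):
        raise ValueError("truncated or malformed asar header")
    header = json.loads(buf[16:16 + json_len])
    return header, 8 + header_size  # file data starts right after the header pickle


def walk(node, prefix=""):
    for name, entry in node["files"].items():
        if "files" in entry:
            yield from walk(entry, prefix + name + "/")
        elif not entry.get("unpacked"):  # "unpacked" entries live beside the archive, not in it
            yield prefix + name, entry


def list_asar(buf):
    header, data_start = read_asar_header(buf)
    return [(path, data_start + int(e["offset"]), e["size"]) for path, e in walk(header)]


def extract_file(buf, path):
    for p, off, size in list_asar(buf):
        if p == path:
            return buf[off:off + size]
    raise KeyError(path)
```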

Update November 16, 2023
Adding a new write-up from The Malware Analyst Blog

Update November 22, 2023
There are a couple of interesting new domains that share several similarities in wording with previous HydraSeven downloader pages. The downloads for these pages don't seem to be active yet. These pages include: