A new version of the PDFly malware has surfaced that uses sophisticated techniques that put conventional analysis methods to the test. Standard extraction tools are rendered inoperable by the malware's use of a modified PyInstaller executable. Security teams find it challenging to analyze the code and comprehend the threat's mechanism as a result.

The altered version requires analysts to manually reverse-engineer the decryption process, because it encrypts the Python bytecode under multiple layers of protection and modifies key identifiers in the loader. Security researcher Luke Acha first made reference to PDFly on social media.

Threat actors are actively developing this technique, as evidenced by the discovery of a similar sample known as PDFClick. Since both samples use the same fundamental modification technique, they appear to be part of a larger effort to avoid detection. Because the modified PyInstaller stub uses a unique magic cookie value that differs from standard implementations and contains corrupted strings, automated tools such as PyInstxtractor are unable to identify the file structure.

Following a thorough examination of the malware's internal components, Samplepedia analysts were able to identify the encryption scheme. Researchers had to use disassemblers to examine the file in order to find the modified elements when standard extraction tools were unable to process the executable.

The analysis showed that the encryption was implemented in distinct bootstrap files that manage archive extraction at runtime rather than in the PyInstaller stub itself. To prevent analysis of the PYZ archive contents, the malware developers used a sophisticated encryption algorithm. Researchers discovered that extracted files remained encrypted after removing validation checks and altering the PyInstxtractor script to recognize the custom magic cookie.

Custom magic value displayed in the modified PyInstaller cookie structure (Source: Samplepedia)

Subsequent examination of the pyimod01_archive.pyc file demonstrated a multi-phase decryption procedure that included XOR operations with two distinct keys, data reversal and zlib decompression, and finally unmarshaling the Python code objects.

Procedure for Decryption and Technical Execution

To access the malicious code, the encryption algorithm must be reversed. First, a 13-byte key, SCbZtkeMKAvyU, is used to XOR-decrypt the stored data. The original file structure is then restored by running the result through zlib decompression.

To further obfuscate the data, a second XOR operation applies a 7-byte key, KYFrLmy. Finally, the bytes are reversed before being processed into executable code objects by Python's marshal module.
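The four-stage chain described above, carried out end to end on a constructed benign sample. This is an added example written for this article, not Samplepedia's extractor or any code from the malware; the two keys are the ones reported in the analysis, while the sample code object and the `protect_pyz_entry` helper used to build the test input are constructed here. It assumes the stage order given in the text: XOR with the 13-byte key, zlib decompress, XOR with the 7-byte key, reverse, unmarshal.

```python
import dis
import marshal
import zlib
from itertools import cycle

# Keys reported in the analysis of the PDFly sample.
KEY1 = b"SCbZtkeMKAvyU"  # 13-byte key, first XOR layer
KEY2 = b"KYFrLmy"        # 7-byte key, second XOR layer


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key; XOR is its own inverse."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def decrypt_pyz_entry(blob: bytes, key1: bytes = KEY1, key2: bytes = KEY2):
    """Undo the layering in the order the article gives it:
    XOR key1 -> zlib decompress -> XOR key2 -> reverse -> marshal.loads."""
    stage = xor_bytes(blob, key1)
    stage = zlib.decompress(stage)
    stage = xor_bytes(stage, key2)
    stage = stage[::-1]
    return marshal.loads(stage)


def protect_pyz_entry(code, key1: bytes = KEY1, key2: bytes = KEY2) -> bytes:
    """Inverse of decrypt_pyz_entry; constructed here only to build test input."""
    stage = marshal.dumps(code)[::-1]
    stage = xor_bytes(stage, key2)
    stage = zlib.compress(stage)
    return xor_bytes(stage, key1)


def build_sample() -> bytes:
    """Constructed benign code object standing in for one encrypted PYZ entry."""
    code = compile("def greet(name):\n    return 'hello ' + name\n", "<sample>", "exec")
    return protect_pyz_entry(code)


def disassemble(code) -> str:
    """Inspect a recovered code object without executing it, as an analyst would."""
    return dis.Bytecode(code).dis()


if __name__ == "__main__":
    recovered = decrypt_pyz_entry(build_sample())
    print(recovered.co_filename, recovered.co_names)
    print(disassemble(recovered))
```

On a real sample the blob would be one entry read from the PYZ archive at the offsets in its table of contents, and the keys would be the ones recovered from pyimod01_archive.pyc for that variant.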

Python bytecode disassembly demonstrating the implementation of XOR decryption (Source: Samplepedia)

A general extractor tool was created by security researchers to handle different variants that use different encryption keys. By examining the package length, table-of-contents offset, and Python version fields, the tool automatically searches the PE overlay for valid cookie structures and verifies them. Once a cookie is found, the extractor parses the pyimod01_archive.pyc bytecode to pull the XOR keys out of generator expressions inside the ZlibArchiveReader class, allowing future samples to be decrypted automatically.
