In October 2023, the user neonprimetime reported on X (I hate this name) a possible new Redline stealer variant masquerading as a PDF converter named PdfConverters.exe (74b6039660be3eda726a4eee209679ba). This sample has a pretty interesting and unusual installation routine, so I decided to take a closer look at it.

WebView2 application dropper

WebView2 allows you to embed web technologies (HTML, CSS, and JavaScript) in your native apps. It has already been shown that this vector can be used for malicious purposes; however, it is not popular among attackers. The sample drops such an application in the %TEMP%\.net\PdfConverters directory. It also creates another folder, %TEMP%\PdfConverters.WebView2, which the app uses as its user data directory. Then it loads the application through msedgewebview2.exe.

PdfConverters process tree

As already described by Noch Lab in his blog post, the main code of the application is written in C# and resides in app.dll (2e92db69ebdab1e5250985fc08ca87df
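As an added example (not code from the original post), the following checks process-creation events for an msedgewebview2.exe instance whose user data folder sits under a temp directory, the pattern described above. The event field names follow Sysmon Event ID 1 (an assumption), and the sample events, user names and version path are constructed.

```python
import ntpath
import re

# Temp locations, matched against a normalized, lower-cased Windows path.
TEMP_RE = re.compile(r"^[a-z]:\\(users\\[^\\]+\\appdata\\local\\temp|windows\\temp)\\")

def arg(cmdline, name):
    """Return the value of --name=value (quoted or bare), or None if absent."""
    m = re.search(r"--" + re.escape(name) + r'=(?:"([^"]*)"|(\S+))', cmdline)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)

def check(event):
    """Flag msedgewebview2.exe when its --user-data-dir resolves into a temp dir."""
    if ntpath.basename(event["Image"]).lower() != "msedgewebview2.exe":
        return None
    udd = arg(event["CommandLine"], "user-data-dir")
    if udd is None:
        return None
    norm = ntpath.normpath(udd).lower()  # collapses ..\ segments before matching
    if not TEMP_RE.match(norm + "\\"):
        return None
    return {"host": arg(event["CommandLine"], "webview-exe-name"),
            "user_data_dir": norm,
            "parent": event["ParentImage"]}

# Constructed events for illustration only.
WV2 = r"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\118.0.0.0\msedgewebview2.exe"
EVENTS = [
    {"Image": WV2, "ParentImage": r"C:\Users\bob\Downloads\PdfConverters.exe",
     "CommandLine": "--embedded-browser-webview=1 --webview-exe-name=PdfConverters.exe "
                    r'--user-data-dir="C:\Users\bob\AppData\Local\Temp\PdfConverters.WebView2\EBWebView"'},
    {"Image": WV2, "ParentImage": r"C:\Program Files\Notes\Notes.exe",
     "CommandLine": "--embedded-browser-webview=1 --webview-exe-name=Notes.exe "
                    r'--user-data-dir="C:\Users\bob\AppData\Local\Notes\EBWebView"'},
    # Unquoted value that reaches Temp through a ..\ segment.
    {"Image": WV2, "ParentImage": r"C:\Users\bob\Desktop\x.exe",
     "CommandLine": r"--user-data-dir=C:\Users\bob\AppData\Local\Notes\..\Temp\x.WebView2"},
    # Different image: the flag alone must not trigger a finding.
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"cmd /c echo --user-data-dir=C:\Windows\Temp\a"},
]

if __name__ == "__main__":
    for e in EVENTS:
        print(check(e))
```

Legitimate WebView2 hosts can also keep their user data folder in a temp directory, so a hit is a triage lead that should be read together with the host name and parent path.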
When an application is compiled in the .NET framework, the source code is compiled into Common Intermediate Language (CIL). Then, at runtime, the CIL code is passed through a Just In Time Compiler, which translates it into machine code. The problem is that CIL can be very easily decompiled back to the original source code of the application (using apps like dnSpy, .NET Reflector or ILSpy). To protect intellectual property and the source code, applications should be obfuscated in some way. There are multiple tools which can help you with that. One of them is SmartAssembly.

SmartAssembly is a commercial .NET obfuscator created by Redgate. As the website says:

"... [It] helps protect your application against reverse-engineering or modification, by making it difficult for a third-party to access your source code."

Malware authors take advantage of the .NET framework and its compatibility with the Windows environment; however, they also need to protect their code to be as successful as possib