PDFly Malware Variant Employs Custom PyInstaller Modifications to Evade Detection
A new iteration of the PDFly malware has surfaced, showcasing advanced evasion techniques that complicate traditional cybersecurity analysis. This variant utilizes a customized PyInstaller executable that defeats standard extraction tools, hindering security teams' efforts to dissect its code and understand its operational mechanisms.
The core of this evasion strategy lies in the modification of key identifiers within the PyInstaller stub and the encryption of Python bytecode through multiple protective layers. These alterations necessitate manual reverse-engineering by analysts to decrypt and analyze the malware’s components.
The initial detection of PDFly was credited to security researcher Luke Acha, who highlighted the application on social media platforms. Subsequently, a similar sample named PDFClick was identified, indicating an active development effort by threat actors to refine this technique. Both samples share a common modification strategy, suggesting a concerted campaign aimed at evading detection mechanisms.
The customized PyInstaller stub is characterized by corrupted strings and a unique magic cookie value that deviates from standard implementations. This deviation prevents automated tools like PyInstxtractor from accurately recognizing the file structure, thereby complicating the extraction process.
Analysts from Samplepedia conducted an in-depth investigation into the malware’s internal components to identify the encryption scheme. When conventional extraction tools failed to process the executable, researchers resorted to disassemblers to pinpoint the modified elements. Their analysis revealed that the encryption was not embedded within the PyInstaller stub itself but rather in separate bootstrap files responsible for archive extraction during runtime.
The developers of this malware variant implemented a sophisticated encryption algorithm to shield the PYZ archive contents from analysis. Even after modifying the PyInstxtractor script to recognize the custom magic cookie and removing validation checks, researchers found that the extracted files remained encrypted.
Further examination of the pyimod01_archive.pyc file uncovered a multi-stage decryption process involving XOR operations with two distinct keys, followed by zlib decompression and data reversal before unmarshaling the Python code objects.
Decryption Process and Technical Implementation
The encryption algorithm follows a specific sequence that must be reversed to access the malicious code:
1. First XOR Decryption: The archived data undergoes XOR decryption using a 13-byte key labeled SCbZtkeMKAvyU.
2. Zlib Decompression: The result is then passed through zlib decompression to restore the original file structure.
3. Second XOR Decryption: A second XOR operation is applied using a 7-byte key called KYFrLmy, removing a further layer of obfuscation.
4. Byte Reversal: The bytes are reversed before Python’s marshal module processes them into executable code objects.
To address this challenge, security researchers developed a generic extractor tool capable of handling multiple variants with different encryption keys. This tool automatically searches for valid cookie structures in the PE overlay and validates them by checking package length, table-of-contents offset, and Python version fields. Once located, the extractor parses the pyimod01_archive.pyc bytecode to extract XOR keys from generator expressions within the ZlibArchiveReader class, enabling automated decryption of future samples.
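The four-stage scheme listed above, reversed in the order the extractor must apply it, as an added analyst-side example (not the researchers' tool and not code from the sample). The two keys are the ones reported for this PDFly sample and are passed as parameters because other variants use different keys; the fixture blob is constructed here from a harmless module so the decoder runs offline.

```python
import marshal
import zlib

# Keys as reported for the analysed PDFly sample; other variants use different keys.
KEY1 = b"SCbZtkeMKAvyU"  # 13-byte key, first XOR layer
KEY2 = b"KYFrLmy"        # 7-byte key, second XOR layer


def xor_cycle(data: bytes, key: bytes) -> bytes:
    """XOR every byte with the key cycled over the data. XOR is its own inverse."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decrypt_pyz_entry(blob: bytes, key1: bytes = KEY1, key2: bytes = KEY2) -> bytes:
    """Undo the scheme: XOR key1 -> zlib decompress -> XOR key2 -> byte reversal.
    Returns raw marshal data ready for marshal.loads()."""
    stage1 = xor_cycle(blob, key1)
    stage2 = zlib.decompress(stage1)
    stage3 = xor_cycle(stage2, key2)
    return stage3[::-1]


def encrypt_pyz_entry(marshaled: bytes, key1: bytes = KEY1, key2: bytes = KEY2) -> bytes:
    """Forward direction of the same scheme, used only to build the constructed fixture."""
    return xor_cycle(zlib.compress(xor_cycle(marshaled[::-1], key2)), key1)


def load_code(blob: bytes, key1: bytes = KEY1, key2: bytes = KEY2):
    """Decrypt and unmarshal one PYZ entry into a code object.
    A wrong key pair raises (zlib.error or ValueError), which a generic extractor can
    use to reject candidate keys pulled from pyimod01_archive.pyc."""
    return marshal.loads(decrypt_pyz_entry(blob, key1, key2))


# Constructed fixture (hypothetical): a harmless module compiled and wrapped with the scheme.
SAMPLE_SOURCE = "def greet(name):\n    return 'hello ' + name\n"
SAMPLE_BLOB = encrypt_pyz_entry(marshal.dumps(compile(SAMPLE_SOURCE, "<sample>", "exec")))

if __name__ == "__main__":
    namespace = {}
    exec(load_code(SAMPLE_BLOB), namespace)
    print(namespace["greet"]("analyst"))  # hello analyst
```

Against a real sample the blob is each entry of the PYZ archive (obtained from the PyInstaller overlay once the custom magic cookie is handled), and unmarshaling must be done under the same Python version the sample was built with.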
Implications for Cybersecurity
The emergence of this PDFly variant underscores the evolving sophistication of malware designed to evade detection and analysis. By modifying legitimate tools like PyInstaller, threat actors can create payloads that are challenging to dissect, thereby prolonging their presence within compromised systems.
This development highlights the necessity for cybersecurity professionals to continually adapt their analysis techniques and develop more robust tools capable of countering such advanced evasion strategies. It also emphasizes the importance of collaborative efforts within the cybersecurity community to share insights and develop countermeasures against emerging threats.