New malware campaign discovered via ManualFinder
NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY :
A global malware infection of Windows computers has been uncovered, stemming from software users installed themselves. The malware, disguised as legitimate PDF editors and manual finders, turns infected systems into residential proxies for malicious actors. The infection chain starts with deceptive ads posing as PDF manuals. The campaign, which appears to have ceased, was widespread due to large-scale advertising. The malware creates scheduled tasks, executes JavaScript files, and communicates with various C2 domains. It's potentially linked to the OneStart Browser, known for spreading spyware and adware. Authorities advise blocking access to related domains, checking for specific applications, and removing software signed by certain certificate issuers.
OPENCTI LABELS :
windows,javascript,certificate abuse,residential proxy,onestart browser,pdf-editor,manualfinder,trojan:win64/infostealer!msr,trojan:win32/malgent!msr
AI COMMENTARY :
1. Introduction to the New Malware Campaign The report "New malware campaign discovered via ManualFinder" exposes a widespread global infection of Windows computers initiated by users installing seemingly legitimate utilities.
2. Infection Vector and Distribution The campaign leveraged deceptive online ads posing as PDF-editor and manualfinder tools. Once victims followed the ads they downloaded installers that deployed malicious components disguised as genuine software.
3. Technical Execution and Residential Proxy Network The payload registers scheduled tasks that launch obfuscated JavaScript files, which in turn communicate with multiple C2 domains. The installers and components carry code signatures from certificate issuers the report flags, which lends them a false appearance of legitimacy. Once running, these components turn the infected machines into residential proxy nodes under attacker control.
4. Link to OneStart Browser and Malware Families Evidence suggests a connection to the OneStart Browser ecosystem, previously linked to adware and spyware distribution. The dropped components are detected under the Microsoft Defender names trojan:win64/infostealer!msr and trojan:win32/malgent!msr.
5. Indicators of Compromise and Defense Strategies Security teams should block access to the C2 domains listed in the report and audit endpoints for installed PDF-editor, ManualFinder and OneStart Browser applications. Reviewing scheduled task entries that launch JavaScript, and removing software signed by the certificate issuers named in the report, will uncover residual installations.
6. Conclusion and Recommendations Although the campaign appears to have ceased, the risk from lingering infections remains significant. Maintaining updated antivirus signatures, restricting execution of unsigned JavaScript, and educating users about deceptive ads will mitigate future threats.
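The three host checks above (scheduled tasks that run JavaScript, installed applications matching the campaign's names, and code signed by flagged issuers) can be run in one pass with PowerShell. The script below is an added example, not part of the OpenCTI report: the application name patterns are taken from the report's labels, while the certificate issuer list is a placeholder that must be filled from the report's own indicators, since this page does not name the issuers.

```powershell
# Added hunt script (not from the OpenCTI report). Run in an elevated PowerShell on a Windows host.
# Application name patterns come from the report's labels; the issuer list is a placeholder
# to be filled with the issuer names published in the report.
$AppPatterns    = @('PDF Editor', 'ManualFinder', 'OneStart')
$IssuerPatterns = @('REPLACE-WITH-ISSUER-FROM-REPORT')   # placeholder, assumption

# 1. Scheduled tasks whose action runs a .js file through wscript/cscript
$jsTasks = Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        $cmd = "$($action.Execute) $($action.Arguments)"
        if ($cmd -match '(?i)(wscript|cscript)' -and $cmd -match '(?i)\.js\b') {
            [pscustomobject]@{ TaskName = $task.TaskName; Path = $task.TaskPath; Command = $cmd }
        }
    }
}
Write-Host "== Scheduled tasks launching JavaScript =="
$jsTasks | Format-Table -AutoSize

# 2. Installed applications matching the campaign's names (machine-wide and per-user uninstall keys)
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$apps = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object {
        $name = $_.DisplayName
        $name -and ($AppPatterns | Where-Object { $name -like "*$_*" })
    } |
    Select-Object DisplayName, Publisher, InstallLocation, UninstallString
Write-Host "== Installed applications matching campaign names =="
$apps | Format-Table -AutoSize

# 3. Executables in user-writable locations whose Authenticode signer or issuer matches the list
$scanRoots = @($env:LOCALAPPDATA, $env:APPDATA, $env:ProgramData)
$signed = Get-ChildItem -Path $scanRoots -Recurse -Include *.exe, *.dll -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        if ($sig.SignerCertificate) {
            $subject = $sig.SignerCertificate.Subject
            $issuer  = $sig.SignerCertificate.Issuer
            foreach ($p in $IssuerPatterns) {
                if ($subject -like "*$p*" -or $issuer -like "*$p*") {
                    [pscustomobject]@{ File = $_.FullName; Subject = $subject; Issuer = $issuer; Status = $sig.Status }
                }
            }
        }
    }
Write-Host "== Binaries signed by flagged issuers =="
$signed | Format-Table -AutoSize
```

Review the task output before deleting anything: a hit on check 1 should be confirmed by reading the referenced .js file, and check 3 reports a match regardless of whether the signature is still valid (the Status column shows that), because a revoked certificate is still evidence of the installation.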