Recently, a global malware infection of Windows computers came to light, caused by software that users had installed themselves. The NCSC therefore recommends blocking access to the affected C2 domains, checking for the presence of the applications "Manualfinder," "PDF Editor" and variants thereof, checking for the presence of JavaScript files with GUID-like names in the directory /AppData/Local/TEMP, and urging end users not to install external, untrusted tools.
Seemingly innocuous tools for searching manuals, called "manualfinder", as well as applications for editing PDF files, often ranked high in search results or distributed through Internet ads, turned out to exhibit malware behavior only after installation.
Tools and applications for downloading manuals and editing PDF files were found to be frequently installed by users on Windows systems. Over time, the malware activity originating from these applications generated a large number of alerts at SOCs and cybersecurity firms worldwide.
This malware allows the victim's system to be abused as a so-called "residential proxy" by malicious actors, who in this way can mask their activities and make it appear as if the victim is performing the malicious actions.
Website GBHackers posted on Aug. 21 about the discovery of a complex campaign in which a malicious actor installs software on compromised machines. These machines then become residential proxies and can be used for malicious acts and digital attacks.
Once installed, the malware, disguised as a legitimate PDF editor, creates a scheduled task (sys_component_health_) that executes a JavaScript file daily using node.exe.
The file name of the JavaScript file consists of a GUID followed by a short suffix such as "or" or "ro" (for example: 9b432b63-2446-f55d-4997-88f977d7047275bdor.js).
Within the campaign, the JavaScript file communicates with several C2 domains including y2iax5[.]com, 5b7crp[.]com and mka3e8[.]com.
The JavaScript file installs ManualFinder with msiexec. ManualFinder can be used to look up manuals on the Internet, but also includes proxy functionality.
Affected malware samples were found to be signed with certificates in the names of "GLINT SOFTWARE SDN. BHD", "ECHO INFINI SDN. BHD." and "Summit Nexus Holdings LLC" (1). Whether these companies are directly linked to the malware campaign, or whether malicious actors managed to make use of a certificate in their name, is unknown at this time.
Currently, the start of the infection chain appears to be rogue advertisements that impersonate the PDF manual the user searched for. In addition, the campaign takes advantage of the convenience offered by free PDF editors: in exchange for the free service, IP addresses are used in residential proxy networks. It is currently not clear whether residential proxy software is downloaded in all cases when these tools are installed. Researchers have also seen that in some cases the software interacts with data in the browser. The degree of interaction and possible access to other aspects of the browser is currently under investigation.
There seems to be a connection to OneStart Browser. This tool is often included in bundles with other software, but is described by several antivirus vendors as a Potentially Unwanted Application (PUA). OneStart is more often associated with the distribution and installation of spyware and adware.
It seems that a high number of infections could have occurred because the ads were widely seen. When the ad was clicked, the malware was downloaded onto the device, so it was easy to get infected by this campaign.
Currently, the campaign appears to be at a standstill and virtually no new activity has been observed.
Search your environment for signatures from the certificate issuers listed below. (2)
Remove software signed by the listed certificate issuers from your systems.
Examine scheduled tasks that execute JavaScript using Node.js (node.exe) and remove them.
Microsoft detects the malware as Trojan:Win32/Malgent!MSR or Trojan:Win64/InfoStealer!MSR.
Check your environment for clues that match the IOCs (Indicators of Compromise) provided.
Block the related files through your EDR solution.
Block the domains in use in this case.
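The checks recommended above (scheduled task, GUID-named JavaScript file in the user's Local Temp directory, the named applications, and binaries signed in the listed names) can be run from one host-side hunt script. The following is an added example written for this advisory, not an NCSC tool; it assumes an elevated PowerShell 5.1 or later session on the host being checked, and the file-name regex is inferred from the single example name given above.

```powershell
# Added hunt script (not from the advisory): reports indicators, does not remediate.
# Assumes an elevated PowerShell 5.1+ session on the Windows host being checked.
$ErrorActionPreference = 'SilentlyContinue'
$signerRegex = ('GLINT SOFTWARE SDN', 'ECHO INFINI SDN', 'Summit Nexus Holdings' |
                ForEach-Object { [regex]::Escape($_) }) -join '|'
$appRegex = 'ManualFinder|PDF Editor|OneStart'
$hits = New-Object System.Collections.Generic.List[object]
function Add-Hit($type, $where, $detail) {
    $hits.Add([pscustomobject]@{ Finding = $type; Location = $where; Detail = $detail })
}

# 1. Persistence: the sys_component_health_ task, or any task whose action runs a .js file via node.exe
foreach ($task in Get-ScheduledTask) {
    $actions = @($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" })
    $runsNodeJs = $actions | Where-Object { $_ -match 'node(\.exe)?["\s].*\.js' }
    if ($task.TaskName -like 'sys_component_health_*' -or $runsNodeJs) {
        Add-Hit 'ScheduledTask' "$($task.TaskPath)$($task.TaskName)" ($actions -join '; ')
    }
}

# 2. Dropped loader: GUID-like .js names with an optional short suffix ("or"/"ro") in every user's Local\Temp.
#    Regex is an assumption derived from the one sample name in the advisory.
$guidJs = '^[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12,}[a-z]{0,2}\.js$'
foreach ($tmp in Get-ChildItem "$env:SystemDrive\Users\*\AppData\Local\Temp" -Directory) {
    Get-ChildItem $tmp.FullName -Filter '*.js' -File | Where-Object { $_.Name -match $guidJs } |
        ForEach-Object { Add-Hit 'GuidNamedJs' $_.FullName ("{0} bytes, modified {1}" -f $_.Length, $_.LastWriteTime) }
}

# 3. Installed applications whose display name matches the advisory's tools (HKLM 64/32-bit, plus current user's HKCU)
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
Get-ItemProperty $uninstallKeys | Where-Object { $_.DisplayName -match $appRegex } |
    ForEach-Object { Add-Hit 'InstalledApp' $_.PSChildName $_.DisplayName }

# 4. Binaries carrying an Authenticode signature in one of the listed names (shallow recursion keeps the scan fast)
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, "$env:SystemDrive\Users\*\AppData\Local") | Where-Object { $_ }
Get-ChildItem $roots -Recurse -Depth 3 -Include *.exe, *.dll, *.msi -File | ForEach-Object {
    $sig = Get-AuthenticodeSignature $_.FullName
    if ($sig.SignerCertificate -and $sig.SignerCertificate.Subject -match $signerRegex) {
        Add-Hit 'SignedBinary' $_.FullName $sig.SignerCertificate.Subject
    }
}

if ($hits.Count -eq 0) { 'No indicators from the advisory found on this host.' }
else { $hits | Sort-Object Finding | Format-Table -AutoSize -Wrap }
```

Any ScheduledTask or GuidNamedJs finding should be treated as a likely infection and triaged (task XML, file hash, outbound connections to the listed domains) before the task and file are removed; the HKCU uninstall check covers only the user running the script, so repeat it per profile on shared machines.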