Cybersecurity researchers have uncovered a sophisticated new threat campaign that leverages a seemingly legitimate PDF editor application to transform infected devices into residential proxies.
The malicious software, distributed under the guise of productivity tools, represents an evolving approach by threat actors who are increasingly exploiting trusted software categories to establish persistent network access and monetize compromised systems.
The attack begins with files bearing the code-signing signature “GLINT SOFTWARE SDN. BHD.”, which initially appears to lend credibility to the malicious payload.
However, beneath this veneer of legitimacy lies a complex infection chain that starts with JavaScript components designed to drop and execute the primary trojan, dubbed “ManualFinder.”
This multi-stage approach demonstrates the attackers’ understanding of modern security detection mechanisms and their efforts to evade traditional signature-based detection systems.
ExpelSecurity analysts identified this emerging threat through their monitoring of suspicious network activities and file behavior patterns.
The researchers observed that the malware’s initial deployment strategy relies heavily on the OneStart Browser application, which has been flagged as consistently problematic software.
This browser creates scheduled tasks that execute JavaScript files from the user’s temporary directory, establishing a foothold for the subsequent malware deployment.
The infection mechanism reveals a carefully orchestrated process where the JavaScript component reaches out to command and control domains, specifically mka3e8[.]com and similar infrastructure.
These domains serve as distribution points for the ManualFinder application, which carries the same fraudulent code-signing certificate so that the appearance of legitimacy is preserved throughout the infection chain.
Deceptive Functionality and Proxy Operations
What makes this threat particularly insidious is its dual-purpose design that combines genuine functionality with malicious behavior.
When executed in a controlled sandbox environment, ManualFinder actually performs its advertised function of helping users locate product manuals and documentation.
This legitimate functionality serves as an effective smokescreen, potentially allowing the malware to bypass behavioral analysis systems that might otherwise flag purely malicious code.
However, the application’s true purpose becomes evident when analyzing its network behavior and system modifications.
The trojan transforms infected devices into residential proxy nodes, effectively creating a distributed network of compromised systems that can be monetized by the threat actors.
This proxy functionality allows attackers to route traffic through victim machines, potentially facilitating various illegal activities while obscuring the true source of malicious network traffic.
The malware’s persistence mechanism through OneStart Browser’s scheduled task creation ensures continued operation even after system reboots.
This approach highlights the attackers’ focus on maintaining long-term access to compromised systems rather than pursuing immediate, obvious malicious activities that might trigger user suspicion or security alerts.
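As an added example (not code from the Expel report or this article), the following Python heuristic covers the persistence behaviour described above: it parses Task Scheduler definitions in the XML form produced by `schtasks /query /xml` and flags any task whose action runs a .js file out of a user's temp directory via a script host. The task definitions, user name and paths are constructed samples.

```python
import re
import xml.etree.ElementTree as ET

# Namespace used by Task Scheduler XML (as exported by `schtasks /query /xml`).
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Script hosts that can execute a .js file dropped on disk.
SCRIPT_HOSTS = ("wscript", "cscript")
# Per-user temp directory, matched case-insensitively on the full command line.
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\|%temp%", re.IGNORECASE)
JS_FILE = re.compile(r"\.js\b", re.IGNORECASE)

# Constructed sample: a task that runs a JavaScript file from %TEMP% with wscript.
SUSPICIOUS_TASK = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\System32\wscript.exe</Command>
      <Arguments>"C:\Users\alice\AppData\Local\Temp\update.js" //B</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed sample: an ordinary vendor updater task that should not be flagged.
BENIGN_TASK = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec>
      <Command>C:\Program Files\Vendor\updater.exe</Command>
      <Arguments>/silent</Arguments>
    </Exec>
  </Actions>
</Task>"""


def task_exec_actions(task_xml: str):
    """Yield (command, arguments) for every <Exec> action in one task definition."""
    root = ET.fromstring(task_xml)
    for exec_node in root.findall(".//t:Actions/t:Exec", NS):
        cmd = exec_node.findtext("t:Command", default="", namespaces=NS).strip().strip('"')
        args = exec_node.findtext("t:Arguments", default="", namespaces=NS).strip()
        yield cmd, args


def is_suspicious_task(task_xml: str) -> bool:
    """True when an action runs a .js file located under the user's temp directory,
    either through wscript/cscript or by invoking the .js file directly."""
    for cmd, args in task_exec_actions(task_xml):
        host = cmd.lower().rsplit("\\", 1)[-1].removesuffix(".exe")
        runs_js = (host in SCRIPT_HOSTS and JS_FILE.search(args)) or JS_FILE.search(host)
        if runs_js and TEMP_DIR.search(f"{cmd} {args}"):
            return True
    return False
```

On a live host, feed the function the output of `schtasks /query /xml` for each task name and review every hit together with the file's signer and creation time.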