Hackers Exploit PUP Advertisements to Silently Drop Windows Malware
Cybersecurity investigators have uncovered a stealthy campaign in which threat actors are abusing seemingly harmless potentially unwanted program (PUP) advertisements to deliver Windows malware.
The operation begins with ads promoting free tools, such as PDF editors or desktop assistants, that redirect victims to spoofed download portals. These sites serve installers that hide their real purpose behind a decoy application.
Infection Chain
Victims who run the promoted installer unknowingly create a scheduled task that retrieves a JavaScript loader from a temporary directory. The script is executed with Microsoft's HTML Application Host (mshta.exe), a legitimate, signed Windows utility that attackers frequently abuse to run script content outside the browser.
The loader then installs a decoy app called ManualFinder, designed to appear legitimate while secretly establishing persistence inside the target environment.
At first glance, ManualFinder offers limited but working features. Beneath the surface, however, it quietly opens listening ports, communicates with remote servers, and lays the groundwork for further compromise, all without any user interaction once it is installed.
Command & Control Infrastructure
Expel analysts traced the JavaScript loader’s connections to suspicious domains including mka3e8.com and 5b7crp.com, both previously linked to residential proxy services. This indicates that infected machines may be repurposed into proxy nodes, allowing attackers to rent or sell access for anonymity or further malicious use.
Researchers also found that additional installers, including OneStart Browser, AppSuite-PDF, and PDFEditor, follow the same infection blueprint. Many are signed with questionable code-signing certificates, such as ones issued to "GLINT SOFTWARE SDN. BHD.", which lends them an air of legitimacy and lets them pass basic signature-based checks.
Beyond Proxying: Secondary Objectives
The campaign's impact extends beyond building proxy networks. In some cases, PDFEditor installations explicitly ask users to consent to residential proxy use in exchange for free software features, a monetization model in which the user's bandwidth is the price of the "free" tool.
Other variants take a more malicious turn:
- Browser profile modifications
- Cookie harvesting for potential credential theft
- Secondary persistence mechanisms to ensure reinfection
By the time defenders notice unusual mshta.exe executions or hidden node.exe processes, the attackers have usually already established persistence.
Technical Artifacts
Investigators cataloged over 70 unique JavaScript variants, all reaching back to the same malicious domains. Persistence is maintained via scheduled tasks and silent MSI installations; the examples cataloged include a scheduled task that launches the loader and a silent installation of the decoy app.
Once executed, the malware registers services and recurring tasks to ensure reinfection, which makes removal significantly more difficult.
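As a detection-side illustration of the infection chain described above and of the artifacts in this section, here is an added example in Python; it is not code from the article or from Expel's write-up. It runs a small set of rules over constructed process-creation events in a simplified Sysmon Event ID 1 shape (image, command line, user) and flags the pieces the article names: mshta.exe executing a script from a temp directory, a silent msiexec.exe install from the same place, a scheduled task whose action invokes mshta, and a node.exe running from a user-writable path, with a further tag when the activity runs as SYSTEM. The event records, file names, task name and regex thresholds are all assumptions made for this example, not indicators from the campaign.

```python
import re

# Constructed process-creation events in a simplified Sysmon Event ID 1 shape.
# Every record here is invented for this example; none is an indicator from the campaign.
SAMPLE_EVENTS = [
    {  # loader stage: mshta runs a .js dropped in the user's temp directory, as SYSTEM
        "image": r"C:\Windows\System32\mshta.exe",
        "cmdline": r'mshta.exe "C:\Users\alice\AppData\Local\Temp\x8k2q.js"',
        "user": r"NT AUTHORITY\SYSTEM",
    },
    {  # decoy app installed silently from the same temp directory
        "image": r"C:\Windows\System32\msiexec.exe",
        "cmdline": r'msiexec.exe /i "C:\Users\alice\AppData\Local\Temp\ManualFinder.msi" /qn /norestart',
        "user": r"NT AUTHORITY\SYSTEM",
    },
    {  # persistence: a task re-runs the mshta loader every 30 minutes
        "image": r"C:\Windows\System32\schtasks.exe",
        "cmdline": (r'schtasks /create /f /tn "ManualFinderUpdate" '
                    r'/tr "mshta.exe C:\Users\alice\AppData\Local\Temp\x8k2q.js" /sc minute /mo 30 /ru SYSTEM'),
        "user": r"NT AUTHORITY\SYSTEM",
    },
    {  # node.exe bundled with the decoy app, running from a user-writable path
        "image": r"C:\Users\alice\AppData\Local\Programs\ManualFinder\node.exe",
        "cmdline": r"node.exe app.js",
        "user": r"CORP\alice",
    },
    {  # benign: vendor HTA launched from Program Files
        "image": r"C:\Windows\System32\mshta.exe",
        "cmdline": r'mshta.exe "C:\Program Files\Vendor\Setup.hta"',
        "user": r"CORP\alice",
    },
    {  # benign: interactive MSI install from Downloads, no quiet switch
        "image": r"C:\Windows\System32\msiexec.exe",
        "cmdline": r'msiexec.exe /i "C:\Users\alice\Downloads\7zip.msi"',
        "user": r"CORP\alice",
    },
    {  # benign: node.exe from its normal install location
        "image": r"C:\Program Files\nodejs\node.exe",
        "cmdline": r"node.exe build.js",
        "user": r"CORP\alice",
    },
]

# Patterns for the pieces of the chain the article describes (thresholds chosen for this example).
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\|\\Windows\\Temp\\", re.IGNORECASE)
SCRIPT_EXT = re.compile(r"\.(?:js|jse|vbs|vbe|hta|wsf)\b", re.IGNORECASE)
SCRIPT_PATH = re.compile(r'[A-Za-z]:\\[^"\s]+\.(?:js|jse|vbs|vbe|hta|wsf)\b', re.IGNORECASE)
MSI_QUIET = re.compile(r"(?:^|\s)/(?:qn|qb|quiet|q)(?:\s|$)", re.IGNORECASE)
SCHTASKS_CREATE = re.compile(r"\bschtasks(?:\.exe)?\b.*\s/create\b", re.IGNORECASE)
TASK_RUN_ARG = re.compile(r'/tr\s+"?([^"]+)"?', re.IGNORECASE)
SYSTEM_USER = re.compile(r"^NT AUTHORITY\\SYSTEM$", re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\|\\ProgramData\\", re.IGNORECASE)


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def check_event(ev):
    """Return the list of rule names a single event trips (empty for benign events)."""
    hits = []
    img = basename(ev["image"])
    cmd = ev["cmdline"]
    # 1. MSHTA executing a script file that lives in a temp directory
    if img == "mshta.exe" and TEMP_DIR.search(cmd) and SCRIPT_EXT.search(cmd):
        hits.append("mshta_script_from_temp")
    # 2. Silent MSI install whose package sits in a temp directory
    if img == "msiexec.exe" and MSI_QUIET.search(cmd) and TEMP_DIR.search(cmd):
        hits.append("silent_msi_from_temp")
    # 3. Scheduled task created whose /tr action invokes mshta (loader persistence)
    if img == "schtasks.exe" and SCHTASKS_CREATE.search(cmd):
        m = TASK_RUN_ARG.search(cmd)
        if m and "mshta" in m.group(1).lower():
            hits.append("schtasks_mshta_persistence")
    # 4. node.exe running from a user-writable location (bundled runtime of the decoy app)
    if img == "node.exe" and USER_WRITABLE.search(ev["image"]):
        hits.append("node_from_user_writable_path")
    # Context tag: the same LOLBin activity under SYSTEM is the pattern the article calls out
    if hits and SYSTEM_USER.match(ev["user"]):
        hits.append("runs_as_system")
    return hits


def scan(events):
    """Map event index -> rule hits, keeping only events that tripped at least one rule."""
    findings = {}
    for i, ev in enumerate(events):
        hits = check_event(ev)
        if hits:
            findings[i] = hits
    return findings


def correlate_loader(events):
    """Script paths both executed by mshta and registered as a scheduled-task action."""
    executed, scheduled = set(), set()
    for ev in events:
        img = basename(ev["image"])
        for path in SCRIPT_PATH.findall(ev["cmdline"]):
            if img == "mshta.exe":
                executed.add(path.lower())
            elif img == "schtasks.exe" and SCHTASKS_CREATE.search(ev["cmdline"]):
                scheduled.add(path.lower())
    return sorted(executed & scheduled)


if __name__ == "__main__":
    for i, hits in scan(SAMPLE_EVENTS).items():
        print(i, hits, SAMPLE_EVENTS[i]["cmdline"][:70])
    print("loader scripts seen in both mshta and schtasks:", correlate_loader(SAMPLE_EVENTS))
```

The per-event rules are deliberately narrow (temp directory plus script extension, quiet switch plus temp package) so that ordinary vendor HTAs and interactive MSI installs do not fire, and the correlation step ties the loader script seen in an mshta launch back to the task that re-launches it, which is the artifact pair the investigators describe. In production the same logic belongs in the SIEM or EDR query language, with the image paths normalised and the SYSTEM tag used to raise severity rather than as a rule on its own.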
Why It Works
The attack leverages trusted Windows components, such as mshta.exe, msiexec.exe, and scheduled tasks, to remain stealthy and avoid common endpoint detection alerts. Running under the SYSTEM context further complicates detection, as the activity appears to originate from legitimate background processes.