This analysis reveals connections between three seemingly distinct malicious programs: AppSuite, OneStart, and ManualFinder. The investigation uncovers shared server infrastructure and similar installation patterns, indicating that these programs are likely created by the same threat actor. OneStart, initially a browser based on Chromium, evolved from earlier versions that used node.exe to run malicious JavaScript. The actors behind these programs have been active for years, distributing malware disguised as various utilities such as games, recipe finders, and manual finders. The report highlights the adaptability of these threat actors, who easily morph their software to take new forms and evade detection.

Author: AlienVault
Related Tags:
browser-extension
BrowserAssistant
DesktopBar
ManualFinder
OneStart
AppSuite
node.js
T1218.011
T1059.007
Associated Indicators:
BE50ABCAA65744E1D62ED858911A8ED665A4743A1F1E6DB515CBD661052BD3F9
1FF8268FA64C8F55EB750C4433C1E9E47DC7359B7FCC653215423ED3FE5D8B4D
44AD9111F14C83BE400BBA303DF5DC54AB699BB4F6E8144D052AC19812CD4FAC
7AD613DEE75DA11EF9B7A92823BDA3E290491E245956F5A192A3207A5F11D9A0
6B6FC62A294D5EF1C619D623F1CF6D735D9F191DF9EF5C745B0881B1E01B8565
90B2E64CE4C6B2A0048158755281466B60B83AC1A8B43BB28614EC67C9FE52EB
484539B10B659FB4AB48E79BB0DE0D0879153426
6A31D1CDBDCA9FA951FFF2FFD5DC3D52D45102BD
E159D860D0CFA59816C686E4A9914113