Cybercrime as-a-service
,
Fraud Management & Cybercrime
,
Social Engineering
Proxy App Is Covertly Installed Via Alluring Offers or Compromised Software
Researchers said a proxy service is routing internet traffic through unsuspecting users’ systems that it turns into residential exit nodes, luring them into downloading the proxy application through offers of cracked software and games.
See Also: Live Webinar | Unmasking Pegasus: Understand the Threat & Strengthen Your Digital Defense
Because the proxy application is signed, antivirus engines don’t detect the application, said AT&T Alien Labs in a blog post.
The unidentified proxy service asserts it has more than 400,000 proxy nodes, all operating on volunteer computers. Alien Labs said it is not clear how many are bots whose owners aren’t aware their machines are routing internet traffic.
Once the malware is executed on a compromised system, it proceeds to download and install the proxy application without user interaction.
The malware, adware elements and the proxy application in this instance are packed using Inno Setup, a free Windows installer. Researchers observed the same proxy service, which previously engaged in malicious activities involving macOS systems through the AdLoad malware, expanding operations to target Windows systems as well.
Researchers say the binaries are compatible with various operating systems, including macOS and Windows. “MacOS samples were detected by numerous security checks while the Windows proxy application skirts around these measures unseen,” the researchers said.
Using the Inno Setup parameters, the malware silently installs the proxy by disabling the Windows pop-up notification asking users if they wish to install software.
The malware also transmits specific parameters to the proxy installation process, ultimately relaying them to the proxy’s command-and-control server as part of the new peer registration process, which “plays a crucial role in identifying the origin of the proxy propagation within the command and control infrastructure,” the researchers said.
They said that the proxy app also gathers vital information from the machine to ensure optimal performance and responsiveness. It collects everything from the process list and monitoring CPU to memory utilization and even tracking battery status.