AT&T Alien Labs researchers have uncovered a massive campaign of threats that deliver a proxy server application to Windows machines. This campaign involves a company charging for proxy services on traffic that goes through compromised systems. The proxy application is silently installed by malware on infected machines without the user’s knowledge or consent. Despite being signed, the proxy application has zero antivirus detection, allowing it to evade security measures. In just one week, researchers observed over a thousand new malware samples delivering the proxy application. It is estimated that there are more than 400,000 proxy exit nodes, although it is unclear how many of them were installed by malware.
The malware strains delivering the proxy application rely on users searching for cracked software and games. The proxy is written in the Go programming language, making it compatible with various operating systems. While macOS samples of the proxy application are detected by security checks, the Windows version remains undetected, likely due to its signed status.
Once executed on a compromised system, the malware silently downloads and installs the proxy application. This process occurs alongside the installation of additional malware or adware elements. The proxy application and most of the delivering malware are packed using Inno Setup, a popular Windows installer.
The proxy application persists on the system through a run registry key and a scheduled task. It continuously communicates with its command and control server, relaying vital information about the infected machine and receiving further instructions. The proxy gathers data such as process lists, CPU and memory utilization, and battery status to ensure optimal performance and responsiveness.
The monetization of malware propagating proxy servers through an affiliate program poses a significant threat due to its formal structure and potential for rapid spread. To remove the proxy application from an infected system, specific entities need to be deleted.
This discovery highlights the cunning tactics employed by malicious actors in the ever-evolving landscape of cyber threats. The rise of malware delivering proxy applications underscores the importance of remaining vigilant and adaptable to combat these threats effectively.
