Executive summary
AT&T Alien Labs researchers recently discovered a massive campaign of threats delivering a proxy server application to Windows machines. A company is charging for proxy service on traffic that goes through those machines. This is a continuation of research described in our blog on Mac systems turned into proxy exit nodes by AdLoad.
In this research, Alien Labs identified a company that offers proxy services, wherein proxy requests are rerouted through compromised systems that have been transformed into residential exit nodes due to malware infiltration. Although the proxy website claims that its exit nodes come only from users who have been informed and agreed to the use of their device, Alien Labs has evidence that malware writers are installing the proxy silently in infected systems. In addition, as the proxy application is signed, it has no anti-virus detection, going under the radar of security companies.
In this follow up article we explore the dramatic rise in Windows malware delivering the same payload to create a 400,000 proxy botnet.
Key takeaways:
- In just one week AT&T Alien Labs researchers observed more than a thousand new malware samples in the wild delivering the proxy application.
- According to the proxy website, there are more than 400,000 proxy exit nodes, and it is not clear how many of them were installed by malware.
- The application is silently installed by malware on infected machines without user knowledge and interaction.
- The proxy application is signed and has zero anti-virus detection.
- The proxy is written in Go programming language and is spread by malware both on Windows and macOS.
Analysis
In the constantly evolving landscape of cyber threats, malicious actors continuously find new and ingenious ways to exploit technology for their own gain. Recently Alien Labs has observed an emerging trend where malware creators are utilizing proxy applications as their tool of choice. Different malware strains are delivering the proxy - relying on users looking for interesting things, like cracked software and games.
The proxy is written in the Go programming language, giving it the flexibility to be compiled into binaries compatible with various operating systems, including macOS and Windows. Despite the fact that the binaries originated from the same source code, macOS samples are detected by numerous security checks while the Windows proxy application skirts around these measures unseen. This lack of detection is most likely due to the application being signed. (Figure 1)
Figure 1. As on Virus Total: Proxy application – zero detections.
After being executed on a compromised system, the malware proceeds to quietly download and install the proxy application. This covert process takes place without requiring any user interaction and often occurs alongside the installation of additional malware or adware elements. The proxy application and most of the malware delivering it are packed using Inno Setup, a free and popular Windows installer.
Figure 2. As observed by Alien Labs: Malware embedded script to install the proxy silently.
As shown in the figure 2 above, the malware uses specific Inno Setup parameters to silently install the proxy by executing it with the following instructions:
- “/SP-” - Disables the pop up “This will install... Do you wish to continue?” that usually prompts at the beginning of the windows Setup.
- “/VERYSILENT” - When a setup is very silent the installation progress bar window is not displayed.
- “/SUPPRESSMSGBOXES” - Instructs Setup to suppress message boxes. The setup automatically answers common interaction messages box with the user.
Furthermore, the malware transmits specific parameters directly to the proxy installation process, subsequently relaying them to the proxy’s command and control server (C&C) as part of the new peer registration process. These parameters play a crucial role in identifying the origin of the proxy propagation within the proxy command and control infrastructure.
The monetization of malware propagating proxy server through an affiliate program is troublesome, as it creates a formal structure to increase the speed at which this threat will spread. The downloaded proxy application is packed with Inno Setup as well, and the installation script is responsible both for installing its files and persistence. (Figure 3)
Figure 3. As observed by Alien Labs: Proxy installation script.
The setup file drops two executable files:
- “DigitalPulseService.exe” - Is the proxy server itself that communicates constantly with its exit node operator for further instructions.
- “DigitalPulseUpdater” - Check and download for new proxy applications available.
The proxy persists in the system in two ways:
- Run registry key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\DigitalPulse
- Windows schedule task named “DigitalPulseUpdateTask” that will be executed each hour: %AppData%\DigitalPulse\DigitalPulseUpdate.exe
The updater, which is executed through the schedule task, queries the server along with the machine unique GUID on hourly basis, to check for the presence of any update versions. (Figure 4)
Figure 4. As observed by Alien Labs: Proxy updater service.
A response from the server will include the version and download link:
|
{"dd":"https://digitalpulsedata.s3.amazonaws[.]com/update/pp/0.16.14/DigitalPulseService.exe","vv":"0.0.16.14"} |
The proxy then continuously gathers vital information from the machine to ensure optimal performance and responsiveness. This includes everything from process list and monitoring CPU to memory utilization and even tracking battery status. This dynamic data collection underscores its capability to manage the demands of proxy requests while evading suspicion by adapting to the system’s operational context. (Figure 5)
Figure 5. As observed by Alien Labs: Sending collected machine information to the command and control.
The proxy communicates with its command and control on port 7001 to receive further instructions. Figure 6 shows an example request from a proxy node server to get information from “www.google.de” from an infected device.
Figure 6. As observed by Alien Labs: Proxy exit node communication with its C&C.
Recommended actions
To remove the proxy application from the system, delete the following entities:
|
Type |
Data |
Instructions |
|
Folder |
“%AppData%\DigitalPulse” |
To find current user “AppData” folder: |
|
Registry |
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\DigitalPulse |
|
|
Schedule task |
DigitalPulseUpdateTask |
|
Conclusion
In the constantly changing world of cyber threats, the intertwined relationship between innovation and malicious intent propels new strategies by nefarious actors. The rise of malware delivering proxy applications as a lucrative investment, facilitated by affiliate programs, highlights the cunning nature of adversaries’ tactics. These proxies, covertly installed via alluring offers or compromised software, serve as channels for unauthorized financial gains. As we have examined, this underscores the importance of remaining vigilant and adaptive in the face of ever-evolving cyber threats.
Associated Indicators (IOCs)
The following technical indicators are associated with the reported intelligence. A list of indicators is also available in the OTX Pulse. Please note, the pulse may include other activities related but out of the scope of the report.
|
TYPE |
INDICATOR |
DESCRIPTION |
|
SHA256 |
33585aed3e7c4387a3512b93612932718e9dff2358867ba8c4ad1e8073bbce31 |
Malware dropper hash |
|
SHA256 |
2b79d98043030645f27bd1b061ffa27eab19462dff356e6b4a89bb1d3c9bf02d |
Malware dropper hash |
Mapped to MITRE ATT&CK
The findings of this report are mapped to the following MITRE ATT&CK Matrix techniques:
-
- TA0001: Initial Access
- T1189: Drive-by Compromise
- TA0003: Persistence
- T1547: Boot or Logon Autostart Execution
- T1547.001: Registry Run Keys / Startup Folder
- T1053: Scheduled Task/Job
- T1053.005: Scheduled Task
- T1547: Boot or Logon Autostart Execution
- TTA0007: Discovery
- T1082: System Information Discovery
- TA0011: Command and Control
- T1090: Proxy
- T1571: Non-Standard Port
- TA0040: Impact
- T1496: Resource Hijacking
- TA0001: Initial Access
Article Link: ProxyNation: The dark nexus between proxy apps and malware