
Malware Is Turning Windows Machines Into Proxies

Proxy App Is Covertly Installed Via Alluring Offers or Compromised Software

Researchers say a proxy service is routing internet traffic through unsuspecting users' Windows systems, which it turns into residential exit nodes after luring their owners into downloading its proxy application through offers of cracked software and games.


Because the Windows proxy application is signed, antivirus engines do not flag it, AT&T Alien Labs said in a blog post. A code signature vouches only for the signer's identity and the file's integrity, not for what the program does, so the presence of a signature is no reason to treat the binary as benign.

The unnamed proxy service claims more than 400,000 proxy nodes, all supposedly running on volunteers' computers. Alien Labs said it is unclear how many of those machines are unwitting bots whose owners do not know they are relaying other people's internet traffic.

Once the malware runs on a compromised system, it downloads and installs the proxy application without any user interaction.

In this case the malware, its adware components and the proxy application are all packaged with Inno Setup, a free Windows installer builder. The researchers observed the same proxy service, which had previously been delivered to macOS systems by the AdLoad malware, expanding its operations to Windows as well.

Researchers say the binaries are compatible with various operating systems, including macOS and Windows. "MacOS samples were detected by numerous security checks while the Windows proxy application skirts around these measures unseen," the researchers said.

Using Inno Setup's command-line parameters, the malware installs the proxy silently, suppressing the installer's pop-up that asks users whether they wish to install the software.

The malware also passes specific parameters to the proxy installer, which relays them to the proxy's command-and-control server when it registers the machine as a new peer. That registration data "plays a crucial role in identifying the origin of the proxy propagation within the command and control infrastructure," the researchers said.
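A hunt for this installation pattern, added here as an example and not taken from the AT&T Alien Labs report or the article: it scores Sysmon Event ID 1 style process-creation records on the documented Inno Setup switches that suppress prompts (/SP-, /SILENT, /VERYSILENT, /SUPPRESSMSGBOXES), on execution from Inno Setup's %TEMP%\is-XXXXX.tmp staging directory, on user-writable paths, and on a parent process that is not deployment tooling. Which of these switches the campaign actually used, the trusted-parent list, and the sample records are all assumptions or constructed data.

```python
import re

# Documented Inno Setup command-line switches that remove the installer's own
# prompts: /SP- drops the "This will install ... Do you wish to continue?"
# dialog, /SILENT and /VERYSILENT hide the wizard, /SUPPRESSMSGBOXES answers
# message boxes automatically. Which ones this campaign used is an assumption.
SILENT_SWITCHES = {"/sp-", "/silent", "/verysilent", "/suppressmsgboxes"}

# Inno Setup unpacks its real installer into %TEMP%\is-XXXXX.tmp\ and runs it
# from there (five alphanumerics assumed), which fingerprints the packer itself.
INNO_TEMP_RE = re.compile(r"\\temp\\is-[a-z0-9]{5}\.tmp\\", re.IGNORECASE)

# Paths an unprivileged user can write to; self-installing software here is
# the pattern of a download from a cracked-software site, not a managed push.
USER_WRITABLE_RE = re.compile(
    r"\\(users\\[^\\]+\\(downloads|appdata)|temp)\\", re.IGNORECASE)

# Parents that legitimately drive silent installs. Assumed names; tune per
# estate (SCCM client, Intune extension, Windows Installer).
TRUSTED_PARENTS = {"ccmexec.exe", "intunemanagementextension.exe", "msiexec.exe"}


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def score_event(event):
    """Score one Sysmon Event ID 1 style record; returns (score, reasons)."""
    cmd_tokens = set(event.get("CommandLine", "").lower().split())
    image = event.get("Image", "")
    parent = event.get("ParentImage", "")
    reasons = []

    silent = bool(cmd_tokens & SILENT_SWITCHES)
    if silent:
        reasons.append("inno silent switches")
    if INNO_TEMP_RE.search(image):
        reasons.append("runs from Inno Setup temp dir")
    if USER_WRITABLE_RE.search(image) or USER_WRITABLE_RE.search(parent):
        reasons.append("user-writable path")
    if silent and _basename(parent) not in TRUSTED_PARENTS:
        reasons.append("silent install not driven by deployment tooling")
    return len(reasons), reasons


def hunt(events, threshold=2):
    """Return [(event, reasons)] for records scoring at or above threshold."""
    findings = []
    for event in events:
        score, reasons = score_event(event)
        if score >= threshold:
            findings.append((event, reasons))
    return findings


# Constructed sample records, not real telemetry.
SAMPLE_EVENTS = [
    {   # cracked-game installer drops and silently runs a packed proxy installer
        "Image": r"C:\Users\alice\AppData\Local\Temp\is-K3P9F.tmp\proxy_setup.tmp",
        "CommandLine": r'"C:\Users\alice\AppData\Local\Temp\is-K3P9F.tmp\proxy_setup.tmp" /SP- /VERYSILENT /SUPPRESSMSGBOXES',
        "ParentImage": r"C:\Users\alice\Downloads\GameCrack_Setup.exe",
    },
    {   # managed silent install pushed by the SCCM client
        "Image": r"C:\Windows\ccmcache\a1\app_setup.exe",
        "CommandLine": r'"C:\Windows\ccmcache\a1\app_setup.exe" /VERYSILENT /NORESTART',
        "ParentImage": r"C:\Windows\CCM\CcmExec.exe",
    },
    {   # interactive install a user double-clicked in Downloads
        "Image": r"C:\Users\bob\Downloads\editor_setup.exe",
        "CommandLine": r'"C:\Users\bob\Downloads\editor_setup.exe"',
        "ParentImage": r"C:\Windows\explorer.exe",
    },
]

if __name__ == "__main__":
    for event, reasons in hunt(SAMPLE_EVENTS):
        print(event["Image"], "->", "; ".join(reasons))
```

Only the first sample record crosses the threshold; the SCCM push shares the silent switch but has a trusted parent and a managed path, and the interactive install has no switches at all. Because the peer-registration parameters the article describes ride on the same command line as the switches, recording the full command line (Sysmon Event ID 1 does) is what makes both the silent install and those parameters recoverable after the fact.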

The proxy app also collects system information, ostensibly to tune its performance and responsiveness: the list of running processes, CPU and memory utilization, and even battery status, the researchers said.


About the Author

Prajeet Nair


Assistant Editor, Global News Desk, ISMG

Nair previously worked at TechCircle, IDG, Times Group and other publications, where he reported on developments in enterprise technology, digital transformation and other issues.



