Executive Summary
A recent malware campaign delivered a proxy server application to both Windows and Mac systems, turning them into proxy exit nodes.
Key Takeaways
- A recent campaign delivered a proxy server application to both Windows and Mac systems, turning them into proxy exit nodes.
- A company charges for the proxy service on traffic that uses those machines.
- The initial attack vector appears to be cracked software or games.
- The proxy application, written in Go, is difficult to detect on Windows systems but is more easily detected on macOS.
The Campaign
AT&T Alien Labs recently reported on a campaign where a proxy server application was delivered to numerous Windows and Mac systems, turning them into proxy exit nodes. A company charges for the proxy service on traffic that uses those machines. While the company claims all users with a proxy on their machine are willing parties, Alien Labs found the proxy being installed via malware.
The initial attack vector appears to be cracked software or games. Once the related malware compromises the victim machine, it discreetly installs the proxy application without any user interaction. Other malware or adware may be installed at the same time. The proxy has been used on both Windows and macOS devices. The proxy application, written in Go, is difficult to detect on Windows systems but is more easily detected on macOS. On Windows systems, Inno Setup is used to install the proxy.
In addition to serving as a proxy, the application collects information about the victim machine, including processes, CPU and memory usage, and battery status. Alien Labs noted the proxy can function as a covert channel for financial gain.
IOCs
Note: Since Alien Labs used ProxyNation in the title of their post and did not provide a name for the proxy, we have chosen to refer to it as ProxyNation and use that tag to designate the related malware in our data set.
PolySwarm has multiple samples associated with this activity.
You can use the following CLI command to search for all related samples in our portal:
$ polyswarm link list -f ProxyNation