
Go-Based Proxy Targets Windows and Mac Systems

Aug 28, 2023 2:57:30 PM / by The Hivemind

Executive Summary

A recent malware campaign delivered a proxy server application to both Windows and Mac systems, turning them into proxy exit nodes. 

Key Takeaways

  • A recent campaign delivered a proxy server application to both Windows and Mac systems, turning them into proxy exit nodes. 
  • A company charges for the proxy service on traffic that uses those machines. 
  • The initial attack vector appears to be cracked software or games. 
  • The proxy application, written in Go, is difficult to detect on Windows systems but is more easily detected on MacOS. 

The Campaign

AT&T Alien Labs recently reported on a campaign where a proxy server application was delivered to numerous Windows and Mac systems, turning them into proxy exit nodes. A company charges for the proxy service on traffic that uses those machines. While the company claims all users with a proxy on their machine are willing parties, Alien Labs found the proxy being installed via malware.

The initial attack vector appears to be cracked software or games. Once the related malware compromises the victim machine, it discreetly installs the proxy application without the need for user interaction. Other malware or adware may be simultaneously installed. The proxy has been used on both Windows and MacOS devices. The proxy application, written in Go, is difficult to detect on Windows systems but is more easily detected on MacOS. On Windows systems, Inno Setup is used for proxy installation.

In addition to relaying traffic, the application collects information about the victim machine, including running processes, CPU and memory usage, and battery status. Alien Labs noted that the proxy can function as a covert channel that is operated for financial gain.

IOCs

Note: Since Alien Labs used ProxyNation in the title of their post and did not provide a name for the proxy, we have chosen to refer to it as ProxyNation and use that tag to designate the related malware in our data set.

PolySwarm has multiple samples associated with this activity.

2b79d98043030645f27bd1b061ffa27eab19462dff356e6b4a89bb1d3c9bf02d
f22452a13635e4651b51c1491312a74891ca1dcd1b5072cbb978c06dc0a560ca
6c3f24ff26c5d2f16ae6aa8842e97d402c2e203d0aa2798a40f4dc000554dbca
aad7a088f309c1e0671f327db2428a470c14d08d5f6489fcb628071d2361b6a7
0e364d219192854032767476173c91c3d61230990597b52e5c36ebadd0fd96d8
aeeccab5b4712f4c7d75c0606fc4587f13df7a04aa4941bb6599f328ee67d950
c202911529293052006fa6bc6a87c66bbd5621738190dbd75a5b3a150fed5c41
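As an added example (not code from this post, from PolySwarm's tooling, or from Alien Labs), the following Python script sweeps a directory tree for files whose SHA-256 matches the hashes above and flags matches that carry strings typical of unstripped Go binaries. Hashes are normalised to lower case before comparison, since a case difference in a pasted IOC would otherwise cause a silent miss. The Go marker strings, the `demo()` file names and the planted sample bytes are assumptions constructed for illustration; the only data taken from the post is the hash list.

```python
"""Added example: hunt a directory tree for the SHA-256 IOCs published for the
ProxyNation proxy and flag matches that look like Go-built binaries.
Not code from the PolySwarm post or from Alien Labs."""
import hashlib
import os
import tempfile
from pathlib import Path

# SHA-256 IOCs exactly as listed in the post. Hex digests are case-insensitive,
# so they are normalised before use rather than trusted as typed.
RAW_IOCS = (
    "2b79d98043030645f27bd1b061ffa27eab19462dff356e6b4a89bb1d3c9bf02d",
    "F22452a13635e4651b51c1491312a74891ca1dcd1b5072cbb978c06dc0a560ca",
    "6c3f24ff26c5d2f16ae6aa8842e97d402c2e203d0aa2798a40f4dc000554dbca",
    "Aad7a088f309c1e0671f327db2428a470c14d08d5f6489fcb628071d2361b6a7",
    "0e364d219192854032767476173c91c3d61230990597b52e5c36ebadd0fd96d8",
    "Aeeccab5b4712f4c7d75c0606fc4587f13df7a04aa4941bb6599f328ee67d950",
    "c202911529293052006fa6bc6a87c66bbd5621738190dbd75a5b3a150fed5c41",
)

# Strings commonly present in unstripped Go binaries. This is a triage
# heuristic assumed for illustration: stripped builds may lack them and
# benign Go software contains them, so a hit is a prompt to look, not a verdict.
GO_MARKERS = (b"Go build ID:", b"runtime.main", b".gopclntab", b"__gopclntab")


def normalise_iocs(hashes):
    """Lower-case and de-duplicate SHA-256 strings; reject anything malformed."""
    out = set()
    for h in hashes:
        h = h.strip().lower()
        if len(h) != 64 or any(c not in "0123456789abcdef" for c in h):
            raise ValueError(f"not a SHA-256 hex digest: {h!r}")
        out.add(h)
    return out


PROXYNATION_SHA256 = normalise_iocs(RAW_IOCS)


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so a large installer is never read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def looks_like_go_binary(path, scan_limit=8 << 20):
    """True if any Go marker string occurs in the first scan_limit bytes of the file."""
    with open(path, "rb") as fh:
        data = fh.read(scan_limit)
    return any(marker in data for marker in GO_MARKERS)


def sweep(root, iocs=PROXYNATION_SHA256):
    """Walk root and return (path, sha256, looks_like_go) for every IOC match."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            try:
                digest = sha256_file(path)
            except OSError:
                continue  # unreadable or vanished file; keep sweeping the rest
            if digest in iocs:
                hits.append((str(path), digest, looks_like_go_binary(path)))
    return hits


def demo():
    """Run the sweep over a constructed sample tree (no real malware involved).

    One planted file is added to the IOC set with an upper-case digest to show
    that normalisation makes the match case-insensitive."""
    with tempfile.TemporaryDirectory() as tmp:
        planted = Path(tmp) / "setup.exe"  # hypothetical name for the demo
        planted.write_bytes(b"MZ\x90\x00 constructed sample Go build ID: abc123")
        (Path(tmp) / "notes.txt").write_bytes(b"benign constructed file")
        iocs = normalise_iocs(list(RAW_IOCS) + [sha256_file(planted).upper()])
        return sweep(tmp, iocs)


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, digest, is_go in sweep(root):
        print(f"MATCH {digest} {path} go_binary={is_go}")
```

Run it as `python sweep.py C:\Users` or `python sweep.py /Applications` on a host you suspect; `demo()` exercises the same code path against files it creates itself. A hash sweep only catches the exact samples listed here, so treat it as a first pass and pair it with the behavioural indicators in the post (an Inno Setup installer dropped alongside cracked software, and a Go process holding outbound connections it has no reason to hold).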

You can use the following CLI command to search for all related samples in our portal:

$ polyswarm link list -f ProxyNation


Topics: Threat Bulletin, Windows, Mac, Proxy, Go
