Pierluigi Paganini
August 17, 2023
AT&T Alien Labs researchers uncovered a massive campaign that delivered a proxy server application to at least 400,000 Windows systems.
The experts identified a company that is charging for proxy service on traffic that goes through infected machines. The report is a continuation of a previous study conducted by AT&T Alien Labs research on Mac systems turned into proxy exit nodes by AdLoad.
Once a system is compromised, it appears online as a residential exit node belonging to users who have been informed and agreed to the use of their device. Alien Labs discovered that the proxy application is signed, it no anti-virus currently detects it.
The researchers reported that in just one week they have observed more than a thousand new malware samples in the wild delivering the proxy application. According to the proxy website, there are more than 400,000 proxy exit nodes, but it is not clear how many of them were installed by malicious code.
The proxy is written in the Go programming language to target various operating systems, including macOS and Windows.
Once installed on a compromised system, the malware download and install the proxy application. The loader is hidden in cracked software and games. The installation doesn’t require any user interaction and threat actors were observed installing also additional malware or adware elements. The proxy application is packet using the Windows installer Inno Setup.
The malware uses specific Inno Setup parameters to silently install the proxy.
“Furthermore, the malware transmits specific parameters directly to the proxy installation process, subsequently relaying them to the proxy’s command and control server (C&C) as part of the new peer registration process.” reads the report published by AT&T. “These parameters play a crucial role in identifying the origin of the proxy propagation within the proxy command and control infrastructure.”
The proxy client creates a registry key to maintain persistence and adds a scheduled task checks for new client updates.
The proxy continuously gathers information (process list, CPU usage, memory usage, battery status, etc.) from the machine to ensure optimal performance and responsiveness.
The experts recommend to delete the following entities to remove the proxy application from the infected system:
| Type | Data | Instructions |
| Folder | “%AppData%\DigitalPulse” | To find current user “AppData” folder: Run -> %AppData% -> ENTER |
| Registry | HKCU\Software\Microsoft\Windows\CurrentVersion\Run\DigitalPulse | |
| Schedule task | DigitalPulseUpdateTask |
“The rise of malware delivering proxy applications as a lucrative investment, facilitated by affiliate programs, highlights the cunning nature of adversaries’ tactics. These proxies, covertly installed via alluring offers or compromised software, serve as channels for unauthorized financial gains.” concludes the report that also includes Indicators of compromise (IOCs). “As we have examined, this underscores the importance of remaining vigilant and adaptive in the face of ever-evolving cyber threats.”
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, proxy server application)
