Massive 400,000 Proxy Botnet Built With Stealthy Malware Infections

Cyber Security Threat Summary:
Researchers have discovered a widespread operation that distributed proxy server applications to over 400,000 Windows systems. These devices function as residential exit nodes without obtaining users’ permission, and a company is making money by charging for the proxy traffic that passes through these machines. Threat actors find residential proxies useful for carrying out extensive credential stuffing attacks using new IP addresses. However, these proxies also have legitimate uses, such as ad verification, data extraction, website testing, and privacy-focused rerouting. Certain proxy providers sell access to residential proxies and incentivize users with financial rewards in exchange for sharing their bandwidth.

In a recent report, AT&T Alien Labs has stated that the network of 400,000 nodes serving as proxies was established through the distribution of harmful payloads that carried the proxy application. Despite the company behind the botnet claiming that users gave their consent, the researchers discovered that the proxy was installed silently on the devices. "In addition, as the proxy application is signed, it has no anti-virus detection, going under the radar of security companies," the researchers added. The same company controlled exit nodes created by a malicious payload called AdLoad that targeted macOS systems, which AT&T reported last week. In fact, the two Go-based binaries (for macOS and Windows) appear to originate from the same source code; however, the Windows proxy client evades antivirus detection because it carries a valid digital signature (BleepingComputer, 2023).

The infection process commences when a concealed loader within cracked software and games is run. The loader then silently downloads and installs the proxy application in the background, without requiring any input from the user. The creators of the malware utilize Inno Setup with customized settings to ensure that the installation procedure remains undetectable and avoids the usual prompts visible to users. While the proxy client is being installed, the malware transmits specific parameters to both the command and control server and the newly established client. This facilitates the registration of the client and its integration into the botnet.

Security Officer Comments:
The proxy client establishes persistence on the compromised system by generating a registry entry that triggers its activation during system startup. Additionally, it inserts a scheduled task to periodically search for updates to the client. According to the AT&T report, the proxy consistently collects essential data from the device to maintain peak performance and responsiveness. This encompasses details like the list of running processes, CPU and memory usage, and even the battery status.
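The two persistence mechanisms described above (a startup registry value and a recurring update task) are exactly what a host audit should enumerate. The script below is an example added to this summary; it is not code from the AT&T report or from the proxy client. It reads the HKCU and HKLM Run keys when it runs on Windows and otherwise falls back to a constructed sample so the analysis part can be exercised anywhere. The "user-writable directory" and "short repetition interval" rules are heuristics assumed here, not properties the page attributes to this specific client, and every entry name and path in the sample is invented.

```python
"""Audit Windows autostart entries for ones resembling a silently installed
proxy client: Run-key values and scheduled tasks that launch from a
user-writable directory or re-run on a short interval (update-check pattern).

Example added to this summary, not code from the AT&T report or the malware."""
import re
import sys
from dataclasses import dataclass
from typing import List, Optional

# Heuristic (assumption): legitimately installed services rarely start from here.
USER_WRITABLE = ("\\appdata\\local", "\\appdata\\roaming", "\\temp\\",
                 "\\programdata\\", "\\users\\public")

RUN_KEYS = (
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\Run"),
)


@dataclass
class AutostartEntry:
    kind: str                            # "run_key" or "scheduled_task"
    name: str
    command: str
    interval_min: Optional[int] = None   # repetition interval for tasks, if any


# Constructed sample (names and paths invented); used off-Windows and by the test.
SAMPLE_ENTRIES: List[AutostartEntry] = [
    AutostartEntry("run_key", r"HKCU\OneDrive",
                   r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'),
    AutostartEntry("run_key", r"HKCU\ProxyAgent",
                   r'"C:\Users\alice\AppData\Roaming\ProxyAgent\agent.exe" --silent'),
    AutostartEntry("scheduled_task", "ProxyAgentUpdate",
                   r"C:\Users\alice\AppData\Roaming\ProxyAgent\update.exe", interval_min=30),
    AutostartEntry("scheduled_task", "MicrosoftEdgeUpdateTaskMachineCore",
                   r"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe",
                   interval_min=1440),
]


def exe_path(command: str) -> str:
    """Extract the executable path from a command line, quoted or not."""
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', command)
    return (m.group(1) or m.group(2)) if m else command


def collect_run_entries() -> List[AutostartEntry]:
    """Read the HKCU/HKLM Run keys on Windows; return the constructed sample elsewhere."""
    if sys.platform != "win32":
        return SAMPLE_ENTRIES
    import winreg  # only available on Windows
    hives = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}
    found = []
    for hive_name, path in RUN_KEYS:
        try:
            with winreg.OpenKey(hives[hive_name], path) as key:
                i = 0
                while True:
                    try:
                        name, value, _ = winreg.EnumValue(key, i)
                    except OSError:
                        break  # no more values under this key
                    found.append(AutostartEntry("run_key", f"{hive_name}\\{name}", str(value)))
                    i += 1
        except OSError:
            continue  # key missing or not readable
    return found


def flag_suspicious(entries, max_interval_min=60):
    """Return (entry, reasons) pairs that warrant a closer look."""
    flagged = []
    for e in entries:
        reasons = []
        exe = exe_path(e.command).lower()
        if any(marker in exe for marker in USER_WRITABLE):
            reasons.append("runs from a user-writable directory")
        if (e.kind == "scheduled_task" and e.interval_min is not None
                and e.interval_min <= max_interval_min):
            reasons.append(f"repeats every {e.interval_min} min (update-check pattern)")
        if reasons:
            flagged.append((e, reasons))
    return flagged


if __name__ == "__main__":
    for entry, reasons in flag_suspicious(collect_run_entries()):
        print(f"[{entry.kind}] {entry.name}: {entry.command}\n    -> " + "; ".join(reasons))
```

Scheduled tasks are not enumerated here because there is no portable Python API for the Task Scheduler; on a real host, feed the task list (for instance exported from the Task Scheduler) into `flag_suspicious` as `scheduled_task` entries. A flagged entry is a lead for review, not proof of infection: a signed binary in a user profile directory is how many legitimate updaters behave too, so check the signer and the executable's origin before acting.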

Suggested Correction(s):
Users should be wary of IoT devices that lack traditional security features. Many IoT devices do not have multi-factor authentication or even the ability to change default usernames and passwords. Cybercriminals will continue to target the ever-growing IoT device market.

If IoT devices must be used, users should consider segmenting them from sensitive networks.

Once a device has been compromised by a botnet, users may notice slow or sluggish systems and/or unusual traffic on the network.
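One concrete form the "unusual traffic" above takes for a proxy exit node is fan-out: a host relaying other people's browsing contacts far more unrelated external networks per hour than a workstation does. The script below is an example added to this summary, not code from the AT&T report; it applies that heuristic to netflow-style records. The record format, the 150-network threshold, and all addresses and traffic in `make_sample_flows` are constructed for illustration.

```python
"""Fan-out heuristic for spotting an internal host that behaves like a proxy exit
node in netflow-style records. A workstation talks to a few dozen external
networks an hour; a residential exit node relays other people's traffic and
fans out to hundreds of unrelated destinations in the same period.

Example added to this summary, not code from the AT&T report. The record
format, thresholds and all addresses below are constructed for illustration."""
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

Flow = namedtuple("Flow", "ts src dst dport bytes_out bytes_in")

INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flow(line: str) -> Flow:
    """Parse one constructed record: '<iso-ts> <src> <dst> <dport> <bytes_out> <bytes_in>'."""
    ts, src, dst, dport, b_out, b_in = line.split()
    return Flow(datetime.fromisoformat(ts), src, dst, int(dport), int(b_out), int(b_in))


def fan_out_per_hour(flows):
    """Map (internal host, hour) -> number of distinct external /24 networks contacted."""
    seen = defaultdict(set)
    for f in flows:
        if not is_internal(f.src) or is_internal(f.dst):
            continue  # only outbound internal -> external traffic counts
        hour = f.ts.replace(minute=0, second=0, microsecond=0)
        seen[(f.src, hour)].add(str(ip_network(f"{f.dst}/24", strict=False)))
    return {key: len(nets) for key, nets in seen.items()}


def proxy_like_hosts(flows, threshold=150):
    """Return {host: peak hourly fan-out} for hosts exceeding the threshold in any hour."""
    peaks = {}
    for (host, _hour), n in fan_out_per_hour(flows).items():
        if n >= threshold and n > peaks.get(host, 0):
            peaks[host] = n
    return peaks


def make_sample_flows():
    """Constructed traffic: 10.0.0.5 browses normally, 10.0.0.9 acts as an exit node."""
    base = datetime(2023, 8, 17, 10, 0, 0)
    flows = []
    for i in range(40):   # normal host: 40 connections spread over 12 /24 networks
        flows.append(Flow(base + timedelta(seconds=60 * i), "10.0.0.5",
                          f"198.51.{i % 12}.10", 443, 1500, 30000))
    for i in range(400):  # exit node: 400 connections to 400 different /24s in one hour
        flows.append(Flow(base + timedelta(seconds=8 * i), "10.0.0.9",
                          f"203.{i // 250}.{i % 250}.10", 443, 2000, 2000))
    flows.append(Flow(base, "10.0.0.9", "10.0.0.1", 445, 500, 500))    # internal: ignored
    flows.append(Flow(base, "192.0.2.44", "10.0.0.9", 443, 100, 100))  # inbound: ignored
    return flows


if __name__ == "__main__":
    for host, peak in proxy_like_hosts(make_sample_flows()).items():
        print(f"{host}: {peak} distinct external /24s in one hour; review for a proxy client")
```

Counting /24 networks rather than raw IPs keeps a single busy site served from one block from inflating the score, and an hourly window lets the check run over a rolling log export. Tune the threshold against a baseline of your own workstations before alerting on it, and treat a hit as a reason to run the host-level persistence audit, not as a verdict on its own.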