ProxyNation: The dark nexus between proxy apps and malware

Executive summary

AT&T Alien Labs researchers recently discovered a massive campaign of threats delivering a proxy server application to Windows machines. A company is charging for proxy service on traffic that goes through those machines. This is a continuation of research described in our blog on Mac systems turned into proxy exit nodes by AdLoad.

In this research, Alien Labs identified a company that offers proxy services, wherein proxy requests are rerouted through compromised systems that have been transformed into residential exit nodes due to malware infiltration. Although the proxy website claims that its exit nodes come only from users who have been informed and agreed to the use of their device, Alien Labs has evidence that malware writers are installing the proxy silently in infected systems. In addition, as the proxy application is signed, it has no anti-virus detection, going under the radar of security companies.

In this follow up article we explore the dramatic rise in Windows malware delivering the same payload to create a 400,000 proxy botnet.

Key takeaways:

• In just one week AT&T Alien Labs researchers observed more than a thousand new malware samples in the wild delivering the proxy application.
• According to the proxy website, there are more than 400,000 proxy exit nodes, and it is not clear how many of them were installed by malware.
• The application is silently installed by malware on infected machines without user knowledge and interaction.
• The proxy application is signed and has zero anti-virus detection.
• The proxy is written in Go programming language and is spread by malware both on Windows and macOS.

Analysis

In the constantly evolving landscape of cyber threats, malicious actors continuously find new and ingenious ways to exploit technology for their own gain. Recently Alien Labs has observed an emerging trend where malware creators are utilizing proxy applications as their tool of choice. Different malware strains are delivering the proxy - relying on users looking for interesting things, like cracked software and games.

The proxy is written in the Go programming language, giving it the flexibility to be compiled into binaries compatible with various operating systems, including macOS and Windows. Despite the fact that the binaries originated from the same source code, macOS samples are detected by numerous security checks while the Windows proxy application skirts around these measures unseen. This lack of detection is most likely due to the application being signed. (Figure 1) 

 

Figure 1. As  on Virus Total: Proxy application – zero detections.

After being executed on a compromised system, the malware proceeds to quietly download and install the proxy application. This covert process takes place without requiring any user interaction and often occurs alongside the installation of additional malware or adware elements. The proxy application and most of the malware delivering it are packed using Inno Setup, a free and popular Windows installer.

Figure 2. As observed by Alien Labs: Malware embedded script to install the proxy silently.

As shown in the figure 2 above, the malware uses specific Inno Setup parameters to silently install the proxy by executing it with the following instructions:

• “/SP-” - Disables the pop up “This will install... Do you wish to continue?” that usually prompts at the beginning of the windows Setup.
• “/VERYSILENT” - When a setup is very silent the installation progress bar window is not displayed.
• “/SUPPRESSMSGBOXES” - Instructs Setup to suppress message boxes. The setup automatically answers common interaction messages box with the user.

Furthermore, the malware transmits specific parameters directly to the proxy installation process, subsequently relaying them to the proxy’s command and control server (C&C) as part of the new peer registration process. These parameters play a crucial role in identifying the origin of the proxy propagation within the proxy command and control infrastructure.

The monetization of malware propagating proxy server through an affiliate program is troublesome, as it creates a formal structure to increase the speed at which this threat will spread. The downloaded proxy application is packed with Inno Setup as well, and the installation script is responsible both for installing its files and persistence. (Figure 3)

Figure 3. As observed by Alien Labs: Proxy installation script.

The setup file drops two executable files:

• “DigitalPulseService.exe” - Is the proxy server itself that communicates constantly with its exit node operator for further instructions.
• “DigitalPulseUpdater” - Check and download for new proxy applications available.

The proxy persists in the system in two ways:

• Run registry key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\DigitalPulse
• Windows schedule task named “DigitalPulseUpdateTask” that will be executed each hour: %AppData%\DigitalPulse\DigitalPulseUpdate.exe

The updater, which is executed through the schedule task, queries the server along with the machine unique GUID on hourly basis, to check for the presence of any update versions. (Figure 4)

Figure 4. As observed by Alien Labs: Proxy updater service.

A response from the server will include the version and download link:

{"dd":"https://digitalpulsedata.s3.amazonaws[.]com/update/pp/0.16.14/DigitalPulseService.exe","vv":"0.0.16.14"}

The proxy then continuously gathers vital information from the machine to ensure optimal performance and responsiveness. This includes everything from process list and monitoring CPU to memory utilization and even tracking battery status. This dynamic data collection underscores its capability to manage the demands of proxy requests while evading suspicion by adapting to the system’s operational context. (Figure 5)

Figure 5. As observed by Alien Labs: Sending collected machine information to the command and control.

The proxy communicates with its command and control on port 7001 to receive further instructions. Figure 6 shows an example request from a proxy node server to get information from “www.google.de” from an infected device.

Figure 6. As observed by Alien Labs: Proxy exit node communication with its C&C.

Recommended actions

To remove the proxy application from the system, delete the following entities:

Type	Data	Instructions
Folder	“%AppData%\DigitalPulse”	To find current user “AppData” folder: Run -> %AppData% -> ENTER
Registry	HKCU\Software\Microsoft\Windows\CurrentVersion\Run\DigitalPulse
Schedule task	DigitalPulseUpdateTask

 

Conclusion

In the constantly changing world of cyber threats, the intertwined relationship between innovation and malicious intent propels new strategies by nefarious actors. The rise of malware delivering proxy applications as a lucrative investment, facilitated by affiliate programs, highlights the cunning nature of adversaries’ tactics. These proxies, covertly installed via alluring offers or compromised software, serve as channels for unauthorized financial gains. As we have examined, this underscores the importance of remaining vigilant and adaptive in the face of ever-evolving cyber threats.

Associated Indicators (IOCs)

The following technical indicators are associated with the reported intelligence. A list of indicators is also available in the OTX Pulse. Please note, the pulse may include other activities related but out of the scope of the report.

TYPE	INDICATOR	DESCRIPTION
SHA256	33585aed3e7c4387a3512b93612932718e9dff2358867ba8c4ad1e8073bbce31	Malware dropper hash
SHA256	2b79d98043030645f27bd1b061ffa27eab19462dff356e6b4a89bb1d3c9bf02d	Malware dropper hash
SHA256	b0692f201e6dfdbe1b920849a31f2b9fb73db19779fdb77c660c28fa22b70a38	Malware dropper hash
SHA256	424d35bc945ea2deda177b46978bbb45af74109a988450ea4ed5fe16c1f629f9	Malware dropper hash
SHA256	518bc3b96a97a573c61934ff65cc284c3e5545c7823318918a7cb05cbb5518b1	Malware dropper hash
SHA256	417cf3f959e1040ffe13fcf21691b05ea96da5849010b0a4d17c6cecbeaef621	Malware dropper hash
SHA256	611ce42b0866c085d751c579f00b9e76c412a7d1e1ebcf998be6b666edc22416	Malware dropper hash
SHA256	801ecf29bee98e3b942de85e08ec227373a15b0a253c9c3eb870af33709f3d8d	Malware dropper hash
SHA256	7926a84dcb6ffbe93893477f7f3ad52516cfedf8def5c43686dd6737926146a7	Malware dropper hash
SHA256	3aaaa01bdd20981fdc94d52c5ac0ed762a124b0a08c22d760ab7e43554ee84dd	Malware dropper hash
SHA256	7a33d3f5ca81cdcfe5c38f9a4e5bbf3f900aa8f376693957261cdbe21832c110	Malware dropper hash
SHA256	5a11065473b9a1e47d256d8737c2952da1293f858fc399157ab34bbaadff6cb8	Malware dropper hash
SHA256	de97da00ed54a1f021019852a23b50c82408ab7a71dc0f3e6fef3680ac884842	Malware dropper hash
SHA256	dad35cdd6213381cc350688f6c287f4f3e1192526f78b9b62779acc4b03495f9	Malware dropper hash
SHA256	42ae669786b19556de65eeb1c45ec4685016b69384c21f3bbc30aaf2cddb2126	Malware dropper hash
SHA256	e79c37dc791d1bdb01524d158421efa29dcebde250f7571e9e30714496b3c06f	Malware dropper hash
SHA256	f22452a13635e4651b51c1491312a74891ca1dcd1b5072cbb978c06dc0a560ca	Malware dropper hash
SHA256	6c3f24ff26c5d2f16ae6aa8842e97d402c2e203d0aa2798a40f4dc000554dbca	Malware dropper hash
SHA256	aad7a088f309c1e0671f327db2428a470c14d08d5f6489fcb628071d2361b6a7	Malware dropper hash
SHA256	0e364d219192854032767476173c91c3d61230990597b52e5c36ebadd0fd96d8	Malware dropper hash
SHA256	331cf0f8049fc0e68e8bd75f8efed629b41459425a971cbcec53485ba2bf4521	Malware dropper hash
SHA256	0ca119c7be4ec67355b47d8d197361e730d93153a87d09e00a68ceda340fabb0	Malware dropper hash
SHA256	db115eff8d8b013e89f398b922294b248d5d6be51d7ab60cbde3b6ff2ff3f219	Malware dropper hash
SHA256	1cff1d3a10cc36338803e37cc3c9e9121bdd8c5189ca4533d1c585715561bc4a	Malware dropper hash
SHA256	530e59f9bd99b191b54ec18eb92d6b44005e56c1dd877b4e4ce0370d3d917fb4	Malware dropper hash
SHA256	9a416904a4d942c77177770ea0680c48e5d5eddba793af3c434e4ff733daab56	Malware dropper hash
SHA256	aeeccab5b4712f4c7d75c0606fc4587f13df7a04aa4941bb6599f328ee67d950	Malware dropper hash
SHA256	3ff5e3932ba4a438c12c253ec6b00416ac6ce250173bac6be0bb8d619cea47bd	Malware dropper hash
SHA256	a10d023b10b878a09697563155799bd088ed2f797aff489b732959f917414f97	Malware dropper hash
SHA256	65a9895f5e49f8e18727fe16744c6631c0676e08499f4407b9d8c11634aae5e0	Malware dropper hash
SHA256	e07aa2d15520c6f0ab9bbbe049f48402e4b91fde59b22b5668daef2ec924a68b	Malware dropper hash
SHA256	cc3cbc8ad7f71223230a457aa2664d77b43b7f7a4988b42609ad707f0385aee3	Malware dropper hash
SHA256	cba34f77ca2a5d4dc56f4567ff1f0b2242105d532353d2868d7b2c42f1a37551	Malware dropper hash
SHA256	153de6a7d78bcce8a0cec446cdc20ec4b18ee72b74f59e76780ec5c76efddc52	Malware dropper hash
SHA256	8505c4c3d6406cc55a9492cf1a3285de9c0357691112b2ab787faa57d55d304b	Malware dropper hash
SHA256	c202911529293052006fa6bc6a87c66bbd5621738190dbd75a5b3a150fed5c41	Malware dropper hash
SHA256	550c4839f26bf81f480c5e4210be3ded43d4f8027d5d689a6fe8692c42235940	Malware dropper hash
	5324f5aae565ddc8dc2a4b574bc690cba6b35bd4bf3f63e6df14d613b68ac769	Malware dropper hash
DOMAIN	bapp.digitalpulsedata[.]com	Proxy node server

 

Mapped to MITRE ATT&CK

The findings of this report are mapped to the following MITRE ATT&CK Matrix techniques:

• • TA0001: Initial Access
    • T1189: Drive-by Compromise
  • TA0003: Persistence
    • T1547: Boot or Logon Autostart Execution
      • T1547.001: Registry Run Keys / Startup Folder
    • T1053: Scheduled Task/Job
      • T1053.005: Scheduled Task
  • TTA0007: Discovery
    • T1082: System Information Discovery
  • TA0011: Command and Control
    • T1090: Proxy
    • T1571: Non-Standard Port
  • TA0040: Impact
    • T1496: Resource Hijacking