Threat actors have been adopting a less common method to generate revenue and are leveraging payloads to install proxyware services on target systems.
Proxyware is a program that allows allocating available internet bandwidth over a proxy to users that need it for various tasks, like testing, intelligence collection, content distribution, or market research. In return, bandwidth donors get cash.
According to a new report published today by researchers at South Korean company Ahnlab, new malware campaigns have emerged that install proxyware to earn money from sharing their victim’s network bandwidth.
The attackers receive compensation for the bandwidth by setting their email address for the user, while the victims might only notice some connectivity slowdowns and hiccups.
Smuggling the clients
Ahnlab observed the smuggling of installers for the services Peer2Profit and IPRoyal, while the initial infection occurs via adware like Noereklami or other malware strains.
The malware checks if the proxy client is running on the host, and it can use the “p2p_start()” function to launch it if it’s deactivated.
In the case of IPRoyal’s Pawns, the malware prefers to install the CLI version of the client instead of the GUI one, as the goal is to have the process run stealthily in the background.
In more recent observations, attackers used Pawns in DLL form and provided their emails and passwords in encoded string form, launching it with the functions “Initialize()” and “startMainRoutine()”.
Infecting MS-SQL servers too
According to Ahnlab’s report, the malware operators that make a profit using this less typical method are also targeting vulnerable MS-SQL servers to installPeer2Profit clients.
This has been going on since early June 2022, with most logs retrieved from infected systems revealing the existence of a UPX-packed database file named “sdk.mdf”.
Among the more common threats for SQL servers are cryptocurrency coin miners that perform cryptojacking. There are also plenty of instances where the threat actor uses the server as a pivoting point into the network via Cobalt Strike beacons.
The reason behind using proxyware clients is likely an increased chance to remain undetected for longer periods, which translates into larger profits. It is unclear how much money actors generate via this method, though.