A widespread threat campaign centered around a proxy server application targeting Windows was uncovered by researchers at AT&T Alien Labs. This discovery was an extension of earlier research detailing how AdLoad turned Mac systems into proxy exit nodes.
The attackers are leveraging this campaign to deliver a proxy service that reroutes traffic through compromised machines to use as residential exit nodes, subsequently charging for the proxy service. Alarmingly, the proxy application is digitally signed, allowing it to evade antivirus detection and remain under the radar.
While the proxy service’s website maintains that its exit nodes exclusively originate from users who have consented to such use, AT&T Alien Labs has amassed evidence suggesting that malicious actors are surreptitiously implanting the proxy in infected systems. The Windows malware found is believed to be responsible for disseminating the same payload, culminating in the formation of a colossal proxy botnet exceeding 400,000 nodes.
The proxy application is written in Go, a cross-platform language, so the same source can be compiled into executables for multiple operating systems. Although the macOS and Windows versions of the malware were compiled from the same source code, the macOS version was flagged as malicious whereas the Windows version remained undetected.
The researchers believe the Windows build remained undetected because it was digitally signed with a legitimate certificate. While digital signatures can serve as a method of trust for applications, they can also let a malicious application masquerade behind a mask of legitimacy.
The malware orchestrates the proxy’s installation in a stealthy manner, sidestepping user interaction and frequently coinciding with the installation of additional malware or adware components. In this case it installed “DigitalPulseService.exe” as the proxy component, which also handles communication with the exit node and the command and control (C2) server, and “DigitalPulseUpdater” to update the proxy software.
As seen in other common malware, the installation establishes persistence through a registry Run key that launches “DigitalPulseService.exe” and a scheduled task that runs the updater every hour.
Although the proxy is the primary payload responsible for the proxy server and communicating with the exit node and C2 server, the updater has the potential to wreak more havoc. Since the updater is checking for updates every hour, the threat actors could push out an update with a payload that would cause much greater damage than proxying traffic.
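The two persistence mechanisms described above can be checked for on a Windows host with the following hunt script. It is an added example, not code from the AT&T Alien Labs report; it assumes the file-name fragment "DigitalPulse" is enough to identify both binaries and that the task repeats on a one-hour interval, and it reports the Authenticode signer of each hit because a valid signature is exactly what let the Windows build slip past antivirus.

```powershell
# Added hunt script (not from the report): finds the Run-key entry for the proxy
# and the hourly scheduled task for the updater, then shows who signed each binary.
# Run in an elevated PowerShell session on the host being examined.
$pattern = 'DigitalPulse'   # name fragment from the report; an assumption if the sample differs

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)
$hits = @()

# 1. Run-key persistence: any value whose command line references the proxy binary
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip the provider's own PS* metadata properties
        if ($p.Value -match $pattern) {
            $hits += [pscustomobject]@{ Source = "RunKey $key\$($p.Name)"; Command = $p.Value }
        }
    }
}

# 2. Scheduled-task persistence: task actions referencing the updater, flagging hourly repetition
foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
    foreach ($action in $task.Actions) {
        $cmd = "$($action.Execute) $($action.Arguments)"
        if ($cmd -match $pattern) {
            # Repetition.Interval is an ISO 8601 duration; PT1H is the "every hour" the report describes
            $hourly = [bool]($task.Triggers | Where-Object { $_.Repetition.Interval -eq 'PT1H' })
            $hits += [pscustomobject]@{
                Source  = "Task $($task.TaskPath)$($task.TaskName) (hourly=$hourly)"
                Command = $cmd
            }
        }
    }
}

# 3. For each hit, pull the executable path out of the command line and check its signature.
#    A status of 'Valid' only means the certificate chain verifies, not that the file is benign.
foreach ($h in $hits) {
    $exe = $h.Command -replace '^"?([^"]+\.exe)"?.*$', '$1'
    if (Test-Path $exe) {
        $sig = Get-AuthenticodeSignature -FilePath $exe
        $h | Add-Member NoteProperty Signer    $sig.SignerCertificate.Subject
        $h | Add-Member NoteProperty SigStatus $sig.Status
    }
    $h
}
if (-not $hits) { Write-Output "No $pattern persistence found in Run keys or scheduled tasks." }
```

Treat a signed hit as evidence to investigate, not to dismiss: the signer subject and the hourly updater task together are the indicators worth escalating.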
In an environment where innovation and malicious intent collide, the surge in malware-driven proxy applications serves as a glaring reminder of adversaries’ resourcefulness. This trend highlights the necessity for constant vigilance and adaptability in countering ever-evolving cyberthreats.