A widespread threat campaign centered around a proxy server application targeting Windows was uncovered by researchers at AT&T Alien Labs. This discovery was an extension of earlier research detailing how AdLoad turned Mac systems into proxy exit nodes.

The attackers are leveraging this campaign to deliver a proxy service that reroutes traffic through compromised machines to use as residential exit nodes, subsequently charging for the proxy service. Alarmingly, the proxy application is digitally signed, allowing it to evade antivirus detection and remain under the radar.

While the proxy service’s website maintains that its exit nodes exclusively originate from users who have consented to such use, AT&T Alien Labs has amassed evidence suggesting that malicious actors are surreptitiously implanting the proxy in infected systems. The Windows malware found is believed to be responsible for disseminating the same payload, culminating in the formation of a colossal proxy botnet exceeding 400,000 nodes.

The proxy application, scripted in the versatile and cross-platform Go programming language, grants it the ability to be compiled into executables compatible with multiple operating systems. Although the macOS and Windows version of the malware were compiled from the same source code, the macOS version was flagged as malicious whereas the Windows version remained undetected.

They believe the Windows compiled version of the malware remained undetected due to it being digitally signed with legitimate certificate. While digital signatures can serve as a method of trust for applications, they can also provide a method for malicious application to masquerade themselves behind a fake mask of legitimacy.

The malware orchestrates the proxy’s installation in a stealthy manner, sidestepping user interaction and frequently coinciding with the installation of additional malware or adware components. In this case it installed “DigitalPulseService.exe” for proxy component and for communication with the exit node and command and control (C2) server. It also installed “DigitalPulseUpdater” for updating the proxy software.

As seen in other common malware, the installation involves generating persistence in the registry using a Run key to launch “DigitalPulseService.exe” and creating a scheduled task to run every hour to execute the updater.

Although the proxy is the primary payload responsible for the proxy server and communicating with the exit node and C2 server, the updater has the potential to wreak more havoc. Since the updater is checking for updates every hour, the threat actors could push out an update with a payload that would cause much greater damage than proxying traffic.

In an environment where innovation and malicious intent collide, the surge in malware-driven proxy applications serves as a glaring reminder of adversaries’ resourcefulness. This trend highlights the necessity for constant vigilance and adaptability in countering ever-evolving cyberthreats.

In Summary: There is a significant threat campaign targeting Windows systems. It uses malware to install a program that allows network traffic to be passed through unsuspecting systems, thereby creating a botnet of connected systems, and allow for possible follow-on attacks.

Why It Matters: MSPs and their clients need to be aware of this emerging threat campaign as it demonstrates how cybercriminals are employing advanced techniques to communicate and connect through maliciously infiltrated systems, which can lead to unauthorized traffic rerouting, data compromise, and potential financial loss. The campaign’s ability to bypass antivirus detection highlights the evolving sophistication of cyberthreats, urging MSPs and clients to remain vigilant and proactive in their security strategies.