Threat actors are distributing a proxy server application through malware-infected Windows and macOS devices [3]. This poses a significant challenge as the proxy service operates over 400,000 exit nodes, some of which are compromised by malware without user knowledge [1] [4]. The cunning tactics of adversaries are evident in their targeting of macOS systems.

Description

AT&T Alien Labs has discovered that threat actors are covertly distributing a proxy server application through malware-infected Windows and macOS devices. This proxy application operates over 400,000 exit nodes [1] [4] [5], some of which have been co-opted by malware without the knowledge of the users. The malware writers silently install the proxy on infected systems [1] [4], specifically targeting users who search for cracked software and games [1]. The proxy software is designed to evade detection and gather information about the compromised systems. Along with the proxy, additional malware or adware components are deployed [1].

On macOS machines, the AdLoad adware is being used to build a residential proxy botnet [1], potentially as part of a pay-per-install campaign [1] [4]. AdLoad is a large adware strain that tricks macOS users into downloading unwanted applications [1]. The rise of malware delivering proxy applications demonstrates the cunning tactics of adversaries [1] [4], particularly in targeting macOS systems. There has been a surge in threat actors advertising information stealer strains and tools to bypass macOS security functions [1] [4]. Mac users are predominantly targeted by Trojans [1] [4], Potentially Unwanted Applications [1] [4], and Adware [1] [3] [4], with EvilQuest being the most common malware targeting Macs [1] [4].

The proxy application is written in Go to ensure compatibility across multiple operating systems [2]. Inno Setup, a widely used Windows installer, is used to install the proxy application discreetly on compromised systems [2]. Once running, the proxy application communicates with a command and control server, relaying specific parameters and collecting critical information about the compromised system [2]. The monetization of these malware-infused proxy servers through affiliate programs poses a significant challenge [2].
The proxy service operates over 400,000 exit nodes [1] [4] [5], some of which are co-opted by malware without user knowledge [1] [4]. Malware writers are silently installing the proxy on infected systems [1] [4], often targeting users searching for cracked software and games [1] [4]. The proxy software targets both Windows and macOS [4], with the Windows version evading detection by carrying a valid digital signature [4]. The proxy also gathers information about the compromised systems and deploys additional malware or adware [4]. AdLoad adware is being used to corral compromised macOS machines into a residential proxy botnet [1] [4], potentially indicating a pay-per-install campaign [1] [4].

The rise of malware delivering proxy applications highlights the cunning tactics of adversaries [1] [4]. macOS systems have become a prized target [1] [4], with a surge in threat actors advertising information stealer strains and tools that can bypass macOS security functions [1] [4]. Mac users are predominantly targeted by Trojans [1] [4], Potentially Unwanted Applications [1] [4], and Adware [1] [3] [4]. EvilQuest is the most common malware targeting Macs [1] [4]. Trojans exploiting unpatched vulnerabilities pose a danger to users who delay installing security patches [4]. AdLoad malware has been found persisting on Mac systems [6], where it uses a new proxy application payload to turn infected devices into a proxy botnet [6]. This botnet involves thousands of IP addresses and is likely part of a monetization strategy by a company offering proxy services [6]. This highlights the evolving nature of cyber threats and the need for continued vigilance in protecting against them [6].
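From a defender's side, a host that has quietly become an exit node in a residential proxy botnet tends to look different from an ordinary workstation in network telemetry: it fans out to many unrelated external destinations and keeps a persistent connection to the relay that feeds it proxied requests. The following hunting heuristic is an added example, not code from the article or from the AT&T Alien Labs research it summarizes. It assumes flow logs already reduced to (timestamp, internal host, external peer, destination port) tuples; the sample flows, host and peer addresses, and thresholds are all constructed for illustration.

```python
import statistics
from collections import defaultdict


# Constructed flow records (not from the article): (epoch seconds, internal
# host, external peer, destination port). Three ordinary workstations each
# talk to a handful of sites; one host (10.0.0.50) fans out to 60 unrelated
# destinations while holding a persistent connection to a single relay peer.
def build_sample_flows():
    flows = []
    for host in ("10.0.0.11", "10.0.0.12", "10.0.0.13"):
        for i in range(8):
            flows.append((1000 + i * 60, host, f"203.0.113.{i + 1}", 443))
    for i in range(60):
        flows.append((1000 + i * 60, "10.0.0.50", f"192.0.2.{i + 1}", 443))
        flows.append((1000 + i * 60, "10.0.0.50", "198.51.100.7", 443))
    return flows


def profile_hosts(flows, persist_ratio=0.8, min_buckets=10):
    """Per host: number of distinct external peers (fan-out) and the peers
    present in at least persist_ratio of the host's active one-minute buckets.
    Persistence is only assessed once a host has min_buckets active minutes,
    so a host with a single flow is not trivially "persistent"."""
    peers = defaultdict(set)
    buckets = defaultdict(set)
    peer_buckets = defaultdict(lambda: defaultdict(set))
    for ts, host, peer, _port in flows:
        minute = ts // 60
        peers[host].add(peer)
        buckets[host].add(minute)
        peer_buckets[host][peer].add(minute)
    profiles = {}
    for host in peers:
        active = len(buckets[host])
        persistent = []
        if active >= min_buckets:
            persistent = sorted(
                p for p, b in peer_buckets[host].items()
                if len(b) / active >= persist_ratio
            )
        profiles[host] = {
            "fan_out": len(peers[host]),
            "active_minutes": active,
            "persistent_peers": persistent,
        }
    return profiles


def flag_proxy_candidates(profiles, factor=3.0):
    """Flag hosts whose fan-out exceeds factor x the fleet median AND that keep
    a persistent peer (assumed to be the relay a proxy node is tunnelled
    through). Requiring both conditions keeps busy but legitimate hosts out."""
    if not profiles:
        return []
    median = statistics.median(p["fan_out"] for p in profiles.values())
    return sorted(
        host for host, p in profiles.items()
        if p["fan_out"] > factor * median and p["persistent_peers"]
    )


if __name__ == "__main__":
    prof = profile_hosts(build_sample_flows())
    for host in flag_proxy_candidates(prof):
        print(host, prof[host])
```

On the constructed data only 10.0.0.50 is flagged (fan-out 61 against a fleet median of 8, with 198.51.100.7 present in every active minute). In practice the fleet median should be computed per host role, and a flagged host is a triage lead to be confirmed by looking at which process owns the persistent connection, not a verdict on its own.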

Conclusion

The distribution of proxy server applications through malware-infected devices poses a significant challenge. The use of malware to compromise exit nodes and silently install proxies demonstrates the cunning tactics of adversaries. The targeting of macOS systems and the rise of information stealer strains and tools that bypass security functions highlight the evolving nature of cyber threats. Mac users are particularly vulnerable to Trojans, Potentially Unwanted Applications [1] [4], and Adware [1] [3] [4]. The monetization of malware-infused proxy servers through affiliate programs further complicates the issue. It is crucial to remain vigilant and promptly install security patches to mitigate the risks posed by these threats.

References

[1] https://thehackernews.com/2023/08/this-malware-turned-thousands-of-hacked.html
[2] https://www.hackread.com/windows-macos-malware-proxy-nodes/
[3] https://www.linkedin.com/pulse/malware-turned-thousands-hacked-windows-macos-pcs-proxy
[4] https://www.redpacketsecurity.com/this-malware-turned-thousands-of-hacked-windows-and-macos-pcs-into-proxy-servers/
[5] https://gixtools.net/2023/08/this-malware-turned-thousands-of-hacked-windows-and-macos-pcs-into-proxy-servers/
[6] https://www.hivepro.com/adload-malware-persists-on-mac-systems-with-new-proxy-payload/