Adversaries Abusing Proxyware Platforms
Cyble Research and Intelligence Labs discovered a fake site spreading Proxyware. Proxyware, also known as an internet-bandwidth-sharing application, allows users to earn money by sharing a percentage of their internet bandwidth with the organizations that developed these applications. This site is disguised as an online streaming site and claims to provide free access to over 1500 channels worldwide through its desktop application. The Threat Actors (TAs) are targeting Windows users with this campaign. The figure below shows the fake streaming site.

During further investigation, we found that the application hosted on this fake streaming site silently drops and installs Proxyware malware named “CoinSurf”. The application does not provide any streaming service. The dropper file installs the Proxyware using Squirrel, a framework for installing and updating desktop applications.
Detection Evasion Technique:
After installation, the Proxyware executes the PowerShell command “Add-MpPreference -ExclusionPath” to exclude the following folders from Windows Defender scheduled and real-time scanning:
- AppData\Local\CoinSurf\app-1.0.13
- AppData\Roaming\CoinSurf
The image below shows the process tree of the infection.

Persistence:
The Proxyware now creates persistence by adding its path in the following registry key to automatically start itself whenever the user logs in:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
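The two host artefacts described above, a Defender path exclusion and an HKCU Run entry, are both cheap to audit. The script below is an added example, not code from the Cyble report or from CoinSurf: it lists Defender exclusions, pulls the Defender configuration-change events (Event ID 5007) that record when an exclusion was added, and enumerates the per-user Run key, flagging anything under an AppData folder or containing the “CoinSurf” name. The function name, the regex patterns and the event-log check are this example's own assumptions; the folder and product names come from the report.

```powershell
# Added example, not from the Cyble report: audit a Windows host for the two
# artefacts described above, a Defender path exclusion and an HKCU Run entry.
# The "CoinSurf" name and the AppData folders come from the report; the
# function name, the regexes and the event-log check are this example's own.

function Find-ProxywareArtifacts {
    param(
        # Name fragment to flag anywhere in an exclusion or Run value.
        [string]$SuspectName = 'CoinSurf',
        # Regex: paths living under a user profile. Legitimate exclusions and
        # autostart entries there are uncommon, so they deserve a second look.
        [string]$ProfilePathPattern = '\\AppData\\(Local|Roaming)\\'
    )

    $findings = New-Object System.Collections.Generic.List[object]

    # 1. Current Defender exclusions. "Add-MpPreference -ExclusionPath" ends up here.
    $exclusions = (Get-MpPreference -ErrorAction SilentlyContinue).ExclusionPath
    foreach ($path in @($exclusions)) {
        if ($path -match $ProfilePathPattern -or $path -match $SuspectName) {
            $findings.Add([pscustomobject]@{
                Source = 'Defender ExclusionPath'
                Value  = $path
                Note   = 'Exclusion under a user profile folder'
            })
        }
    }

    # 2. Defender operational log. Event ID 5007 ("configuration has changed")
    #    records each added exclusion with a timestamp, which gives the timeline
    #    even after the exclusion has been removed again.
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'
        Id      = 5007
    } -ErrorAction SilentlyContinue
    foreach ($evt in @($events)) {
        if ($evt.Message -match 'Exclusions\\Paths\\([^\r\n=]+)') {
            $findings.Add([pscustomobject]@{
                Source = 'Defender event 5007'
                Value  = $Matches[1].Trim()
                Note   = "Exclusion path changed at $($evt.TimeCreated)"
            })
        }
    }

    # 3. Per-user Run key used for persistence.
    $runKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $run      = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    $metadata = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    if ($run) {
        foreach ($prop in $run.PSObject.Properties) {
            if ($metadata -contains $prop.Name) { continue }   # skip provider metadata
            $cmd = [string]$prop.Value
            if ($cmd -match $ProfilePathPattern -or $cmd -match $SuspectName) {
                $findings.Add([pscustomobject]@{
                    Source = "Run key value '$($prop.Name)'"
                    Value  = $cmd
                    Note   = 'Autostart command under a user profile folder'
                })
            }
        }
    }

    return $findings
}

# Usage: print the findings, or pipe to Export-Csv for a fleet-wide collection.
Find-ProxywareArtifacts | Format-Table -AutoSize -Wrap
```

Run it in an elevated session so that the Defender operational log is readable. An empty result only says the current user's Run key and the current exclusion list are clean; the 5007 events are what show an exclusion that was added and later removed.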

Network Communication:
Our investigation indicates that the Proxyware installed on the victim’s machine is not the original CoinSurf application. Nonetheless, it connects to the original CoinSurf site for authentication, indicating that the TA has customized this proxyware binary. The authentication request uses the TA’s own login credentials, so that every infected device is linked to the same TA profile. This lets the TA pool the internet bandwidth of many devices and earn money easily. The image below shows the Proxyware authentication using a POST request.

After authentication, this Proxyware receives its configuration from the server, as shown in the figure below. The configuration contains the client settings needed to perform the Proxyware operation.

The figure below shows the TA’s CoinSurf profile, which was created recently, indicating that the campaign is at the initial stage.

The figure below shows the network activity done by the Proxyware.

Conclusion
Adversaries are actively abusing Proxyware for monetary gain. In this campaign we have also seen how TAs try to infect many users using fake sites. There have been incidents in the past where TAs infected victims with Proxyware as well as with CoinMiners. The use of Proxyware on corporate networks might also result in a bad IP reputation.
Our Recommendations
We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:
How to prevent malware infection?
- Avoid downloading pirated software from warez/torrent websites. The “Hack Tools” offered on sites such as YouTube and torrent sites contain such malware.
- Use a reputed anti-virus and internet security software package on your connected devices, including PC, laptop, and mobile.
- Refrain from opening untrusted links and email attachments without first verifying their authenticity.
- Educate employees about protecting themselves from threats like phishing and untrusted URLs.
- Identify the applications with auto-execute permission by going through System settings > Startup Apps.
- Block URLs that could be used to spread the malware, e.g., Torrent/Warez.
- Monitor beacons at the network level to block unnecessary internet connections.
MITRE ATT&CK® Techniques
Tactic | Technique ID | Technique Name |
--- | --- | --- |
Initial Access | T1189 | Drive-by Compromise |
Execution | T1204 | User Execution |
Persistence | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
Discovery | T1012 | Query Registry |
Discovery | T1082 | System Information Discovery |
Indicators of Compromise (IOCs)
Indicators | Indicator type | Description |
--- | --- | --- |
ec95825c3940a10ea74a833cbf7e1667 | MD5 | Dropper |
383e0d797a2eed678b60eebff3fdbcd99b55fa61 | SHA1 | Dropper |
29c7ddeefe862a053b9eac65af95fcfbe736e5e46e73276ac399f1903af3ed3e | SHA256 | Dropper |
3094c87436d64d172b159178f1a60707 | MD5 | Dropper |
caac51c7fd57b5ebcaded2cc3765660f82d83dfe | SHA1 | Dropper |
37696d1d18500725531bdda8ea72949736ebf24d349ff7bceee6799ed7bf19fd | SHA256 | Dropper |
streamtvbox[.]net | Domain | Fake Site |
http[:]//streamtvbox[.]net/StreamTVBox[.]exe | URI | Malicious URI |
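The indicators above can be turned into a quick single-host sweep. The script below is an added example, not code from the Cyble report: it hashes executables in the folders where a user-run dropper typically lands and compares them against the two SHA256 values, checks whether the CoinSurf drop folders exist, and looks for the fake site's domain in the DNS client cache. The hash values, folder names and domain are the report's; the function name and the choice of folders to scan are assumptions.

```powershell
# Added example, not from the Cyble report: sweep a single host for the
# indicators listed above. Hash values, folder names and the domain are the
# report's; the function name and the folders searched are assumptions.

function Invoke-ProxywareIocSweep {
    param(
        # Assumption: a user-run dropper usually lands in Downloads or a temp folder.
        [string[]]$ScanRoots = @("$env:USERPROFILE\Downloads", $env:TEMP)
    )

    # SHA256 values of the two droppers from the IOC table.
    $droppersSha256 = @(
        '29c7ddeefe862a053b9eac65af95fcfbe736e5e46e73276ac399f1903af3ed3e'
        '37696d1d18500725531bdda8ea72949736ebf24d349ff7bceee6799ed7bf19fd'
    )
    $fakeSiteDomain = 'streamtvbox.net'
    # Folders the dropper creates and excludes from Defender scanning.
    $dropFolders = @(
        "$env:LOCALAPPDATA\CoinSurf\app-1.0.13"
        "$env:APPDATA\CoinSurf"
    )

    $hits = New-Object System.Collections.Generic.List[object]

    # 1. Hash every executable under the scan roots against the dropper hashes.
    Get-ChildItem -Path $ScanRoots -Filter *.exe -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sha256 = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash.ToLower()
            if ($droppersSha256 -contains $sha256) {
                $hits.Add([pscustomobject]@{ Type = 'File hash'; Value = $_.FullName; Detail = $sha256 })
            }
        }

    # 2. Presence of the drop folders, whether or not the binary is still there.
    foreach ($folder in $dropFolders) {
        if (Test-Path -LiteralPath $folder) {
            $hits.Add([pscustomobject]@{ Type = 'Drop folder'; Value = $folder; Detail = 'exists' })
        }
    }

    # 3. Resolver cache: a cached lookup of the fake site means this host visited it.
    Get-DnsClientCache -ErrorAction SilentlyContinue |
        Where-Object { $_.Entry -like "*$fakeSiteDomain*" } |
        ForEach-Object {
            $hits.Add([pscustomobject]@{ Type = 'DNS cache'; Value = $_.Entry; Detail = $_.Data })
        }

    return $hits
}

$result = Invoke-ProxywareIocSweep
if ($result.Count -eq 0) { 'No indicators found.' } else { $result | Format-Table -AutoSize -Wrap }
```

The DNS cache check only covers lookups made since the last cache flush or reboot, so treat a miss there as inconclusive and rely on proxy or DNS server logs for the network side; the file hashes are exact matches and will not catch a rebuilt dropper, which is why the drop-folder check is included as well.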