Adversaries Abusing Proxyware Platforms
Cyble Research and Intelligence Labs discovered a fake site spreading Proxyware. Proxyware, also known as an Internet-bandwidth-sharing application, lets users earn money by sharing a percentage of their internet bandwidth with the organization that developed the application. The site is disguised as an online streaming service and claims to offer free access to over 1500 channels worldwide through its desktop application. The Threat Actors (TAs) behind this campaign are targeting Windows users. The figure below shows the fake streaming site.
On further investigation, we found that the application hosted on this fake streaming site silently drops and installs a Proxyware named “CoinSurf”; it provides no streaming service at all. The dropper installs the Proxyware using Squirrel, a framework for installing and updating desktop applications.
Detection Evasion technique:
After installation, the Proxyware executes the PowerShell command “Add-MpPreference -ExclusionPath”, which adds the following folders to the Windows Defender exclusion list so that neither scheduled nor real-time scanning inspects them (modifying Defender preferences this way requires an elevated, administrator-level context):
The image below shows the process tree of the infection.
The Proxyware then establishes persistence by adding its path to the following registry Run key, so that it starts automatically whenever the user logs in:
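The two behaviours above (a Defender exclusion added through Add-MpPreference -ExclusionPath, followed by a Run-key entry pointing into the excluded folder) are exactly what endpoint telemetry should be correlating. The detector below is an added example, not code from the original report or from Cyble; it runs over a handful of constructed Sysmon-style events (Event ID 1 process creation, Event ID 13 registry value set). The user name, folder and product name (“victim”, “StreamPlayer”) and the registry SID are hypothetical placeholders, and the severity scale is this example's own convention.

```python
import re
from typing import Dict, List

# Constructed Sysmon-style events (not from the original report). Event ID 1 is
# process creation, Event ID 13 is a registry value being set. "victim" and
# "StreamPlayer" are hypothetical placeholders, as is the SID under HKU.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"id": 1,
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "parent_image": "C:\\Users\\victim\\AppData\\Local\\StreamPlayer\\StreamPlayer.exe",
     "command_line": "powershell.exe -Command \"Add-MpPreference -ExclusionPath "
                     "'C:\\Users\\victim\\AppData\\Local\\StreamPlayer', "
                     "'C:\\ProgramData\\StreamPlayer'\""},
    {"id": 13,
     "image": "C:\\Users\\victim\\AppData\\Local\\StreamPlayer\\StreamPlayer.exe",
     "target_object": "HKU\\S-1-5-21-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\StreamPlayer",
     "details": "C:\\Users\\victim\\AppData\\Local\\StreamPlayer\\StreamPlayer.exe"},
    {"id": 13,  # benign autostart entry for contrast
     "image": "C:\\Windows\\System32\\msiexec.exe",
     "target_object": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\SecurityHealth",
     "details": "C:\\Windows\\System32\\SecurityHealthSystray.exe"},
    {"id": 1,   # ordinary PowerShell use, must not fire
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "parent_image": "C:\\Windows\\explorer.exe",
     "command_line": "powershell.exe -Command Get-Process"},
]

# Set-MpPreference -ExclusionPath replaces the list instead of appending to it,
# but has the same effect for the attacker, so both cmdlets are matched.
EXCLUSION_RE = re.compile(r"(?:Add|Set)-MpPreference\b.*?-ExclusionPath\s+(.*)", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.IGNORECASE)
USER_WRITABLE_RE = re.compile(r"\\(?:AppData|ProgramData|Temp)\\", re.IGNORECASE)


def exclusion_paths(command_line: str) -> List[str]:
    """Return the folders a command line hands to -ExclusionPath, or [] if none."""
    m = EXCLUSION_RE.search(command_line)
    if not m:
        return []
    rest = m.group(1)
    # Stop at the next PowerShell parameter (e.g. " -Force"), if one follows.
    rest = re.split(r"\s+-[A-Za-z]", rest, maxsplit=1)[0]
    paths = []
    for part in rest.split(","):
        # Strip the path's own quotes and any stray quote closing -Command "...".
        p = part.strip().strip("'\"").strip()
        if p:
            paths.append(p)
    return paths


def is_run_key(target_object: str) -> bool:
    """True for values under ...\\CurrentVersion\\Run or \\RunOnce (HKLM or HKU/HKCU)."""
    return RUN_KEY_RE.search(target_object) is not None


def detect(events: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Flag Defender exclusions (T1562.001) and Run-key persistence (T1547.001),
    rating a Run-key entry higher when its binary lives in an excluded folder."""
    findings: List[Dict[str, object]] = []
    # Pass 1: collect exclusions first so correlation works regardless of event order.
    excluded_dirs: List[str] = []
    for ev in events:
        if ev["id"] != 1:
            continue
        for p in exclusion_paths(str(ev.get("command_line", ""))):
            excluded_dirs.append(p.rstrip("\\").lower() + "\\")
            findings.append({"technique": "T1562.001", "what": "Defender exclusion added",
                             "path": p, "by": ev.get("parent_image")})
    # Pass 2: Run/RunOnce values, rated by where the autostart binary lives.
    for ev in events:
        if ev["id"] != 13 or not is_run_key(str(ev.get("target_object", ""))):
            continue
        target = str(ev.get("details", ""))
        if any(target.lower().startswith(d) for d in excluded_dirs):
            severity = "high"    # autostart binary sits inside a freshly excluded folder
        elif USER_WRITABLE_RE.search(target):
            severity = "medium"  # user-writable location, typical for droppers
        else:
            severity = "low"
        findings.append({"technique": "T1547.001", "what": "Run key persistence",
                         "key": ev["target_object"], "value": target, "severity": severity})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f)
```

The correlation in the second pass is the useful part: a Defender exclusion or a Run-key entry on its own is noisy (installers do both legitimately), but an autostart value whose target sits inside a folder that was just excluded is the signature this campaign leaves on a host. The same logic transfers to real Sysmon or EDR output once the field names are mapped onto the event schema in use.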
Our investigation indicates that the Proxyware installed on the victim’s machine is not the original CoinSurf application. It nonetheless connects to the legitimate CoinSurf site for authentication, indicating that the TA customized the binary. The authentication request carries the TA’s own login credentials, so every infected device is linked to the same TA profile. This lets the TA pool the bandwidth of many devices and monetize it at scale. The image below shows the Proxyware authenticating with a POST request.
After authentication, the Proxyware receives its configuration from the server, as shown in the figure below. The configuration contains the client settings used to carry out the Proxyware operation.
The figure below shows the TA’s CoinSurf profile, which was created recently, indicating that the campaign is at an early stage.
The figure below shows the network activity generated by the Proxyware.
Adversaries are actively abusing Proxyware for monetary gain. This campaign also shows TAs attempting to infect large numbers of users through fake sites. In past incidents, TAs have infected victims with Proxyware alongside CoinMiners. Proxyware running on a corporate network can also damage the organization’s IP reputation, since third-party traffic is routed through the organization’s addresses.
We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:
How to prevent malware infection?
- Avoid downloading pirated software from warez/torrent websites. “Hack tools” promoted on sites such as YouTube and torrent sites frequently carry this kind of malware.
- Use a reputed anti-virus and internet security software package on your connected devices, including PCs, laptops, and mobile devices.
- Refrain from opening untrusted links and email attachments without first verifying their authenticity.
- Educate employees on protecting themselves from threats such as phishing and untrusted URLs.
- Identify applications with auto-execute permission by going to System settings > Startup Apps.
- Block URLs that could be used to spread malware, e.g., torrent/warez sites.
- Monitor beaconing at the network level and block unnecessary outbound connections.
MITRE ATT&CK® Techniques
|Tactic||Technique ID||Technique Name|
|Initial Access||T1189||Drive-by Compromise|
|Persistence||T1547.001||Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder|
|Defense Evasion||T1562.001||Impair Defenses: Disable or Modify Tools|
|Discovery||T1012||Query Registry|
|Discovery||T1082||System Information Discovery|
Indicators of Compromise (IOCs)