The search for new and more devious ways to make money is a neverending one for cybercriminals, and one of the more recent methods that some groups have adopted involves creating and releasing their own malicious proxyware application installers in order to install malware, cryptominers, and information stealers.
Proxyware apps are designed to allow individuals to sell access to their unused bandwidth by installing a client that then joins the app’s distributed network. Other individuals with lower bandwidth can then access higher speeds through the network. The apps offer payouts to users, but cybercrime groups have begun to take advantage of their growing popularity to make their own money. Researchers from Cisco Talos have uncovered a number of recent operations by various cybercriminals who have built trojaned installers for proxyware apps to gain a foothold on victim machines and then use that access for money making schemes.
“Throughout the course of this research, we identified a variety of different malware families being distributed under the guise of legitimate installers for applications like Honeygain. These trojanized installers enable adversaries to distribute threats like RATs, information stealers, and other malware to victims who believe they are installing legitimate applications,” researchers Edmund Brumaghin and Vitor Ventura wrote in a new report on the activity.
“In other cases, threat actors are distributing the proxyware applications to monetize victims’ network bandwidth for the purposes of generating revenue. We also observed malware that attempted to leverage victims’ CPU resources for mining cryptocurrency, while at the same time also monetizing their network bandwidth using proxyware applications.”
The methods and tactics used in these operations are commonly used to install malware, particularly the use of trojanized installers for what purport to be legitimate apps. Cybercriminals have been employing this technique for many years and it continues to be successful. And it makes sense for cybercriminals to shift this tactic to the emerging group of proxware apps, which are relatively new and not widely understood by many users.
“When I looked at the business model for these apps, it was really similar to cryptominers and it was an obvious choice for the bad guys to get involved,” Brumaghin said in an interview.
“They’re not as prevalent as cryptominers, but because these platforms are becoming more established, the adversaries are still in the early stages of adoption.”
For enterprises, the installation of any proxyware app on corporate machines could cause serious privacy and security concerns, given the shared usage model.
“We are already seeing serious abuse by threat actors that stand to make a significant amount of money off these attacks. These networks may also allow threat actors to obfuscate the source of their attacks, making them appear as if they are originating from legitimate corporate networks. Security analysts could struggle to analyze and/or respond to these attacks and render conventional network defenses that rely on reputation or IP-based blocklists ineffective,” the Talos analysis says.
Brumaghin said the abuse of proxyware platforms is likely just in its infancy.
“There’s no real barrier to entry for the criminals and the user base has gotten so large already,” he said.
This article was edited on Sept. 9 to clarify that the malicious installers are created by the attackers.