Carding
AT&T Alien Labs discovered a massive campaign in which proxy applications were installed on at least 400,000 Windows computers. As a result, infected machines turned into residential proxies (without the knowledge and consent of their owners).
Residential proxies tend to use the IP addresses of ordinary users, not the address space of data centers, which makes them ideal for launching trading bots, as well as for attackers who want to “hide” in normal traffic, organize attacks such as credential stuffing and so on.
Some companies sell access to residential proxies and offer monetary rewards to users who agree to install proxy applications on their system.
However, AT&T Alien Labs researchers write that the 400,000 node proxy network they discovered was built using malware. Although the unnamed company behind the botnet claims that users gave their consent to install the proxy software, the researchers say the installation took place in the background and was hidden from human eyes.
“Because the proxy application is signed with a valid digital signature, it is not detected by antiviruses and remains out of the sight of security solutions,” the researchers add.
Infection begins with the launch of a loader that is hidden in cracked software and games. This downloader automatically fetches and installs the proxy application in the background without any user interaction. The authors of the malware use Inno Setup with certain parameters that hide any indicators of the installation process and all the usual prompts shown in such cases.
Installation and persistence in the system
During the installation of the proxy client, the malware passes certain parameters to its command and control server so that the new client can be registered and included in the botnet.
The proxy client persists on the infected system by adding itself to the registry so that it is started every time the system boots, and also creates a scheduled task to check for updates.
“After that, the proxy server continuously collects important information about the [victim's] machine to ensure optimal performance and response time,” experts say. “Data collection includes everything from process listing and CPU monitoring to memory usage and even battery monitoring.”
Data collection
Among the indicators of compromise, the experts list the Digital Pulse executable in %AppData%\ and a registry value with the same name under HKCU\Software\Microsoft\Windows\CurrentVersion\Run\. If either is found, the researchers recommend removing it.
The name of the scheduled task mentioned above is DigitalPulseUpdateTask and should also be removed to prevent re-infection through a client update.
In general, to protect against such attacks, researchers advise avoiding downloading pirated software and running executable files from dubious sources.
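As an added example (not part of the post or the AT&T Alien Labs report), the following PowerShell script audits a Windows host for the three indicators listed above: a "Digital Pulse" executable under %AppData%, a Run value of the same name, and the DigitalPulseUpdateTask scheduled task. It only reports by default and removes the items when run with -Remove; the file-name pattern is an assumption, since the post gives the product name but not the exact file name.

```powershell
# Added example: audit a host for the Digital Pulse proxy-client indicators.
# Run as the user whose profile is being checked (the Run key and %AppData% are per-user).
param([switch]$Remove)

$pattern  = 'Digital\s*Pulse'   # assumed name pattern; the exact file name is not in the post
$findings = @()

# 1. Executable under %AppData% ("Digital Pulse executable in %AppData%\")
$appData = [Environment]::GetFolderPath('ApplicationData')
Get-ChildItem -Path $appData -Filter '*.exe' -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match $pattern } |
    ForEach-Object {
        # Record the signer: the post notes the client carries a valid signature,
        # so "signed" must not be treated as "benign" during triage.
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        $findings += [pscustomobject]@{ Type = 'File'; Location = $_.FullName
                                        Detail = "$($sig.Status) / $($sig.SignerCertificate.Subject)" }
        if ($Remove) { Remove-Item -LiteralPath $_.FullName -Force }
    }

# 2. Run value with the same name under HKCU ...\Run (boot-time persistence)
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    $run.PSObject.Properties |
        Where-Object { $_.Name -match $pattern -or "$($_.Value)" -match $pattern } |
        ForEach-Object {
            $findings += [pscustomobject]@{ Type = 'RunValue'; Location = "$runKey\$($_.Name)"
                                            Detail = $_.Value }
            if ($Remove) { Remove-ItemProperty -Path $runKey -Name $_.Name }
        }
}

# 3. Scheduled task DigitalPulseUpdateTask (the update channel that can re-infect the host)
$task = Get-ScheduledTask -TaskName 'DigitalPulseUpdateTask' -ErrorAction SilentlyContinue
if ($task) {
    $actions = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
    $findings += [pscustomobject]@{ Type = 'Task'; Location = $task.TaskPath + $task.TaskName
                                    Detail = $actions }
    if ($Remove) { Unregister-ScheduledTask -TaskName $task.TaskName -Confirm:$false }
}

if ($findings) { $findings | Format-Table -AutoSize -Wrap }
else           { 'No Digital Pulse indicators found for this user.' }
```

Remove the scheduled task together with the executable and the Run value; leaving the task behind lets the client be re-downloaded, as the post warns.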
