cyber daily logo

Breaking news and updates daily. Subscribe to our Newsletter

Breaking news and updates daily. Subscribe to our Newsletter X facebook linkedin Instagram

Massive proxy campaign infecting 400,000 machines discovered

Researchers have uncovered a massive malware campaign that has created a botnet out of 400,000 infected machines.

user icon David Hollingworth
Fri, 18 Aug 2023
Massive proxy campaign infecting 400,000 machines discovered
expand image

According to AT&T’s cyber security blog, malware writers are taking advantage of what appears to be a paid, opt-in proxy service, but without the opt-in part.

The malware is properly signed, so it skirts around antivirus protection, and it has disabled the usual pop-up that asks if users wish to go ahead with installation or not. The proxies are also being delivered by a raft of different malware types and are probably spread by users looking for cracked versions of games and popular software.

“After being executed on a compromised system, the malware proceeds to quietly download and install the proxy application,” said researchers at AT&T’s Alien Labs. “This covert process takes place without requiring any user interaction and often occurs alongside the installation of additional malware or adware elements.”

The set-up file creates two executables, one to communicate with the proxy’s command and control infrastructure and another to check for and download updated proxy applications. Persistence is maintained by creating a registry key and a scheduled task in Windows.

The proxy itself gathers a large amount of unique data from the host machine, including what processes are running and monitoring CPU usage.

What’s particularly troubling is that the paid service is making money from traffic moving through the proxy network.

“The rise of malware delivering proxy applications as a lucrative investment, facilitated by affiliate programs, highlights the cunning nature of adversaries’ tactics,” said the Alien Labs team in a blog post.

“These proxies, covertly installed via alluring offers or compromised software, serve as channels for unauthorised financial gains.”

Comments powered by CComment

cd intro podcast

Introducing Cyber Daily, the new name for Cyber Security Connect

Click here to learn all about it
cyber daily subscribe
Be the first to hear the latest developments in the cyber industry.