Attackers Are Selling Their Victims’ Internet Bandwidth
Report Claims Criminals Are Abusing Proxyware Service
Security firm Cisco Talos reported this week that cybercriminals have found a new way to make money from their victims, by abusing internet-sharing "proxyware" platforms such as Honeygain and Nanowire to illegally share their victim’s internet connection.
Cisco Talos researchers Edmund Brumaghin and Vitor Ventura report that malicious actors are silently installing proxyware services on a victim’s computer to hijack their bandwidth without alerting the victim.
The attackers also patch the client to stop any alerts that would warn the victim, and hide their presence by using Trojanized installers that install the legitimate platform client, the researchers say, adding that the attackers also install digital currency miners and information stealers.
"We believe attackers are highly likely to abuse these proxyware platforms, as they can be used to disguise an attacker's origin more efficiently than Tor, since the exit nodes cannot be cataloged," the researchers note.
Further problems for the victims can result, the researchers say, due to: "The abuse of their resources, eventually being blacklisted due to activities they don't even control, and it increases organizations' attack surface, potentially creating an initial attack vector directly on the endpoint."
Cisco Talos advises that wherever proxyware has been installed on corporate assets, the security team should be alerted. It suggests organizations should determine whether the applications are there due to a successful malware infection or because of a policy violation by an employee who installed them.
Regardless of the source, the researchers say proxyware software should be considered a potentially unwanted application or potentially unwanted program and should be dealt with in the same way as cryptocurrency mining software.
"Any organization could be at risk, as there are platforms that also allow data center-based internet sharing," Cisco Talos researchers note.
Nanowire did not have a spokesperson immediately available to comment. Honeygain issued a statement saying: "Honeygain has a separate Download page on its website containing all the latest software versions available for Windows, macOS, Linux, and Android. This is a legitimate and absolutely safe source. Unfortunately, as long as some people still opt for unauthorized sources like illegal websites or discussion boards, malicious actors can spread the infected versions of the installer. Honeygain repeatedly shares the advice to only download the app from the official sources in its public communication to prevent the users from encountering any safety risks."
A malware family identified by the researchers deploys a complete set of monetization methods. The report says: "It drops a patched version of the Honeygain client, an XMRig miner and an information stealer. On top of that, it seems to be evolving to also deploy a Nanowire client."
The researchers identified multiple methods by which the threat actors are increasing the effectiveness of their malware campaigns. They described how various types of malware were distributed via Trojanized installers for legitimate proxyware, such as Honeygain. These installers were then used to deliver RATs, information stealers and other malware. Legitimate installers were also delivered as a decoy alongside the malicious executables.
"We also observed malware that attempted to leverage victims' CPU resources for mining cryptocurrency, while at the same time also monetizing their network bandwidth using proxyware applications," the researchers note.
In one example, an attacker was distributing cryptocurrency mining malware disguised as a Honeygain installer. "The initial malware dropper was an installer bundle that was created using Smart Install Maker," report the researchers, adding that it used a multistage infection process deploying multiple distinct components.
On execution of the installer, various components are extracted into the %TEMP% directory on the system, according to the researchers. They note that the victim only sees the legitimate Honeygain installer, which has been executed along with the less obvious malicious components.
The researchers report that the malware stores two malicious files - setup_x86.exe and url.vbs - in the same directory, where it also "creates a working directory at C:\ProgramData\Microsoft\Windows\intelx86_driver and writes the main cryptocurrency mining dropper (iv.exe) into this directory. The dropped payload is then executed by the installer to run the payload and start the mining process."
The VBScript file is also executed by the initial installer process and is used to launch a web browser on the infected system and redirect the victim to a landing page associated with a Honeygain referral code, which the researchers suggest is tied to the malware author's account. Attackers can then generate revenue for each victim who uses the landing page to sign up for a Honeygain account.
Meanwhile, the initial installer "executes setup_x86.exe, which is used to achieve persistence and iv.exe - the cryptocurrency mining component - before terminating execution," the researchers say.
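A triage example for the question Talos tells security teams to answer (infection or policy violation), added here and not taken from the Talos report: it correlates the artifact names quoted above across per-host file and process events. The event schema, the sample records, the `Honeygain.exe` client name and the `AppData\Local\Temp` location for %TEMP% are assumptions.

```python
from pathlib import PureWindowsPath

# Artifact names as quoted in the report above.
TEMP_DROPS = {"setup_x86.exe", "url.vbs"}
MINER_DIR, MINER_NAME = "intelx86_driver", "iv.exe"
PROXYWARE = {"honeygain.exe"}  # assumed client binary name; adjust to your inventory

def _parts(path):
    # Windows paths are case-insensitive, so compare lowercased components.
    return [p.lower() for p in PureWindowsPath(path).parts]

def in_temp(parts):
    # Assumption: %TEMP% resolves to ...\AppData\Local\Temp for the user.
    return any(parts[i:i + 3] == ["appdata", "local", "temp"]
               for i in range(len(parts) - 2))

def indicators(events):
    """Collect which of the reported artifacts appear in a host's events."""
    found = set()
    for ev in events:
        parts = _parts(ev["path"])
        if not parts:
            continue
        name = parts[-1]
        if name in TEMP_DROPS and in_temp(parts):
            found.add(name)
        elif name == MINER_NAME and MINER_DIR in parts[:-1]:
            found.add("miner_dropper")
        elif name in PROXYWARE:
            found.add("proxyware")
    return found

def triage(events):
    """Separate a dropper-installed client from a user-installed one."""
    found = indicators(events)
    if found - {"proxyware"}:
        return "suspected-infection", sorted(found)
    if "proxyware" in found:
        return "policy-review", sorted(found)
    return "clean", []

# Constructed sample events (hypothetical schema: action + path).
HOST_A = [{"action": "exec", "path": r"C:\Program Files\Honeygain\Honeygain.exe"}]
HOST_B = [
    {"action": "exec", "path": r"C:\Users\alice\AppData\Local\Temp\setup_x86.exe"},
    {"action": "exec", "path": r"C:\Users\alice\AppData\Local\Temp\url.vbs"},
    {"action": "write", "path": r"C:\ProgramData\Microsoft\Windows\intelx86_driver\iv.exe"},
    {"action": "exec", "path": r"C:\Program Files\Honeygain\Honeygain.exe"},
]
HOST_C = [{"action": "exec", "path": r"D:\installers\setup_x86.exe"}]  # same name, not in %TEMP%
```

Either non-clean verdict still goes to the security team; the verdict only decides whether the host is handled as an incident or as a policy matter.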