Researchers have recently revealed the existence of a vast and alarming Node Proxy Botnet. This network encompasses over 400,000 Windows systems, all infected with devious malware. The hidden operations of this botnet, along with its impacts and means of protection, are discussed below.
Stealthy Creation of Residential Proxies
The uncovered campaign is responsible for delivering proxy server applications to 400,000 Windows systems. These devices serve as residential exit nodes without the knowledge or approval of the users. A certain company profits by charging for the proxy traffic flowing through these systems.
These residential proxies hold value for cyber criminals. They provide new IP addresses that aid in large-scale credential stuffing attacks. But they also have legal uses like verifying ads, scraping data, testing websites, or improving privacy by rerouting.
Some firms trade access to residential proxies. They even pay users willing to share their bandwidth.
Details of the 400,000 Node Proxy Botnet Network
Today, AT&T Alien Labs published a report. It explains how the huge proxy network was created by deploying malicious payloads that delivered the proxy app.
The company running the botnet claims users gave consent. But researchers found that the proxy was silently installed.
The researchers also note that the proxy application triggers no anti-virus detection, so it escapes the notice of security companies.
This same company manages exit nodes made by a nasty payload known as AdLoad. It targeted macOS systems, as reported by AT&T last week.
Interestingly, both the macOS and Windows binaries stem from the same source code. But the Windows proxy client avoids detection through a valid digital signature.
The Infection Process of Proxyware
The infection begins with the execution of a hidden loader in cracked software or games. It automatically downloads and installs the proxy app without the user’s knowledge.
The malware creators employ Inno Setup with special parameters. These hide any sign of the installation process and all typical user alerts.
Once the proxy client is installed, the malware sends specific parameters to the command and control server. This registers the new client and adds it to the botnet.
The proxy client then maintains persistence on the infected system. It creates a registry key to activate on system boot and a scheduled task to look for updates.
According to the AT&T report, the proxy continually collects vital information from the machine. It monitors everything from the process list to CPU, memory use, and even battery status.
How to Stay Protected Against Node Proxy Botnet
AT&T advises checking for an executable named “Digital Pulse” at “%AppData%” or a similarly named Registry key. One should remove these.
The scheduled task named “DigitalPulseUpdateTask” must also be deleted to prevent re-infection.
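The persistence mechanisms described above (a Run registry entry and the "DigitalPulseUpdateTask" scheduled task) and the AT&T clean-up steps can be turned into a repeatable host check. The following PowerShell script is an added example written for this article; it is not code from AT&T Alien Labs or from the report. It assumes the executable sits somewhere under %AppData% and that the "similarly named Registry key" is a Run entry under HKCU or HKLM; both are assumptions, since the article does not give the exact paths. By default it only reports; pass -Remediate to remove what it finds.

```powershell
# Added example, not from the AT&T report. Hunts for the three indicators named
# in the article (a "Digital Pulse" executable under %AppData%, a similarly named
# Run entry, and the DigitalPulseUpdateTask scheduled task) and optionally removes
# them. Locations of the file and Registry entry are assumptions; adjust as needed.
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$Remediate   # without this switch the script only reports
)

$findings = @()

# 1. Executable named "Digital Pulse" under %AppData% (assumed location)
$appData = [Environment]::GetFolderPath('ApplicationData')
Get-ChildItem -Path $appData -Recurse -File -Filter '*Digital Pulse*' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $findings += [pscustomobject]@{ Type = 'File'; Location = $_.FullName; Key = $null; Name = $null }
    }

# 2. Run entries whose name or command line mentions Digital Pulse (assumed location)
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own PSPath/PSParentPath metadata
        if ($p.Name -like '*Digital*Pulse*' -or "$($p.Value)" -like '*Digital*Pulse*') {
            $findings += [pscustomobject]@{
                Type = 'Registry'; Location = "$key\$($p.Name) = $($p.Value)"; Key = $key; Name = $p.Name
            }
        }
    }
}

# 3. The update task the article names (exact task name from the AT&T advice)
$task = Get-ScheduledTask -TaskName 'DigitalPulseUpdateTask' -ErrorAction SilentlyContinue
if ($task) {
    $cmd = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
    $findings += [pscustomobject]@{
        Type = 'ScheduledTask'; Location = "$($task.TaskPath)$($task.TaskName) -> $cmd"; Key = $null; Name = $null
    }
}

if (-not $findings) {
    Write-Host 'No Digital Pulse indicators found.'
    return
}
$findings | Select-Object Type, Location | Format-Table -AutoSize

if (-not $Remediate) { return }

# Remove the update task first so it cannot re-install the client, then the
# autorun entry, then stop any running copy and delete the file itself.
foreach ($f in $findings | Where-Object Type -eq 'ScheduledTask') {
    if ($PSCmdlet.ShouldProcess($f.Location, 'Unregister scheduled task')) {
        Unregister-ScheduledTask -TaskName 'DigitalPulseUpdateTask' -Confirm:$false
    }
}
foreach ($f in $findings | Where-Object Type -eq 'Registry') {
    if ($PSCmdlet.ShouldProcess($f.Location, 'Remove Run entry')) {
        Remove-ItemProperty -Path $f.Key -Name $f.Name -ErrorAction Stop
    }
}
foreach ($f in $findings | Where-Object Type -eq 'File') {
    Get-Process -ErrorAction SilentlyContinue |
        Where-Object { $_.Path -and $_.Path -eq $f.Location } |
        ForEach-Object {
            if ($PSCmdlet.ShouldProcess("$($_.ProcessName) (PID $($_.Id))", 'Stop process')) {
                Stop-Process -Id $_.Id -Force
            }
        }
    if ($PSCmdlet.ShouldProcess($f.Location, 'Delete file')) {
        Remove-Item -Path $f.Location -Force
    }
}
```

Run it from an elevated PowerShell session (the HKLM Run key and the scheduled task need administrator rights), first without -Remediate to review what is found, then with -Remediate -WhatIf to preview the removals, and finally with -Remediate. The filename and Registry patterns are deliberately loose so that small variations in naming are still reported; anything the script lists should be confirmed by hand before deletion.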
Lastly, one should steer clear of downloading pirated software. Avoid running executables from dubious sources like peer-to-peer networks or sites offering premium software for free.
Signs of proxyware infection may include reduced performance and internet speed, unexpected network traffic patterns, constant communication with unknown IPs or domains, and system warnings.