Proxyware platforms are increasingly targeted in cybercrime operations aimed at distributing malware or at monetizing the internet bandwidth of victims, according to Cisco’s Talos research and intelligence unit.
With the help of proxyware platforms, users can share their unused Internet bandwidth. For that, they download and install a client application that joins their system to a network operated by the platform provider, which sells access to the network to other users who want to circumvent certain restrictions.
While users typically join proxyware networks for monetary gain, the use of such platforms comes with multiple security risks, including the possible interception of unencrypted traffic, or service degradation due to being banned on certain online services.
Despite such issues, the popularity of these platforms has increased rapidly over the past several years, with hundreds of thousands of users already joining them.
Legitimate users, however, aren’t the only ones to show increasing interest in proxyware platforms. Talos security researchers say they have seen numerous malware campaigns specifically targeting the users of these services.
The researchers observed several malware campaigns in which trojanized installers for proxyware applications are used to distribute RATs, information stealers, and other types of malware. In other campaigns, threat actors distribute proxyware applications to abuse the victims’ network bandwidth for generating revenue, or to distribute cryptominers while also monetizing the network bandwidth.
Typically, the malicious installers drop the legitimate application to avoid raising suspicion. In the background, however, they also install malware. In some cases, the cybercriminals distribute malware that installs proxyware and attempts to register devices using the attacker’s account.
In some instances, Talos’ researchers saw attempts to use multiple methods for monetizing successful infections, such as a multi-stage malware campaign delivering an information stealer, malware to mine for cryptocurrency, and a proxyware application to generate revenue.
“This is a textbook example of the varied approaches available to adversaries. Attackers are no longer content with simply deploying cryptocurrency mining to make money — they are now also stealing sensitive data and monetizing network bandwidth, all at the same time,” the researchers say.
Overall, Talos notes, proxyware should be considered potentially unwanted applications (PUA) given the various security risks they introduce, especially when it comes to enterprise environments.
“These relatively new platforms were built with a legitimate purpose, but attackers quickly found ways to abuse them. […]Due to the various risks associated with these platforms, it is recommended that organizations consider prohibiting the use of these applications on corporate assets,” Talos concludes.