)
Researchers recently observed a proxy botnet that has infected an estimated 10,000 devices throughout the world. Threat actors use the botnet to transform victim devices into tools for forwarding malicious traffic. Cybersixgill detected significant activity related to two related malware loaders, which are used to deploy the botnet.
THE HEADLINE
Security researchers recently discovered a proxy[1] botnet that threat actors use to spread malware, launch distributed-denial-of-service[2] (DDoS) attacks, and carry out other malicious activities. Ultimately, botnets such as this one transform infected devices into proxies for malicious traffic, creating networks of compromised devices (e.g, laptops, routers, mobile devices, etc.), which threat actors direct via central command-and-control[3] (C2) servers.
The proxy botnet initially emerged as early as 2016, but has maintained a low profile in the intervening years. The botnet is licensed on a daily, monthly, and quarterly basis, with two subscription tiers (standard and VIP) and cryptocurrency payments accepted on the anonymous Cryptomus gateway. Prices range from $1 (a single thread for one day) to $4,000 (5,000 threads for three months). VIP subscriptions offer multiple proxy types (SOCKS4, SOCKS5, or HTTP). Threat actors provide the botnet with IP addresses from which proxy traffic will originate, which are added to the bot's whitelist.
Researchers identified an expansive botnet control infrastructure of over 50 servers, located primarily in France, Holland, Sweden, and Bulgaria, with infected devices detected in the U.S, South Africa, Nigeria, Brazil, and Colombia. In total, the botnet has reportedly infected over 10,000 devices throughout the world.
In the initial stages of attacks, the botnet was observed using two popular malware loaders, which are spread through phishing campaigns and malvertising[4], among other methods. In the past, one of the loaders was linked to a dual Russian and Canadian national whom the U.S. Department of Justice charged with deploying ransomware in attacks against critical infrastructure and large industrial conglomerates. His victims allegedly included a German auto parts manufacturer and a U.S.-based semiconductor manufacturer.
DIVING DEEPER
Cybersixgill observed significant activity on the dark web related to the malware loaders used by the botnet. This includes the post below (Figure 1) on a popular encrypted instant messaging platform, which was posted on a channel that caters to individuals seeking stealer[5] malware and other crimeware. The Russian-language channel had around 4,400 subscribers when the post below appeared.
In this discussion, channel subscribers discussed strategies for social engineering campaigns, with the ultimate goal of installing remote access trojans[6] (RATs) and stealers. One user suggested using loaders, specifically recommending one of the botnet-linked loaders. The user directed the inquiring subscriber to two popular Russian-language cybercrime forums where the loaders can be purchased. This exchange reflects the demand for effective malware loaders, which threat actors use to initiate attack chains that involve social engineering RAT deployment.
Figure 1: A discussion about a malware loader related to the botnet
In addition, Cybersixgill also detected a discussion on a popular Russian cybercrime forum in which threat actors assessed various strains of malware, including one of the aforementioned loaders and a stealer malware. A forum member discussed their use of the malware loader while testing the private crypter[7] that the discussion focused on. The discussion was largely devoted to evading security tools and antivirus products and the malware loader was mentioned as part of a threat actor’s toolkit to launch the initial stages of the attack chain.
Figure 2: A malware loader discussed on a popular Russian cybercrime forum
TAKEAWAYS
Malware loaders continue to circulate on the underground, offering advanced capabilities that make them potent tools in the hands of threat actors. Similarly, proxy botnets are helping threat actors generate profits, while significantly undermining internet security and contributing to bandwidth hijacking.
In light of the constant emergence of new tools, organizations must protect against cyber threats by implementing multi-factor-authentication (MFA) on all login portals, maintaining up-to-date security software and avoiding downloads from untrustworthy websites. When file execution from questionable sources may is hard to avoid, running programs in a secure environment, such as a sandbox or virtual machine, is essential to protect against malicious software designed to steal sensitive data.
[1] Attackers use proxy botnets to facilitate various stages of attack chains, from DDoS attacks to malware deployment.
[2] A distributed-denial-of-service (DDoS) attack disrupts the normal traffic of a targeted server, service or network by overwhelming the target or its surrounding infrastructure with a flood of fake internet traffic.
[3] Threat actors use command-and-control (C2) servers to send commands to compromised systems and receive stolen data from target networks.
[4] Malvertising delivers malware and viruses when victims click on malicious advertisements that appear to be legitimate ads.
[5] As its name implies, stealer malware steals sensitive information from infected computers, including login credentials, financial information, session cookies, and information from other programs and websites used by victims. Stealers can be dropped either via phishing emails, malicious and or/compromised websites, cracked software, or as part of supply chain attacks.
[6] Threat actors use remote access trojans (RATs) to gain remote Command & Control on a victim’s computer.
[7] A crypter is software that encrypts, obfuscates, and manipulates malware to evade detection by security programs. Cybercriminals use crypters to create malware that appears harmless so that it can bypass security.
)
)
)
)