Cybercriminals have been increasingly targeting internet connections to generate illicit revenue. According to researchers, a method involving the abuse of proxyware has been gaining traction in the cybercrime landscape.
Proxyware platforms allow users to share a small percentage of their internet bandwidth in exchange for a nominal payment.
Attackers were also observed installing digital currency miners and info-stealers to earn additional revenue.
Researchers have spotted a malware family dropping a patched version of the Honeygain client, an info-stealer, and the XMRig miner. Later, it was found to be delivering Nanowire clients.
Ideally, platforms such as Honeygain have limitations on the number of devices for a single account. However, attackers can always register numerous accounts to increase their operational capabilities.
How does it work?
The business model of commercializing extra bandwidth is lucrative for users, and it is gaining traction among attackers as well.
In a typical attack campaign, the attacker quietly installs malicious code bundled with genuine proxyware client software on the victim’s devices.
The malware family then attempts to install the proxyware on the victim's PC.
In the next stage, it registers the software under an account created by the attackers, so that the referral bonus goes to them.
Upon activation, the proxyware client starts selling the victim's bandwidth without their awareness.
In some cases, hackers even patch the client to block any warning that could alert the victim.
The abuse of proxyware services may be the beginning of a new category of threats, similar to cryptojacking. The threat allows attackers to harness additional unused capacity without leaving any clues for the victims. In addition, attackers can easily prey on genuine users who are willing to use proxyware services to share their resources, without raising any concerns about performance issues.