Fake Streaming Site Spreading Proxyware

Adversaries Abusing Proxyware Platforms

Cyble Research and Intelligence Labs discovered a fake site spreading Proxyware. Proxyware, also known as an internet bandwidth-sharing application, allows users to earn money by sharing a certain percentage of their internet bandwidth with the organizations that developed these applications. This site is disguised as an online streaming site and claims to provide free access to over 1500 channels worldwide through its desktop application. The Threat Actors (TAs) are targeting Windows users with this campaign. The figure below shows the fake streaming site.

Figure 1 – Fake Streaming Site

During further investigation, we found that the application hosted on this fake streaming site silently drops and installs Proxyware malware named “CoinSurf” and does not provide any streaming service. The dropper file installs the Proxyware using Squirrel, a framework for installing and updating desktop applications.

Detection Evasion Technique:

After installation, the Proxyware executes the PowerShell command “Add-MpPreference -ExclusionPath” to exclude the following folders from Windows Defender scheduled and real-time scanning:

  • AppData\Local\CoinSurf\app-1.0.13
  • AppData\Roaming\CoinSurf

The image below shows the process tree of the infection.

Figure 2 – Process Tree

Persistence:

The Proxyware now creates persistence by adding its path in the following registry key to automatically start itself whenever the user logs in:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

Figure 3 – Persistence
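The two host-level behaviours described above (a Defender exclusion added via Add-MpPreference -ExclusionPath, and a Run-key value that launches a binary from a user-writable AppData folder) are easy to hunt for in endpoint telemetry. The following Python is an added detection example, not code from the report or from CoinSurf: it scans a handful of constructed Sysmon-style events (ID 1 process creation, ID 13 registry value set), flags each behaviour on its own, and raises the severity when an autostart entry points inside a folder that was just excluded from scanning. The event layout, the SID, the user name “victim”, the launched file name and the benign entries are assumptions made for the sample; only the two excluded folder names and the Run key come from the write-up.

```python
import re
from dataclasses import dataclass

# --- Constructed sample telemetry (not from the report) ----------------------
# Sysmon-style events: EventID 1 = process creation, EventID 13 = registry
# value set. The SID, "victim", the launched file name and the benign
# entries are placeholders; the excluded folders mirror the write-up.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -Command Add-MpPreference -ExclusionPath 'C:\Users\victim\AppData\Local\CoinSurf\app-1.0.13'"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell.exe Add-MpPreference -ExclusionPath "C:\Users\victim\AppData\Roaming\CoinSurf"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe Get-MpPreference"},  # benign: read-only query
    {"EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\CoinSurf",
     "Details": r"C:\Users\victim\AppData\Local\CoinSurf\app-1.0.13\CoinSurf.exe"},
    {"EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\VendorTray",
     "Details": r"C:\Program Files\Vendor\Tray.exe"},  # benign: installed under Program Files
]

# Add-MpPreference ... -ExclusionPath <path>, with the path single-quoted,
# double-quoted or bare.
EXCLUSION_RE = re.compile(
    r"""Add-MpPreference\b.*?-ExclusionPath\s+(?:'(?P<sq>[^']*)'|"(?P<dq>[^"]*)"|(?P<bare>\S+))""",
    re.IGNORECASE,
)
# Any value written directly under a per-user Run key (Sysmon reports HKCU as HKU\<SID>).
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\([^\\]+)$", re.IGNORECASE)
# Launch targets inside the user's profile are writable without admin rights.
USER_WRITABLE_RE = re.compile(r"\\AppData\\(Local|Roaming)\\", re.IGNORECASE)


@dataclass
class Finding:
    rule: str       # which detection fired
    severity: str   # "medium" for a single behaviour, "high" for the correlation
    subject: str    # excluded folder or Run value name
    context: str    # the raw command line / launched path for the analyst


def detect(events):
    """Run the three rules over a list of events and return the findings."""
    findings = []
    excluded = []    # lower-cased excluded folders, for correlation
    run_values = []  # (value name, launched path)
    for ev in events:
        if ev.get("EventID") == 1:
            m = EXCLUSION_RE.search(ev.get("CommandLine", ""))
            if m:
                path = m.group("sq") or m.group("dq") or m.group("bare")
                excluded.append(path.lower().rstrip("\\"))
                findings.append(Finding("defender_exclusion_added", "medium", path, ev["CommandLine"]))
        elif ev.get("EventID") == 13:
            m = RUN_KEY_RE.search(ev.get("TargetObject", ""))
            if m:
                launched = ev.get("Details", "")
                run_values.append((m.group(1), launched))
                if USER_WRITABLE_RE.search(launched):
                    findings.append(Finding("run_key_user_writable", "medium", m.group(1), launched))
    # Correlation: an autostart entry whose target sits inside a freshly excluded folder.
    for name, launched in run_values:
        low = launched.lower()
        for folder in excluded:
            if low.startswith(folder + "\\"):
                findings.append(Finding("autostart_inside_defender_exclusion", "high", name,
                                        f"{launched} is under excluded folder {folder}"))
    return findings


def count_by_rule(findings):
    """Tally findings per rule name, e.g. for a quick triage summary."""
    counts = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f.severity:6}] {f.rule}: {f.subject}  <-  {f.context}")
    print(count_by_rule(detect(SAMPLE_EVENTS)))
```

The per-behaviour rules are noisy on their own (administrators do add exclusions, and plenty of legitimate software autostarts from AppData), which is why the correlation rule exists: a Run value that launches from a folder excluded from scanning moments earlier is the combination this campaign relies on and is rarely benign. The same logic maps onto PowerShell script block logging (Event ID 4104) if Sysmon is not deployed.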

Network Communication:

Our investigation indicates that the Proxyware installed on the victim’s machine is not the original CoinSurf application. Nonetheless, it connects to the original CoinSurf site for its authentication, indicating that this Proxyware binary was customized by the TA. This authentication request is performed using the TA’s login credentials, which links all the infected devices under the same TA profile. This technique allows the TA to share a huge amount of internet bandwidth from multiple devices and easily earn a mint. The image below shows the Proxyware authentication using a POST request.

Figure 4 – Authenticate Using POST Requests

After authentication, this Proxyware receives its configuration from the server, as shown in the figure below. The configuration contains the client settings used to perform the Proxyware operation.

Figure 5 – Configuration file

The figure below shows the TA’s CoinSurf profile, which was created recently, indicating that the campaign is at the initial stage.

Figure 6 – TA’s CoinSurf Profile

The figure below shows the network activity done by the Proxyware.

Figure 7 – Network Activity

Conclusion

Adversaries are actively abusing Proxyware for monetary gain. We have also witnessed in this campaign how TAs are trying to infect many users using fake sites. There have been incidents in the past where TAs infected victims with Proxyware as well as with CoinMiners. The usage of Proxyware on corporate networks might result in a bad IP reputation.

Our Recommendations

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:

How to prevent malware infection?

  • Avoid downloading pirated software from warez/torrent websites. The “Hack Tools” present on sites such as YouTube, torrent sites, etc., contain such malware.
  • Use a reputed anti-virus and internet security software package on your connected devices, including PC, laptop, and mobile.
  • Refrain from opening untrusted links and email attachments without first verifying their authenticity.
  • Educate employees on protecting themselves from threats like phishing/untrusted URLs.
  • Identify the applications with auto-execute permission by going through System settings > Startup Apps.
  • Block URLs that could be used to spread the malware, e.g., Torrent/Warez.
  • Monitor beacons at the network level to block unnecessary internet connections.

MITRE ATT&CK® Techniques  

Tactic           Technique ID   Technique Name
Initial Access   T1189          Drive-by Compromise
Execution        T1204          User Execution
Persistence      T1547.001      Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Discovery        T1012          Query Registry
Discovery        T1082          System Information Discovery

Indicators of Compromise (IOCs)

Indicators                                                          Indicator type   Description
ec95825c3940a10ea74a833cbf7e1667                                    MD5              Dropper
383e0d797a2eed678b60eebff3fdbcd99b55fa61                            SHA1             Dropper
29c7ddeefe862a053b9eac65af95fcfbe736e5e46e73276ac399f1903af3ed3e    SHA256           Dropper
3094c87436d64d172b159178f1a60707                                    MD5              Dropper
caac51c7fd57b5ebcaded2cc3765660f82d83dfe                            SHA1             Dropper
37696d1d18500725531bdda8ea72949736ebf24d349ff7bceee6799ed7bf19fd    SHA256           Dropper
streamtvbox[.]net                                                   Domain           Fake Site
http[:]//streamtvbox[.]net/StreamTVBox[.]exe                        URI              Malicious URI