Threat actors are generating revenue by using adware bundles, malware, or even hacking into Microsoft SQL servers, to convert devices into proxies that are rented through online proxy services.
To steal a device's bandwidth, the threat actors install software called 'proxyware' that allocates a device's available internet bandwidth as a proxy server that remote users can use for various tasks, like testing, intelligence collection, content distribution, or market research.
Botters also love these proxy services as they gain access to residential IP addresses that have not been blacklisted from online retailers.
In return for sharing their bandwidth, the device's owner gets a revenue share of the fees charged to customers. For example, the Peer2Profit service shows users making as much as $6,000 per month by installing the company's software on thousands of devices.
According to a new report published today by researchers at South Korean company Ahnlab, new malware campaigns have emerged that install proxyware to earn money from sharing their victim's network bandwidth.
The attackers collect the payment for the shared bandwidth by registering the proxyware client under their own email address rather than the victim's, while the victims might only notice some connectivity slowdowns and hiccups.
Sneaking proxy clients on devices
Ahnlab observed the installation of proxyware software for services, such as Peer2Profit and IPRoyal, via adware bundles and other malware strains.
The malware checks if the proxy client is running on the host, and it can use the “p2p_start()” function to launch it if it’s deactivated.
In the case of IPRoyal’s Pawns, the malware prefers to install the CLI version of the client instead of the GUI one, as the goal is to have the process run stealthily in the background.
In more recent observations, attackers used Pawns in DLL form and provided their emails and passwords in encoded string form, launching it with the functions "Initialize()" and "startMainRoutine()".
Once the proxyware is installed on a device, the software adds it as an available proxy that remote users can use for whatever task they want on the Internet.
Unfortunately, this also means that other threat actors can use these proxies for illegal activities without the victim being aware.
Infecting MS-SQL servers too
According to Ahnlab's report, malware operators using this scheme to generate revenue also target vulnerable MS-SQL servers to install Peer2Profit clients.
This has been going on since early June 2022, with most logs retrieved from infected systems revealing the existence of a UPX-packed database file named “sdk.mdf”.
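A defender reviewing an MS-SQL host for this campaign would want to check two things the report describes: a file carrying a SQL data-file name such as sdk.mdf that is really a UPX-packed executable, and a binary that exposes the launch routines named above (p2p_start, Initialize, startMainRoutine). The triage helper below is an added example written for this article; it is not Ahnlab's tooling nor code from any proxyware vendor. It assumes the dropped .mdf is a PE image (the article says only that it is UPX-packed), treats the routine names as weak string indicators rather than a signature, and runs against constructed byte samples built inline, so it works offline.

```python
"""Triage helper: flag files that look like dropped proxyware loaders.

Added example, not from the article or from Ahnlab. All samples are constructed.
"""
import os
import struct

# Routine names the article associates with proxyware launch; used here only as
# weak indicators (Initialize in particular is a common export name).
PROXYWARE_LAUNCH_HINTS = (b"p2p_start", b"Initialize", b"startMainRoutine")
# Section names / marker string that the UPX packer leaves in a packed image.
UPX_MARKERS = (b"UPX0", b"UPX1", b"UPX!")
# SQL Server data/log file extensions (assumption: the article names only .mdf).
SQL_DATAFILE_EXTS = (".mdf", ".ndf", ".ldf")


def is_pe(data: bytes) -> bool:
    """True if data has a DOS 'MZ' stub whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def triage(name: str, data: bytes) -> dict:
    """Return findings for one file: PE hiding under a SQL data-file name,
    UPX packing, and proxyware launch-routine names present in the image."""
    findings = []
    pe = is_pe(data)
    ext = os.path.splitext(name)[1].lower()
    if pe and ext in SQL_DATAFILE_EXTS:
        findings.append("pe-with-sql-datafile-extension")
    if pe and any(m in data for m in UPX_MARKERS):
        findings.append("upx-packed")
    if pe:  # only meaningful for executables; plain data files hit these strings by chance
        hits = [h.decode() for h in PROXYWARE_LAUNCH_HINTS if h in data]
        if hits:
            findings.append("proxyware-launch-names:" + ",".join(hits))
    return {"name": name, "is_pe": pe, "findings": findings, "suspicious": bool(findings)}


def _fake_pe(extra: bytes) -> bytes:
    """Constructed stand-in for a PE image: MZ stub, e_lfanew -> 'PE\\0\\0', then extra.
    Not a loadable executable; it only exercises the checks above."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)  # 0x40-byte DOS header
    struct.pack_into("<I", hdr, 0x3C, 0x40)  # e_lfanew = 0x40
    return bytes(hdr) + b"PE\x00\x00" + extra


# Constructed samples: a packed loader dropped as sdk.mdf, a DLL exposing the
# launch routines, and a benign non-PE file that merely carries the .mdf name.
SAMPLES = {
    "sdk.mdf": _fake_pe(b"\x00" * 16 + b"UPX0\x00\x00\x00\x00UPX1\x00\x00\x00\x00"
                        + b"UPX!" + b"\x00p2p_start\x00"),
    "pawns.dll": _fake_pe(b"\x00" * 8 + b"Initialize\x00startMainRoutine\x00"),
    "real.mdf": b"\x01\x0f\x00\x00" + b"\x00" * 60,  # constructed, not a PE
}


if __name__ == "__main__":
    for fname, blob in SAMPLES.items():
        print(triage(fname, blob))
```

On a live host the same function would be fed the bytes of files found under the SQL Server data directory; a hit on the first finding alone (a PE stored under a .mdf name) is worth an analyst's attention regardless of the weaker string indicators.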
Among the more common threats for Microsoft SQL servers are cryptocurrency coin miners that perform cryptojacking. There are also plenty of instances where the threat actor uses the server as a pivoting point into the network via Cobalt Strike beacons.
The reason behind using proxyware clients is likely an increased chance of remaining undetected for extended periods, which translates into more significant profits. It is unclear how much money actors generate via this method, though.
Furthermore, Microsoft SQL servers are usually located in corporate networks or data centers with abundant Internet bandwidth that proxy services can sell for illegal purposes.