Signed Proxy App Slips Malware Past Virus Detection

Author Avatar


Posted on September 6, 2023

Want to interview Nick?


Over 400,000 Windows machines and an unknown number of computers running macOS are believed to be infected with a malicious proxy that leaves them vulnerable to undesired adware, backdoors, Person-in-The-Middle (PiTM) attacks, and more.

AT&T Alien Labs recently reported the discovery of over a thousand new malware samples that deliver a proxy application. The company that offers the proxy service claims it has 400,000 proxy exit nodes, which operate as a large-scale proxy botnet.

Silent Installation

The proxy software is written in the Go language and is typically delivered by way of pirated software and games. The company running the proxy service claims that all proxy nodes are from users who have been informed and agreed to have them installed.

AT&T Alien Labs begs to differ: According to them, “The application is silently installed by malware on infected machines without user knowledge and interaction.” Within the malware, they’ve identified specific embedded commands that disable popups that would otherwise ask if users wish to install the software, as well as progress bars and other messages relating to installation.

macOS versus Windows Installs Evading Detection

The Mac and Windows versions originate with the same source code. During installation, some Mac versions are detected by Apple’s security checks, while the Windows version slips past undetected. Researchers believe that the Windows version’s failure to detect it occurs because the application is signed, fooling the system into thinking it is legitimate software.

The installation script goes beyond just installing files to also establish persistence by running a registry key as well as an update scheduler. The updater runs every hour to check for the availability of updated versions.

AT&T reports that once installed,

The proxy then continuously gathers vital information from the machine to ensure optimal performance and responsiveness. This includes everything from process list and monitoring CPU to memory utilization and even tracking battery status. This dynamic data collection underscores its capability to manage the demands of proxy requests while evading suspicion by adapting to the system’s operational context.

This information is shared as the proxy communicates with its command and control to get further instructions.

The Mac version is delivered via AdLoad malware, which was first detected in 2017, with big campaigns detected in both 2021 and 2022. Considering this new campaign in light of those previous campaigns leads AT&T analysts to consider that AdLoad might have a “pay-per-install” offer.

The ability to monetize installs through an affiliate program (for both Windows and Mac versions) serves to accelerate the pace at which this threat propagates.

Protecting Against Undetectable Malware

Traditional detection-based antivirus software fails to identify and stop this threat, at least on Windows systems. Since the application is signed, it slips right past such defenses.

The best way to stop an undetectable threat is to deny it access to the user’s device in the first place.

Zero Trust Ericom Web Security solution leverages Remote Browser Isolation (RBI) to airgap user devices from malware delivered via websites, downloads and phishing emails. When users browse a site, site code executes in a virtual browser located in an isolated container in the cloud; the user interacts with a safe representation of the website, via their usual browser. No code reaches the user’s device directly. Even if a user clicks on the wrong link, malicious code executes harmlessly in the remote container, where it can do no harm. Downloads or attachments are sanitized with Content Disarm and Reconstruction (CDR), removing any malware while leaving desired functionality intact.

Beyond protecting against this sort of “drive-by” malware, RBI safeguards against unknown software vulnerabilities that detection-based solutions are not yet capable of “recognizing” as malicious, including zero-day exploits. It also provides protections against users who fail to update their software promptly, leaving them exposed to even known software vulnerabilities.

Share this on:

Author Avatar

About Nick Kael

A cybersecurity expert with over 20 years of experience in web technologies, architecture, infrastructure, networking and dev environments, Nick is responsible for solution management, technology strategy and technology partnerships. Nick was previously Symantec Group CTO for Global Service Providers, following his tenure as Director of the Chief Architect Team for Channel and Service Providers at Zscaler and an earlier position in the Symantec CTO organization. His certifications include CEH7, CCSK, BCCPP, Bluecoat Blue Knight, MCSE + Security, CCDP, CCNA, CCSA, VTP5 and VTSP5.

Recent Posts

Air Gapping Your Way to Cyber Safety

Physically air gapping enterprise networks from the web is a great way to protect operations, keep data safe … and squelch productivity. Virtual air gapping is a better approach.

Motion Picture Association Updates Cybersecurity Best Practices

The MPA recently revised its content security best practices to address, among other challenges, the issue of data protection in the cloud computing age.

FTC Issues Cybersecurity Warning for QR Codes

QR codes on ads are a simple way to grab potential customers before they move on. No wonder cybercriminals are using QR codes, too.