Threat actors are taking advantage of access to malware-infected Windows and macOS machines to distribute proxy server applications and use them as exit nodes to reroute proxy requests.
According to AT&T Alien Labs, the unnamed company that offers the proxy service operates more than 400,000 proxy exit nodes, although it’s not immediately clear how many of them were co-opted by malware installed on infected machines without user knowledge and interaction.
“Although the proxy website claims that its exit nodes come only from users who have been informed and agreed to the use of their device,” the cybersecurity company said it found evidence where “malware writers are installing the proxy silently in infected systems.”
Several malware families have been observed distributing proxies to users searching for cracked software and games. The proxy software, written in the Go programming language, is capable of targeting both Windows and macOS, with the former being able to avoid detection by using a valid digital signature.
In addition to receiving further instructions from remote servers, the proxy is configured to gather information about the hacked system, including running processes, CPU and memory usage, and battery status. Furthermore, with the installation of proxy software comes the deployment of additional malware or adware elements.
“Monetizing malware that proliferates proxy servers through an affiliate program is problematic, because it creates a formal structure to increase the speed at which this threat will spread,” said security researcher Ofer Caspi.
The disclosure builds on AT&T’s earlier findings that macOS machines compromised by AdLoad adware were being included in a vast, residential proxy botnet, raising the possibility that operators of AdLoad could run pay-per-install campaigns.
AdLoad is one of the largest known adware strains targeting macOS. Known to impersonate popular video players and other widely used applications, AdLoad hijacks browsers and forces victims to visit potentially malicious websites, allowing cyber criminals to profit from the schemes.
“The pervasive nature of AdLoad, potentially infecting thousands of devices worldwide, indicates that users of macOS devices are a lucrative target for the adversaries behind this malware and are being tricked to download and install unwanted applications,” the company said.
“The rise of malware delivering proxy applications as a lucrative investment, facilitated by affiliate programs, highlights the cunning nature of adversaries’ tactics. These proxies, covertly installed via alluring offers or compromised software, serve as channels for unauthorized financial gains.”
The development comes as macOS systems have increasingly become a prized target: since 2019, the dark web has witnessed a 1,000% surge in threat actors advertising information stealer strains and sophisticated tools that can circumvent macOS security functions, namely Gatekeeper and Transparency, Consent and Control (TCC).
“In 2022 and the first half of 2023, macOS-targeting activity is set to intensify,” Accenture said in a report published this month.
“The combination of the growing use of macOS in corporate environments, the high potential earnings of threat actors willing and able to target macOS, and the growing demand for macOS tools and accessories suggest that this trend will continue.”
Romanian cyber security company Bitdefender said in its own macOS Threat Landscape report that in the past year Mac users have been mainly targeted by three major threats: Trojans (51.8%), potentially unwanted applications (25.3%), and adware (22.6%).
It added that “EvilQuest remains the most common piece of malware targeting Macs at 52.7%,” and that “Trojans designed to exploit unpublished vulnerabilities pose a real threat to users who typically postpone installing the latest security patches from Apple.”