Bandwidth for proxy servers stolen via hacked MS SQL servers

August 3, 2022

Hackers have found a lucrative tactic: using malware, adware bundles, and break-ins to MS SQL servers, they turn compromised devices into proxies that are rented out through online proxy services. The threat actors install so-called proxyware, which shares the targeted device’s internet bandwidth as a proxy server, effectively stealing that bandwidth.

Once the bandwidth is shared, a remote user can route traffic through the device for tasks such as content distribution, market research, and intelligence collection. Such operators favour these proxy services because they provide access to residential IP addresses that have not been banned by online retailers.

Normally, the device’s owner receives a cut of the fees charged to customers in return for sharing their bandwidth. According to reports from a South Korean researcher, however, new malware campaigns have appeared that install proxyware to profit from sharing their victims’ network bandwidth.

The adversaries collect the compensation for the shared bandwidth by registering their own email addresses with the proxyware, so the payout goes to them rather than to the device’s owner. Unfortunately, the victim will only notice a slight connectivity issue.

Attacks on SQL servers are likely to increase if the hackers find them profitable.

The SQL server attacks are only a starting point for these hackers: researchers observed proxyware being installed for several services, including IPRoyal and Peer2Profit, delivered through adware bundles and malware strains.

The malware first checks whether the proxy client is already running on the host and, if it is not, can launch it by calling the p2p_start() function. In the case of IPRoyal’s Pawns, the malware installs the CLI version rather than the GUI version, since the goal is to keep the process running unnoticed in the background.

Further observation revealed that the threat actors used Pawns in DLL form, supplying their email addresses and passwords in encoded form and running it through the functions startMainRoutine() and Initialise().

Once the proxyware is running on a device, the software lists it as an available proxy that remote users can use for whatever they want to do on the internet. Other malicious actors can therefore route illegal activity through these proxies without the victim’s consent.
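As an added defender-side example (not from the article or the researchers it cites), the following Python triage routine runs over constructed process-creation records from a Windows MS SQL host and flags the pattern described above: an unexpected child process of sqlservr.exe, an image name resembling the proxyware clients mentioned (Pawns, Peer2Profit), and an email address on the command line that could be the attacker's payout account. The binary names, the baseline of expected sqlservr.exe children and the sample records are assumptions.

```python
import re
from dataclasses import dataclass

SQL_SERVICE = "sqlservr.exe"
# Baseline of processes sqlservr.exe legitimately spawns; assumed, tune per host.
EXPECTED_SQL_CHILDREN = {"conhost.exe", "sqldumper.exe"}
# Hypothetical image-name patterns for the proxyware clients named in the
# article (IPRoyal Pawns, Peer2Profit); real binary names vary by version.
PROXYWARE_PATTERNS = [re.compile(r"pawns", re.I), re.compile(r"p2p|peer2profit", re.I)]
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


@dataclass
class ProcessEvent:
    image: str          # executable file name of the new process
    parent_image: str   # executable file name of its parent
    command_line: str


# Constructed sample records, not real telemetry.
SAMPLE_EVENTS = [
    ProcessEvent("sqlservr.exe", "services.exe", "sqlservr.exe -sMSSQLSERVER"),
    ProcessEvent("conhost.exe", "sqlservr.exe", "conhost.exe 0x4"),
    ProcessEvent("cmd.exe", "sqlservr.exe", r"cmd.exe /c C:\Windows\Temp\update.exe"),
    ProcessEvent("pawns-cli.exe", "update.exe", "pawns-cli.exe attacker@example.invalid"),
    ProcessEvent("chrome.exe", "explorer.exe", "chrome.exe"),
]


def triage(events: list[ProcessEvent]) -> list[dict]:
    """Return one finding per suspicious event, listing every reason it matched."""
    findings = []
    for ev in events:
        reasons = []
        if ev.parent_image.lower() == SQL_SERVICE and ev.image.lower() not in EXPECTED_SQL_CHILDREN:
            reasons.append("unexpected child of sqlservr.exe")
        if any(p.search(ev.image) for p in PROXYWARE_PATTERNS):
            reasons.append("image name matches proxyware client")
        # An e-mail address alone is noisy; only report it on an already suspicious process,
        # where it may be the account the attacker registered to collect the payout.
        if reasons and EMAIL_RE.search(ev.command_line):
            reasons.append("e-mail address in command line")
        if reasons:
            findings.append({"image": ev.image, "parent": ev.parent_image, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f['parent']} -> {f['image']}: {'; '.join(f['reasons'])}")
```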
