Threat actors are leveraging access to malware-infected Windows and macOS machines to deliver a proxy server application and use them as exit nodes to reroute proxy requests.
According to AT&T Alien Labs, the unnamed company that offers the proxy service operates more than 400,000 proxy exit nodes, although it’s not immediately clear how many of them were co-opted by malware installed on infected machines without user knowledge and interaction.
“Although the proxy website claims that its exit nodes come only from users who have been informed and agreed to the use of their device,” the cybersecurity company said it found evidence where “malware writers are installing the proxy silently in infected systems.”
Multiple malware families have been observed delivering the proxy to users searching for cracked software and games. The proxy software, written in the Go programming language, is capable of targeting both Windows and macOS, with the former capable of evading detection by using a valid digital signature.
In addition to receiving further instructions from a remote server, the proxy is configured to gather information about the hacked systems, including running processes, CPU and memory utilization, and battery status. What’s more, the installation of the proxy software is accompanied by the deployment of additional malware or adware elements.
“The monetization of malware propagating proxy servers through an affiliate program is troublesome, as it creates a formal structure to increase the speed at which this threat will spread,” security researcher Ofer Caspi said.
The disclosure builds upon prior findings from AT&T in which macOS machines compromised by AdLoad adware are being corralled into a giant, residential proxy botnet, raising the possibility that the operators of AdLoad could be running a pay-per-Install campaign.
AdLoad is one the largest known adware strains targeting macOS. Known to impersonate popular video players and other widely-used applications, Adload hijacks browsers and forces victims to visit potentially malicious websites, enabling cybercriminals to profit off the schemes.
“The pervasive nature of AdLoad potentially infecting thousands of devices worldwide — indicates that users of MacOS devices are a lucrative target for the adversaries behind this malware and are being tricked to download and install unwanted applications,” the company said.
“The rise of malware delivering proxy applications as a lucrative investment, facilitated by affiliate programs, highlights the cunning nature of adversaries’ tactics. These proxies, covertly installed via alluring offers or compromised software, serve as channels for unauthorized financial gains.”
The development comes as macOS systems have increasingly become a prized target, with the dark web witnessing a 1,000% surge in threat actors advertising information stealer strains and sophisticated tools that can circumvent macOS security functions, namely Gatekeeper and Transparency, Consent and Control (TCC) since 2019.
“In 2022 and the first half of 2023, macOS-targeting activity has intensified,” Accenture said in a report published this month.
“A combination of the increasing use of macOS in corporate environments, the high potential earnings of threat actors willing and able to target macOS and the surging demand for macOS tools and wares suggest this trend will continue.”
Romanian cybersecurity company Bitdefender, in its own macOS Threat Landscape Report, said that Mac users are predominantly targeted by three key threats in the past year: Trojans (51.8%), Potentially Unwanted Applications (25.3%), and Adware (22.6%).
“EvilQuest remains the single most common piece of malware targeting Macs at 52.7%,” it noted. “Trojans designed to exploit unpatched vulnerabilities present a real danger to users who typically postpone installing the latest security patches from Apple.”
