Kaspersky recently uncovered the most recent Trojan Proxy malware campaign, revealing that the earliest submission of the payload on VirusTotal can be traced back to April 28, 2023.
According to the latest research from cybersecurity researchers at Kaspersky, threat actors are deploying a novel Trojan Proxy malware in cracked applications, distributed via unauthorized websites.
Further probing revealed that the malware is disguised within popular copyrighted macOS software available on warez sites.
For your information, warez sites are websites that offer copyrighted digital content, such as software, movies, music, ebooks, and games, for free or at a significantly lower price than the original product.
The malware allows attackers to build a proxy server network to commit crimes or make profits.
When installed, this malware converts computers into anonymous traffic-forwarding terminals, allowing malware operators to perform malicious activities, such as phishing, hacking, or conducting illegal transactions.
Infected applications appear as legitimate cracked software, distributed as.
A post-installation script replaces two system files with malicious versions taken from the app's resources and grants them administrator permissions.
A fake Google configuration file automatically starts the WindowServer malware file as a system process.
This binary file was uploaded on VirusTotal on April 28 but wasn't recognized as malware then.
The malware uses DNS-over-HTTPS (DoH) to obtain the C2 server's IP address and then connects to it over WebSockets, receiving commands for the various malicious activities the Trojan can perform and sending information back.
During their research, investigators didn't receive a server response beyond the 0x38 command and noted that the client supported TCP and UDP connections.
Earlier versions relied on traditional DNS requests rather than DoH to locate the C2 server.
It is worth noting that selling access to these proxies is a highly profitable business, encompassing massive botnets.
Kaspersky researchers noted that Mac devices aren't immune to this deep-rooted threat, which is why this campaign works.
Attackers are exploiting the popularity of cracked versions of copyrighted software, specifically commercial programs, because users who want to avoid paying for premium software seek them out.
Kaspersky identified around 35 apps laced with Trojan Proxy, including popular image editing, data recovery, video compression and editing, and network scanning tools.
Beyond macOS, researchers have identified Android and Windows versions connecting to the same C2 server.
This means a larger distribution network for cracked software laced with Trojan Proxy malware could be at work.
Menlo Security's chief security architect, Lionel Litty, shared with Hackread.com that using DoH and WebSocket indicates that threat actors are focusing more on evading network-based detection mechanisms.
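The behaviour described above (a fake WindowServer binary that resolves its C2 over DoH and then opens a WebSocket) can be hunted for on the network side, which is the evasion Litty is pointing at. The following is an added defender-side example, not code from Kaspersky or Hackread; it parses a constructed, hypothetical flat connection-log format, uses real public DoH resolver hostnames, and relies on the fact that Apple's genuine WindowServer ships inside SkyLight.framework under /System.

```python
import re

# Public DoH resolvers (real hostnames); a proxy trojan that resolves its C2 over DoH
# must still complete a TLS connection to one of these, which is observable.
DOH_RESOLVERS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net", "doh.opendns.com"}
# Processes for which DoH traffic is expected and not worth an alert on its own.
DOH_ALLOWED_PROCS = {"Safari", "firefox", "Google Chrome"}
# Apple's genuine WindowServer is shipped inside SkyLight.framework under /System.
LEGIT_WINDOWSERVER_PREFIX = "/System/Library/PrivateFrameworks/SkyLight.framework/"

# Hypothetical flat log format (constructed for this example, not a real macOS log).
LINE_RE = re.compile(
    r"proc=(?P<proc>\S+) path=(?P<path>\S+) dst=(?P<dst>[^:\s]+):(?P<port>\d+)"
    r"(?: upgrade=(?P<upgrade>\S+))?"
)

def analyse(lines):
    """Return [(line_no, reason)] for connections matching the described tradecraft."""
    findings = []
    doh_users = set()  # processes already seen talking to a DoH resolver
    for n, line in enumerate(lines, 1):
        m = LINE_RE.search(line)
        if not m:
            continue  # unparseable line; ignore
        proc, path, dst = m["proc"], m["path"], m["dst"]
        port, upgrade = m["port"], m["upgrade"]
        # 1. A binary named WindowServer outside Apple's framework is a masquerade.
        if proc == "WindowServer" and not path.startswith(LEGIT_WINDOWSERVER_PREFIX):
            findings.append((n, "WindowServer running outside SkyLight.framework"))
        # 2. DoH from a non-browser process: name resolution the local DNS logs never see.
        if dst in DOH_RESOLVERS and port == "443":
            doh_users.add(proc)
            if proc not in DOH_ALLOWED_PROCS:
                findings.append((n, f"{proc} resolving via DoH ({dst})"))
        # 3. WebSocket opened by a process that used DoH: matches the C2 pattern.
        if upgrade == "websocket" and proc in doh_users:
            findings.append((n, f"{proc} opened WebSocket to {dst} after DoH lookup"))
    return findings

# Constructed sample; 203.0.113.10 is a documentation address, not a real C2.
SAMPLE_LOG = """\
proc=Safari path=/Applications/Safari.app/Contents/MacOS/Safari dst=cloudflare-dns.com:443
proc=WindowServer path=/Users/alice/Library/Caches/WindowServer dst=dns.google:443
proc=WindowServer path=/Users/alice/Library/Caches/WindowServer dst=203.0.113.10:443 upgrade=websocket
""".splitlines()

if __name__ == "__main__":
    for line_no, reason in analyse(SAMPLE_LOG):
        print(f"line {line_no}: {reason}")
```

The DoH check alone is noisy on hosts where browsers use it, which is why the example only raises the WebSocket finding when the same process was first seen using DoH.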
This Cyber News was published on www.hackread.com. Publication date: Fri, 08 Dec 2023 13:43:04 +0000