Attackers Profiting from Proxyware

Proxyware is a program that shares a part of the Internet bandwidth that is currently available on a system to others. Users who install the program are usually paid with a certain amount of cash in exchange for providing the bandwidth. Companies that provide such a service include Peer2Profit and IPRoyal. They gain profit by providing the bandwidth to other companies and claim on their webpages that they have various business partners using the service for distributing software, investigating markets, verifying advertisements, testing software, and so on.

While users can earn some money from installing proxyware on their systems, they should know they are taking risks by allowing external users to perform certain behaviors by using their networks. For instance, users cannot know in detail the companies that the proxyware platforms claim to use their services. Even if they can verify their customers on their own, it is impossible to check if your bandwidth will be maliciously exploited in the future or not.

The ASEC analysis team recently discovered malware strains installing proxyware without the user’s permission. Users whose systems are infected with the malware have their network bandwidth stolen by attackers to gain profit. The method of earning profit by using the infected system’s resources is similar to that of CoinMiner. This type of malware has been continuously around for a while. Cisco Talos once made an analysis on proxyware in 2021.^[1]

1. Case using Adware

The post will first discuss malware distributed through adware. AhnLab’s ASD log shows that the proxyware is installed through adware such as Neoreklami.

It is a dropper-type malware that installs proxyware of Peer2Profit and IPROYAL on the system as a user account without the user’s permission.

…. 1.1. PEER2PROFIT

As for Peer2Profit, the malware creates Peer2Profit SDK DLL saved in the data section in the same path. According to the manual shown below, Peer2Profit SDK can use the p2p_is_active() function to check if a proxy client is running or not. It can also start a proxy with the p2p_start() function.

The malware follows the instruction shown in the manual: it loads the created SDK DLL and gives the attacker’s email address as an argument to execute the p2p_start() function. The malware can operate in the infected system without the user realizing it to steal the Internet bandwidth as a result. The attacker can gain profit through the designated email address (the attacker’s account).

…. 1.2. IPROYAL PAWNS

The dropper malware also installs IPRoyal’s Pawns as well. The dropper initially used the CLI exe form of Pawns. IPRoyal programs are usually in GUI forms. Yet as it supports the CLI form as well, it can be executed with command lines and installed without users recognizing the process.

The file forcibly terminates Pawns in CLI form if it is currently running. It then creates Pawns in the same path, similar to Peer2Profit SDK. It gives the attacker’s email address and password as arguments to run Pawns, gaining profit from the infected system.

Recent cases use Pawns in DLL form instead. The dropper creates pawns.dll in the same path and loads it. It then calls two functions Initialize() and startMainRoutine().

Unlike Pawns in CLI form that received the attacker’s email address and password directly through command line arguments, Pawns in DLL form receives encoded data as an argument. The string is Base64-encoded. Decoding it will show the following json settings data.

The data is presumably used for verification. In fact, the GUI form IPRoyal uses a similar method. When logging in to IPRoyal, the GUI client loads libpawns.dll file (libpawns32.dll in the x86 environment) located in %PROGRAMFILES%\IPRoyal Pawns\resources\packages\main\resources\libpawns inside the installation path and gives the settings data encoded in the same method as an argument to call the startMainRoutine() function.

2. Cases of attacks targeting vulnerable MS-SQL servers

Peer2Profit is used by other attackers as well. The Figure 10 shows a log of Peer2Profit SDK being installed on a vulnerable MS-SQL server. The system also has infection logs of various malware strains distributed through the dictionary attack such as CoinMiner and backdoor. It is likely that the malware installing proxyware was distributed through the dictionary attack as the system had vulnerable account credentials.

The “sdk.mdf” file is packed with UPX. It has been installed on multiple vulnerable MS-SQL servers starting from early June in 2022. Due to the nature of Peer2Profit, the file is a DLL and sends the attacker’s email address as an argument for the export function: the file alone cannot reveal additional information such as the attacker’s email address.

The proxyware dropper malware that is recently being discovered is similar to CoinMiner in that it gains profit by exploiting the infected system’s resources. The malware strains are distributed through adware or installed on vulnerable MS-SQL servers. Users should refrain from installing programs from unknown sources. If their systems are installed with database servers, they should manage access control policies and account credentials settings appropriately. Also, V3 should be updated to the latest version so that malware infection can be prevented.

[File Detection]
– Dropper/Win.Proxyware.C5173477 (2022.07.18.03)
– Dropper/Win.Proxyware.C5173478 (2022.07.18.02)
– Dropper/Win.Proxyware.C5210584 (2022.07.18.02)
– Unwanted/Win.Peer2Profit.R505332 (2022.07.18.02)
– Unwanted/Win.Pawns.C5211846 (2022.07.21.01)
– Unwanted/Win.Pawns.C5211847 (2022.07.21.01)

[IOC]
MD5
Dropper
– 05ed95d997662ee0ba15f76949955bf0
– dd709b8529802d6489311a27372044aa
– 29cbc8a8cdb0e24f3561fac8ac0c0174

Peer2Profit SDK
– b1781c2670a2e0a35a10fb312586beec
– e34d9ec5d43501dc77ee93a4b464d51b

IPRoyal Pawns
– 7f8c85351394fd8221fc84d65b0d8c3e
– 3e4bb392494551a89e090fbe1237f057

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.