Attackers Profiting from Proxyware

Proxyware is a program that shares part of the Internet bandwidth currently available on a system with others. Users who install the program are usually paid a certain amount of cash in exchange for providing the bandwidth. Companies that provide such a service include Peer2Profit and IPRoyal. They profit by selling the bandwidth to other companies and claim on their webpages to have various business partners who use the service for distributing software, market research, advertisement verification, software testing, and so on.

While users can earn some money by installing proxyware on their systems, they should know that they take a risk by allowing external users to perform certain activities through their networks. For instance, users cannot know in detail which companies the proxyware platforms claim as their customers. Even if they could verify those customers on their own, there is no way to check whether their bandwidth will be maliciously exploited in the future.

Figure 1. IPROYAL claiming how your network is used

The ASEC analysis team recently discovered malware strains that install proxyware without the user’s permission. Users whose systems are infected with the malware have their network bandwidth stolen by attackers for profit. The method of earning profit from the infected system’s resources is similar to that of CoinMiner. This type of malware has been around continuously for a while; Cisco Talos published an analysis of proxyware in 2021.[1]


1. Case using Adware

This post will first discuss malware distributed through adware. AhnLab’s ASD log shows that the proxyware is installed through adware such as Neoreklami.

Figure 2. Proxyware installed through Neoreklami

It is a dropper-type malware that installs Peer2Profit and IPRoyal proxyware on the system under a user account, without the user’s permission.


1.1. PEER2PROFIT

For Peer2Profit, the malware writes the Peer2Profit SDK DLL, which it carries in its data section, to the same path as itself. According to the manual shown below, the Peer2Profit SDK provides the p2p_is_active() function to check whether a proxy client is running and the p2p_start() function to start a proxy.

Figure 3. Peer2Profit SDK manual

The malware follows the instructions in the manual: it loads the SDK DLL it created and calls the p2p_start() function with the attacker’s email address as the argument. As a result, the malware can run on the infected system and steal Internet bandwidth without the user noticing, and the attacker collects the profit through the designated email address (the attacker’s account).

Figure 4. Creating and running Peer2Profit SDK


1.2. IPROYAL PAWNS

The dropper malware also installs IPRoyal’s Pawns. The dropper initially used the CLI executable form of Pawns. IPRoyal programs are usually GUI applications, but because a CLI form is also supported, it can be executed from the command line and installed without the user noticing.

Figure 5. IPRoyal Pawns CLI programs

The file forcibly terminates the CLI form of Pawns if it is currently running. It then creates Pawns in the same path, as with the Peer2Profit SDK, and runs it with the attacker’s email address and password as arguments, gaining profit from the infected system.

Figure 6. Installation routine for IPRoyal Pawns

Recent cases use the DLL form of Pawns instead. The dropper creates pawns.dll in the same path and loads it, then calls two functions, Initialize() and startMainRoutine().

Figure 7. Execution routine for DLL form of Pawns

Unlike the CLI form of Pawns, which received the attacker’s email address and password directly as command-line arguments, the DLL form of Pawns receives encoded data as its argument. The string is Base64-encoded; decoding it reveals the following JSON settings data.

Figure 8. Base64-decoded argument data

The data is presumably used for verification. In fact, the GUI form of IPRoyal uses a similar method: when logging in, the GUI client loads the libpawns.dll file (libpawns32.dll in x86 environments) located at %PROGRAMFILES%\IPRoyal Pawns\resources\packages\main\resources\libpawns inside the installation path and calls its startMainRoutine() function with the settings data, encoded in the same way, as the argument.

Figure 9. GUI form of IPRoyal client
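To show how a defender can act on the Base64-encoded JSON argument described in this section, here is an added Python example; it is not code from the post, from the dropper, or from IPRoyal. It tokenises constructed process-creation records, decodes any argument that turns out to be a Base64-encoded JSON object and reports only its key names (the values may be the attacker’s credentials), and flags a Pawns DLL (pawns.dll, libpawns.dll, libpawns32.dll) loaded from anywhere other than the install directory the post names. The sample records, the JSON keys in them and the function names are assumptions of this example, not the real Pawns settings format.

```python
import base64
import binascii
import json
import re

# Pawns DLL names and the legitimate install directory named in the post.
PAWNS_DLLS = {"pawns.dll", "libpawns.dll", "libpawns32.dll"}
PAWNS_INSTALL_DIR = "\\iproyal pawns\\resources\\packages\\main\\resources\\libpawns\\"
# A plausible Base64 token: standard or URL-safe alphabet, optional '=' padding.
B64_TOKEN = re.compile(r"^[A-Za-z0-9+/_-]{16,}={0,2}$")


def decode_b64_json(token: str):
    """Return the JSON object carried by a Base64-encoded argument, or None.

    Tries both Base64 alphabets and repairs missing '=' padding; anything that
    does not decode to a JSON object is ignored, so ordinary tokens stay quiet."""
    token = token.strip("\"'")
    if not B64_TOKEN.match(token):
        return None
    padded = token + "=" * (-len(token) % 4)
    for decoder in (base64.b64decode, base64.urlsafe_b64decode):
        try:
            obj = json.loads(decoder(padded).decode("utf-8"))
        except (binascii.Error, ValueError):
            continue
        if isinstance(obj, dict):
            return obj
    return None


def split_args(cmdline: str):
    """Tokenise a Windows command line, keeping double-quoted arguments together."""
    return re.findall(r'"[^"]*"|\S+', cmdline)


def triage_event(image: str, cmdline: str, loaded_modules):
    """Return findings for one record: (image path, command line, loaded module paths)."""
    findings = []
    for tok in split_args(cmdline)[1:]:          # skip argv[0]
        settings = decode_b64_json(tok)
        if settings is not None:
            # Report key names only: the values may be the attacker's account credentials.
            findings.append(f"Base64-encoded JSON argument with keys {sorted(settings)}")
    for mod in loaded_modules:
        low = mod.lower()
        if low.rsplit("\\", 1)[-1] in PAWNS_DLLS and PAWNS_INSTALL_DIR not in low:
            findings.append(f"Pawns DLL loaded outside the IPRoyal install path: {mod}")
    return findings


def build_sample_events():
    """Constructed records for a demo run (not telemetry from the post).

    The settings keys are placeholders; the real Pawns JSON layout is not reproduced."""
    settings = {"email": "attacker@example.test", "password": "REDACTED"}
    blob = base64.b64encode(json.dumps(settings).encode()).decode()
    return [
        ("C:\\Users\\Public\\dropper.exe", f"dropper.exe {blob}",
         ["C:\\Users\\Public\\pawns.dll"]),
        ("C:\\Program Files\\IPRoyal Pawns\\IPRoyal Pawns.exe", '"IPRoyal Pawns.exe"',
         ["C:\\Program Files\\IPRoyal Pawns\\resources\\packages\\main\\resources\\libpawns\\libpawns.dll"]),
        # Base64 of 'this is not json': it decodes, but is not a settings object.
        ("C:\\Windows\\System32\\cmd.exe", "cmd.exe /c echo dGhpcyBpcyBub3QganNvbg==", []),
    ]


def triage_all(events):
    """Map each image path to its findings; images with no findings are omitted."""
    report = {}
    for image, cmdline, modules in events:
        findings = triage_event(image, cmdline, modules)
        if findings:
            report[image] = findings
    return report


if __name__ == "__main__":
    for image, findings in triage_all(build_sample_events()).items():
        print(image)
        for finding in findings:
            print("  -", finding)
```

Only the dropper record produces findings: the legitimate GUI client loads libpawns.dll from its own install path and is left alone, and the cmd.exe record carries a Base64 token that is not JSON and is ignored. Feeding real EDR or Sysmon process and image-load events into triage_event requires only mapping their fields onto the (image, command line, modules) triple.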


2. Cases of attacks targeting vulnerable MS-SQL servers

Peer2Profit is used by other attackers as well. Figure 10 shows a log of the Peer2Profit SDK being installed on a vulnerable MS-SQL server. The system also has infection logs of various malware strains distributed through dictionary attacks, such as CoinMiner and backdoors. It is likely that the malware installing proxyware was also distributed through a dictionary attack, as the system had weak account credentials.

Figure 10. Peer2Profit SDK installed through a vulnerable MS-SQL process

The “sdk.mdf” file is packed with UPX. It has been installed on multiple vulnerable MS-SQL servers since early June 2022. Because of how Peer2Profit works, the file is a DLL whose export function receives the attacker’s email address as an argument, so the file alone cannot reveal additional information such as the attacker’s email address.
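As an added triage example (not AhnLab’s code and not the dropper’s), the following Python script applies the file-level indicators given in this post: a file with the .mdf extension that is actually a PE image, UPX section names, and the export names the post attributes to the Peer2Profit SDK (p2p_is_active, p2p_start, section 1.1) and to the DLL form of Pawns (Initialize, startMainRoutine, section 1.2). It parses the PE section table and export directory itself so it runs offline without third-party modules, and build_sample_dll constructs a minimal PE32 fixture so the checks can be exercised without a real sample. The function names, finding strings and fixture are assumptions of this example.

```python
import struct
from pathlib import Path

# Export names the post attributes to the Peer2Profit SDK and to the DLL form of IPRoyal Pawns.
PROXYWARE_EXPORTS = {"p2p_is_active", "p2p_start", "Initialize", "startMainRoutine"}
UPX_SECTIONS = {b"UPX0", b"UPX1", b"UPX2"}   # default UPX names; a packer can rename them


def parse_pe(data: bytes):
    """Return (sections, export_rva, export_size), or None if data is not a PE image.

    Each section is (name, virtual_address, virtual_size, raw_pointer, raw_size)."""
    try:
        if data[:2] != b"MZ":
            return None
        pe = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
        if data[pe:pe + 4] != b"PE\0\0":
            return None
        nsections = struct.unpack_from("<H", data, pe + 6)[0]
        opt_size = struct.unpack_from("<H", data, pe + 20)[0]
        opt = pe + 24
        magic = struct.unpack_from("<H", data, opt)[0]
        dirs = opt + (96 if magic == 0x10B else 112)           # DataDirectory: PE32 vs PE32+
        export_rva, export_size = struct.unpack_from("<II", data, dirs)   # entry 0: exports
        sections = []
        for i in range(nsections):
            off = opt + opt_size + 40 * i
            name = data[off:off + 8].rstrip(b"\0")
            vsize, va, rsize, rptr = struct.unpack_from("<IIII", data, off + 8)
            sections.append((name, va, vsize, rptr, rsize))
        return sections, export_rva, export_size
    except struct.error:                                       # truncated or malformed headers
        return None


def rva_to_offset(sections, rva):
    """Translate a relative virtual address to a file offset via the section table."""
    for _, va, vsize, rptr, rsize in sections:
        if va <= rva < va + max(vsize, rsize):
            return rptr + (rva - va)
    return None


def export_names(data, sections, export_rva, export_size):
    """Collect the names in the export directory (empty if the image exports nothing)."""
    names = set()
    off = rva_to_offset(sections, export_rva) if export_size else None
    if off is None:
        return names
    n_names = struct.unpack_from("<I", data, off + 24)[0]              # NumberOfNames
    names_off = rva_to_offset(sections, struct.unpack_from("<I", data, off + 32)[0])
    for i in range(n_names if names_off is not None else 0):
        name_off = rva_to_offset(sections, struct.unpack_from("<I", data, names_off + 4 * i)[0])
        if name_off is not None:
            names.add(data[name_off:data.index(b"\0", name_off)].decode("ascii", "replace"))
    return names


def triage(filename: str, data: bytes):
    """Findings for one file: PE disguised as .mdf, UPX packing, proxyware SDK exports."""
    findings = []
    parsed = parse_pe(data)
    if parsed is None:
        return findings
    sections, export_rva, export_size = parsed
    if filename.lower().endswith(".mdf"):
        findings.append("PE image with .mdf extension (SQL data files are not executables)")
    if any(s[0] in UPX_SECTIONS for s in sections):
        findings.append("UPX section names present (packed)")
    hits = export_names(data, sections, export_rva, export_size) & PROXYWARE_EXPORTS
    if hits:
        findings.append("proxyware SDK exports: " + ", ".join(sorted(hits)))
    return findings


def scan_directory(root):
    """Run triage over every file under root; returns {path: findings} for flagged files."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file():
            findings = triage(path.name, path.read_bytes())
            if findings:
                report[str(path)] = findings
    return report


def build_sample_dll(exports, section_name=b"UPX1"):
    """Construct a minimal PE32 DLL exporting the given names (a test fixture, not real malware)."""
    sec_rva, sec_raw, n = 0x1000, 0x200, len(exports)
    funcs_rva, names_rva = sec_rva + 40, sec_rva + 40 + 4 * n
    ords_rva, strings_rva = names_rva + 4 * n, names_rva + 6 * n
    strings, name_rvas = bytearray(), []
    for name in exports:
        name_rvas.append(strings_rva + len(strings))
        strings += name.encode() + b"\0"
    body = bytearray(40)                                                 # IMAGE_EXPORT_DIRECTORY
    struct.pack_into("<IIIII", body, 20, n, n, funcs_rva, names_rva, ords_rva)
    body += b"".join(struct.pack("<I", 0x1100 + 16 * i) for i in range(n))   # fake code RVAs
    body += b"".join(struct.pack("<I", r) for r in name_rvas)
    body += b"".join(struct.pack("<H", i) for i in range(n))
    body += strings
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                              # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)      # i386, 1 section, DLL
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                                # PE32 magic
    struct.pack_into("<II", opt, 96, sec_rva, len(body))                 # export data directory
    sect = section_name.ljust(8, b"\0") + struct.pack("<IIII", len(body), sec_rva, 0x200, sec_raw) + bytes(16)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect).ljust(sec_raw, b"\0")
    return headers + bytes(body).ljust(0x200, b"\0")
```

Running triage("sdk.mdf", build_sample_dll(["p2p_is_active", "p2p_start"])) returns all three findings, while a .text-section DLL exporting only DllMain returns none. The UPX check is an indicator rather than proof, since section names are trivially renamed; the export-name check is the stronger signal and, unlike the email address, is visible in the file itself.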

The proxyware dropper malware recently being discovered is similar to CoinMiner in that it gains profit by exploiting the infected system’s resources. The malware strains are distributed through adware or installed on vulnerable MS-SQL servers. Users should refrain from installing programs from unknown sources. If database servers are installed on their systems, they should manage access control policies and account credential settings appropriately. V3 should also be updated to the latest version so that malware infections can be prevented.

[File Detection]
– Dropper/Win.Proxyware.C5173477 (2022.07.18.03)
– Dropper/Win.Proxyware.C5173478 (2022.07.18.02)
– Dropper/Win.Proxyware.C5210584 (2022.07.18.02)
– Unwanted/Win.Peer2Profit.R505332 (2022.07.18.02)
– Unwanted/Win.Pawns.C5211846 (2022.07.21.01)
– Unwanted/Win.Pawns.C5211847 (2022.07.21.01)

[IOC]
MD5
Dropper
– 05ed95d997662ee0ba15f76949955bf0
– dd709b8529802d6489311a27372044aa
– 29cbc8a8cdb0e24f3561fac8ac0c0174

Peer2Profit SDK
– b1781c2670a2e0a35a10fb312586beec
– e34d9ec5d43501dc77ee93a4b464d51b

IPRoyal Pawns
– 7f8c85351394fd8221fc84d65b0d8c3e
– 3e4bb392494551a89e090fbe1237f057

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.
