top of page

400,000+ Malware-Infected Machines Used as Proxy Exit Nodes by Threat Actors

As the world becomes more interconnected, the digital landscape evolves with it, becoming the playground of ever-evolving hazards — the newest being cybercriminals using infected Windows and macOS systems as a means of delivering proxy server applications. The malicious players are using these compromised systems as exit nodes, in order to reroute proxy requests, effectively hijacking these machines for their malevolent purposes.

AT&T Alien Labs raised an alert flag, pointing out an unnamed company propagating such a proxifying service. Outfitted with over 400,000 proxy exit nodes, this entity claims that its users knowingly volunteered their devices to be used as exit nodes. However, the reality appears to be quite the contrary.

Evidence accumulated by cybersecurity researchers sheds light on a disturbing fact: rogue players in the field of malware seem to be silently installing this proxy on infected systems. Disturbingly, multiple malicious software families have been seen delivering the proxy, targeting unsuspecting individuals on the hunt for pirated software and games.

What makes this situation even more concerning is that this proxy software is written in the Go programming language, enabling it to target both Window and macOS systems. Windows systems are particularly susceptible, as the software is capable of evading detection using valid digital signatures.

This cunningly malicious software not only follows instructions from a remote server, but also meticulously gleans information about the compromised systems. Data related to running processes, CPU and memory utilization, and battery status is collected without the knowledge or consent of the original user.

The monstrosity doesn't end there. The silent installation of the proxy software engages a secondary payload — the deployment of additional malicious elements such as adware or malware. Notably, profit seems to be a driving factor — this proxy-distributing malware monetization operates through an affiliate program, rapidly pushing the spread of this threat.

AT&T's previous findings on this topic merit mention. It seems infected macOS machines compromised by AdLoad adware are being herded into creating a colossal residential proxy botnet. The unsettling possibility has been raised that the AdLoad operators could be capitalizing on a pay-per-Install campaign.

AdLoad poses an undeniable threat. It is one of the most extensive known adware strains, targeting macOS systems. Disguised as popular video players or other applications, AdLoad hijacks browsers to redirect users to potentially malicious websites, thereby churning up profits for the perpetrators.

This new threat signifies a worrying trend — covert installation of malware-delivered proxy applications is becoming an investment prospect. Not limited to financial loss, this could also infrastructure a company's privacy and integrity.

A growing trend noted is the targeting of macOS systems. In fact, there has been a staggering surge of 1,000% in the dark web's advertisements for information-stealer strains and advanced tools designed to bypass macOS security functions such as Gatekeeper and Transparency, Consent and Control (TCC) since 2019.

Bear in mind, the macOS environment is not the sole target. Windows systems still face threats as evidenced by the infections spreading via pirated software and games. The take away from this, Windows and MacOS, both require stringent cybersecurity measures to defend against evolving malicious players and their tactics.

At Darksteel Technologies, we are an Orlando based business that can handle all aspects of your IT security. Providing compliance, training, malware protection, cloud security, devsecops, vulnerability management, penetration testing, architecture design and any other information security requirement your business needs. We focus on your cybersecurity so you don't have to.


Commenting has been turned off.
bottom of page