In a trend not seen before, cybersecurity researchers have flagged a new malware family that siphons off its victims’ bandwidth, in much the same way cryptomining malware monetizes the victims’ CPU cycles.
According to new research by Cisco’s Talos intelligence group, threat actors have begun abusing internet-sharing apps, commonly referred to as proxyware, like Honeygain, Nanowire, and others.
Proxyware is legitimate software that lets users monetize their unused bandwidth. The platform typically installs a client app that routes the spare bandwidth into a network pool operated by the service provider.
“Malicious actors are taking multiple avenues to monetize these new platforms in their favor. The most obvious one is the silent installation of the platform client to ‘sell’ the victim’s bandwidth without their knowledge,” shared the Talos team.
The perfect gateway
The researchers add that the malware authors don’t just abuse the legitimate platforms; they also go as far as modifying the client so that it no longer sends alerts to the victim, keeping the infection under the radar.
“As these platforms became more popular, the adversaries started to leverage trojanized installers, which install the legitimate platform client as well as digital currency miners and information stealers,” the researchers add.
The researchers have shared details of a new malware family that leverages all the tricks of the new monetization scheme. Not only does it install a patched version of the Honeygain client, it also drops an XMRig miner along with an information stealer to squeeze as much data from the victims as possible.
More significantly, the researchers add that this new type of malware could eventually become popular enough to pose a significant risk to corporate environments.
“Users’ bandwidth can be sold to platform customers to access the internet, while the actions performed by them over this access are logged to the organization’s IP address… These networks may also allow threat actors to obfuscate the source of their attacks, making them appear as if they are originating from legitimate corporate networks,” the researchers summarize, adding that this new malware has the potential to render reputation- or IP-based blocklists ineffective.
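The two behaviours the report describes, a silently installed or modified proxyware client and a steady stream of someone else’s traffic leaving the host, are what a defender would look for on endpoints. The following Python script is an added example and not code from Talos or from any proxyware vendor: it runs two checks over constructed endpoint telemetry (host, hourly bucket, process image name, bytes sent). The first matches image names against platform names mentioned in the report; the actual binary names of the clients are an assumption here and should be replaced with real inventory data. The second flags any non-allowlisted process that keeps sending large volumes for several consecutive hours, which is how a renamed or patched client would still stand out. The thresholds and the allowlist are constructed values.

```python
"""Flag hosts that look like they are running a proxyware client.

Added example, not from the Talos report. It scans constructed endpoint
telemetry records (host, hourly bucket, process name, outbound bytes) for
(1) process names that match known proxyware platform names and
(2) any other process with sustained high outbound volume.
"""
from collections import defaultdict
from dataclasses import dataclass

MiB = 1024 * 1024

# Assumption: client binaries carry the platform name. Real image names
# vary, so treat these as placeholders to be replaced with inventory data.
PROXYWARE_NAMES = {"honeygain", "nanowire"}

# Processes expected to push a lot of data out (backup agents and the like).
# Constructed allowlist for the example.
UPLOAD_ALLOWLIST = {"backupagent.exe"}

# Sustained-upload rule: at least MIN_BUCKETS consecutive hourly buckets
# at or above BYTES_PER_HOUR. Constructed thresholds; tune to your baseline.
BYTES_PER_HOUR = 200 * MiB
MIN_BUCKETS = 3


@dataclass(frozen=True)
class Record:
    host: str
    hour: int        # hourly bucket index
    process: str     # image name as reported by the endpoint agent
    out_bytes: int   # bytes sent by that process in that bucket


def detect(records):
    """Return a list of (host, process, reason) findings."""
    findings = []
    flagged = set()

    # Rule 1: image name contains a known proxyware platform name.
    for r in records:
        key = (r.host, r.process)
        if key in flagged:
            continue
        if any(name in r.process.lower() for name in PROXYWARE_NAMES):
            flagged.add(key)
            findings.append((r.host, r.process, "known proxyware client name"))

    # Rule 2: sustained upload by a process that is not expected to upload.
    series = defaultdict(lambda: defaultdict(int))
    for r in records:
        series[(r.host, r.process)][r.hour] += r.out_bytes

    for (host, proc), buckets in series.items():
        if proc.lower() in UPLOAD_ALLOWLIST or (host, proc) in flagged:
            continue
        run, longest, prev_hour = 0, 0, None
        for hour in sorted(buckets):
            if buckets[hour] >= BYTES_PER_HOUR:
                # Only count the bucket as consecutive if it directly follows the last one.
                run = run + 1 if prev_hour == hour - 1 and run > 0 else 1
            else:
                run = 0
            longest = max(longest, run)
            prev_hour = hour
        if longest >= MIN_BUCKETS:
            findings.append((host, proc, f"sustained upload for {longest} consecutive hours"))
    return findings


# Constructed sample telemetry: one overt client, one renamed client,
# one allowlisted backup agent, one browser with bursty (not sustained) upload.
SAMPLE_RECORDS = (
    [Record("ws-01", h, "svchost.exe", 5 * MiB) for h in range(1, 5)]
    + [Record("ws-01", h, "Honeygain.exe", 150 * MiB) for h in range(1, 5)]
    + [Record("ws-02", h, "updater.exe", 300 * MiB) for h in range(1, 5)]
    + [Record("ws-03", h, "BackupAgent.exe", 900 * MiB) for h in range(1, 5)]
    + [
        Record("ws-04", 1, "chrome.exe", 250 * MiB),
        Record("ws-04", 2, "chrome.exe", 250 * MiB),
        Record("ws-04", 3, "chrome.exe", 10 * MiB),
        Record("ws-04", 4, "chrome.exe", 250 * MiB),
    ]
)


def sample_findings():
    """Run the detector over the constructed telemetry."""
    return detect(SAMPLE_RECORDS)


if __name__ == "__main__":
    for host, proc, reason in sample_findings():
        print(f"{host}: {proc} -> {reason}")
```

On the sample data the script reports the overt Honeygain client on ws-01 and the renamed high-volume process on ws-02, while the allowlisted backup agent and the browser’s bursty uploads are left alone. The name match catches the trojanized-installer case where the legitimate client is dropped unchanged; the volume rule is there for the patched or renamed client the report describes, and it is the one that needs a per-environment baseline before it is useful.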