Cybercriminals Abusing Internet-Sharing Services to Monetize Malware Campaigns

Cyber Security

Threat actors are capitalizing on the growing popularity of proxyware platforms like Honeygain and Nanowire to monetize their own malware campaigns, once again illustrating how attackers are quick to repurpose and weaponize legitimate platforms to their advantage.

“Malware is currently leveraging these platforms to monetize the internet bandwidth of victims, similar to how malicious cryptocurrency mining attempts to monetize the CPU cycles of infected systems,” researchers from Cisco Talos said in a Tuesday analysis. “In many cases, these applications are featured in multi-stage, multi-payload malware attacks that provide adversaries with multiple monetization methods.”

Proxyware, also called internet-sharing applications, are legitimate services that allow users to carve out a percentage of their internet bandwidth for other devices, often for a fee, through a client application offered by the provider, enabling other customers to access the internet using the internet connections offered by nodes on the network. For consumers, such services are “advertised as a means to circumvent geolocation checks on streaming or gaming platforms while generating some income for the user offering up their bandwidth,” the researchers explained.

But the illicit use of proxyware also introduces a multitude of risks in that they could permit threat actors to obfuscate the source of their attacks, thereby not only giving them the ability to perform malicious actions by making it appear as if they are originating from legitimate residential or corporate networks, but also render ineffective conventional network defenses that rely on IP-based blocklists.

“The same mechanisms currently used to monitor and track Tor exit nodes, “anonymous” proxies, and other common traffic obfuscation techniques do not currently exist for tracking nodes within these proxyware networks,” the researchers noted.

That’s not all. Researchers identified several techniques adopted by bad actors, including trojanized proxyware installers that allow for stealthy distribution of information stealers and remote access trojans (RATs) without the victims’ knowledge. In one instance observed by Cisco Talos, attackers were found using the proxyware applications to monetize victims’ network bandwidth to generate revenue as well as exploit the compromised machine’s CPU resources for mining cryptocurrency.

Another case involved a multi-stage malware campaign that culminated in the deployment of an info-stealer, a cryptocurrency mining payload, as well as proxyware software, underscoring the “varied approaches available to adversaries,” who can now go beyond cryptojacking to also plunder valuable data and monetize successful infections in other ways.

Even more concerningly, researchers detected malware that was used to silently install Honeygain on infected systems, and register the client with the adversary’s Honeygain account to profit off the victim’s internet bandwidth. This also means that an attacker can sign up for multiple Honeygain accounts to scale their operation based on the number of infected systems under their control.

“For organizations, these platforms pose two essential problems: The abuse of their resources, eventually being blocklisted due to activities they don’t even control and it increases organizations’ attack surface, potentially creating an initial attack vector directly on the endpoint,” the researchers concluded. “Due to the various risks associated with these platforms, it is recommended that organizations consider prohibiting the use of these applications on corporate assets.”