AhnLab Security Intelligence Center (ASEC) has identified a new proxyjacking attack that installs proxyware through advertisement pages of freeware software sites. The proxyware, signed with a Netlink Connect certificate, is similar to the DigitalPulse proxyware used in previous attacks. Users may unknowingly install a program called AutoClicker, which hijacks their network bandwidth for the benefit of threat actors.
Affected: Windows systems
Key points:
- AhnLab confirms proxyware installation through ad pages of freeware software.
- Proxyjacking allows unauthorized sharing of a system’s Internet bandwidth for profit.
- DigitalPulse proxyware has infected over 400,000 Windows systems in past campaigns.
- The new distribution method uses ad pages that redirect to malware downloads.
- AutoClicker disguises itself as a legitimate program but downloads proxyware.
- The malware employs various techniques to evade analysis and detection.
- Users are advised to avoid suspicious downloads from untrusted websites.
MITRE Techniques:
- Persistence (T1547.001): AutoClicker registers itself in Task Scheduler under the name “FastDiskCleanup”.
- Command and Control (T1071): The downloaded JavaScript connects to a C&C server to send system information.
- Execution (T1059.001): PowerShell is used to execute the downloaded JavaScript malware.
- Defense Evasion (T1562.001): The malware checks for analysis environments to avoid detection.
- Credential Dumping (T1003): The malware may access sensitive information during its execution.
Indicators of Compromise:
- [URL] https[:]//a[.]pairnewtags[.]com/pid/s[.]js
- [URL] https[:]//c[.]pairnewtags[.]com/c[.]txt
- [URL] https[:]//filerit[.]com/k[.]js
- [URL] https[:]//filerit[.]com/pi-240924[.]ps1
- [URL] https[:]//raw[.]githubusercontent[.]com/Evastrea/5Ag3R4ObWH/main/GKPXAP[.]exe
- See the full article for all identified IoCs.
Full Research: https://asec.ahnlab.com/en/85798/
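The indicators above are published defanged, and the persistence item names a scheduled task rather than a hash, so a defender has two things to hunt for: the URLs and hosts in proxy logs, and the task name on endpoints. The following is an added example (not ASEC's code and not from the article) that refangs the listed IoCs and runs them against constructed proxy-log lines and a constructed `schtasks /query /fo csv /v`-style listing. The log format, the client addresses, the file paths in the task listing, and the choice to treat raw.githubusercontent.com as a shared host (matched only by full URL) are all assumptions of the example; the task name "FastDiskCleanup" and the AutoClicker name come from the summary.

```python
"""Hunting helper for the proxyjacking indicators summarized above.

Added example, not ASEC's code. It refangs the defanged IoC URLs, then
looks for them in constructed proxy-log lines and in a constructed
`schtasks /query /fo csv /v`-style listing. The "FastDiskCleanup" task
name comes from the summary; paths in the sample data are placeholders.
"""
import csv
import io
from urllib.parse import urlparse

# IoCs exactly as published (defanged) in the summary.
DEFANGED_URLS = [
    "https[:]//a[.]pairnewtags[.]com/pid/s[.]js",
    "https[:]//c[.]pairnewtags[.]com/c[.]txt",
    "https[:]//filerit[.]com/k[.]js",
    "https[:]//filerit[.]com/pi-240924[.]ps1",
    "https[:]//raw[.]githubusercontent[.]com/Evastrea/5Ag3R4ObWH/main/GKPXAP[.]exe",
]
# Hosts shared with legitimate traffic (assumption): match the full URL only.
SHARED_HOSTS = {"raw.githubusercontent.com"}
# Persistence artefact named in the MITRE section of the summary.
SUSPICIOUS_TASK_NAME = "FastDiskCleanup"


def refang(ioc: str) -> str:
    """Undo bracket defanging ([.] and [:]) and the hxxp scheme convention."""
    s = ioc.replace("[.]", ".").replace("[:]", ":")
    if s.lower().startswith("hxxp"):
        s = "htt" + s[3:]
    return s


def indicator_set(defanged):
    """Split IoCs into exact URLs and hostnames that are safe to match alone."""
    urls, hosts = set(), set()
    for d in defanged:
        u = refang(d)
        urls.add(u)
        host = urlparse(u).hostname
        if host and host not in SHARED_HOSTS:
            hosts.add(host)
    return urls, hosts


def hunt_proxy_log(lines, urls, hosts):
    """Return one hit per line whose URL is an IoC, or whose host is an IoC
    host or a subdomain of one. Assumed line format (constructed):
    '<timestamp> <client-ip> <method> <url> <status>'."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5:
            continue  # malformed line; skip rather than guess
        ts, client, _method, url, _status = parts[:5]
        host = urlparse(url).hostname or ""
        if url in urls:
            reason = "url"
        elif any(host == h or host.endswith("." + h) for h in hosts):
            reason = "host"
        else:
            continue
        hits.append({"time": ts, "client": client, "url": url, "reason": reason})
    return hits


def hunt_scheduled_tasks(csv_text, task_name=SUSPICIOUS_TASK_NAME):
    """Flag tasks whose leaf name matches the reported persistence name, or
    whose command runs an AutoClicker binary, from schtasks CSV output."""
    flagged = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        leaf = row["TaskName"].rsplit("\\", 1)[-1]
        command = row.get("Task To Run", "")
        if leaf.lower() == task_name.lower() or "autoclicker" in command.lower():
            flagged.append((row["TaskName"], command))
    return flagged


# Constructed sample data (not from the article).
SAMPLE_PROXY_LOG = [
    "2024-09-25T10:01:02Z 10.0.0.12 GET https://a.pairnewtags.com/pid/s.js 200",
    "2024-09-25T10:01:05Z 10.0.0.12 GET https://c.pairnewtags.com/c.txt 200",
    "2024-09-25T10:01:09Z 10.0.0.12 GET https://raw.githubusercontent.com/Evastrea/5Ag3R4ObWH/main/GKPXAP.exe 200",
    "2024-09-25T10:02:00Z 10.0.0.33 GET https://raw.githubusercontent.com/python/cpython/main/README.rst 200",
    "2024-09-25T10:03:11Z 10.0.0.12 GET https://filerit.com/other.html 404",
    "2024-09-25T10:04:00Z 10.0.0.40 GET https://www.example.com/ 200",
]
# Trimmed subset of the columns `schtasks /query /fo csv /v` emits; the
# AutoClicker path is a placeholder, not a path reported by the article.
SAMPLE_TASKS_CSV = r'''"HostName","TaskName","Status","Author","Task To Run"
"WS01","\FastDiskCleanup","Ready","WS01\user","C:\PLACEHOLDER_PATH\AutoClicker.exe"
"WS01","\Microsoft\Windows\Defrag\ScheduledDefrag","Ready","Microsoft Corporation","%windir%\system32\defrag.exe -c -h -o -$"
'''

if __name__ == "__main__":
    urls, hosts = indicator_set(DEFANGED_URLS)
    for hit in hunt_proxy_log(SAMPLE_PROXY_LOG, urls, hosts):
        print(f"[proxy] {hit['time']} {hit['client']} {hit['url']} ({hit['reason']})")
    for name, cmd in hunt_scheduled_tasks(SAMPLE_TASKS_CSV):
        print(f"[task] {name} -> {cmd}")
```

Two design points: the GitHub URL is matched only as a full URL, because blocking or alerting on raw.githubusercontent.com as a host would flood on legitimate traffic, while the pairnewtags.com and filerit.com hosts are attacker-controlled in this campaign and can be matched at host level (including subdomains). Whether to widen those to the registrable domain is a judgement call the page does not settle.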