According to Cisco Talos researchers, the use of "proxyware" is becoming increasingly common in the cybercrime world. Attackers are now stealing their victims' internet bandwidth to silently generate revenue.
Proxyware is internet-sharing software that lets a user sell a portion of their connection's bandwidth to a proxy provider, which routes its customers' traffic through the user's IP address. The legitimate apps pay the user for the traffic relayed through their connection, typically by volume. That same technology is now being abused by cybercriminals.
Attackers follow the same route: they enroll compromised machines in services from legitimate companies such as Honeygain, Nanowire, and PacketStream and collect the payout for the victim's bandwidth.
Proxyware is often abused in the same way as legitimate cryptocurrency mining software: it is installed covertly, either as the main payload or as a side component, and attackers take measures to keep the victim from noticing its presence.
Cisco Talos has identified several cases where proxyware was part of a multi-stage attack. In those cases, the legitimate proxyware client was bundled into trojanized installers alongside malicious code.
One campaign used a legitimate Honeygain package to drop a cryptocurrency miner. The same campaign also redirected the victim to a landing page carrying the attacker's Honeygain referral codes, so the attacker earned a referral commission for every victim who signed up for an account.
Another method is to install Honeygain on a compromised PC with the software registered to the attacker's own account, so that the victim's bandwidth earns the attacker income.
“While Honeygain limits the number of devices operating under a single account, there is nothing to stop an attacker from registering multiple Honeygain accounts to scale their operation based on the number of infected systems under their control,” the researchers say.
In another instance, the attackers dropped not only proxyware but also a cryptocurrency miner and an information stealer, used to harvest credentials and other valuable data.
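The pattern described above, in which a trojanized installer drops a proxyware client as a side component next to a miner or stealer, suggests a simple triage check for defenders: find the proxyware process, then pivot on its parent to surface whatever else the same installer launched. The following is an added example written for this page; it is not code from the article or from Cisco Talos. The name markers are an assumption derived from the vendors the article names, not a vetted indicator list, and the process inventory is constructed for illustration.

```python
"""Hunt a process inventory for proxyware and the payloads installed alongside it.

Added example, not code from the article or from Cisco Talos. The marker list
and the inventory below are constructed assumptions for illustration only.
"""
from __future__ import annotations

from dataclasses import dataclass

# Assumed: substrings likely to appear in the process name or image path of the
# proxyware clients the article names. Extend and verify before relying on it.
PROXYWARE_MARKERS = ("honeygain", "nanowire", "packetstream")


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    name: str
    path: str


def is_proxyware(proc: Proc) -> bool:
    """Case-insensitive match of the process name or image path against the markers."""
    hay = f"{proc.name} {proc.path}".lower()
    return any(marker in hay for marker in PROXYWARE_MARKERS)


def triage(inventory: list[Proc]) -> dict[str, list[Proc]]:
    """Return proxyware processes, their still-running parents, and sibling
    processes that share a parent with them.

    A miner or stealer dropped by the same trojanized installer usually shows
    up as such a sibling, which is why the pivot is on the parent PID rather
    than on the proxyware process alone.
    """
    by_pid = {p.pid: p for p in inventory}
    hits = [p for p in inventory if is_proxyware(p)]

    siblings: dict[int, Proc] = {}  # keyed by pid to avoid duplicates
    for hit in hits:
        for p in inventory:
            if p.ppid == hit.ppid and p.pid != hit.pid and not is_proxyware(p):
                siblings[p.pid] = p

    # The installer may already have exited, so only parents still present are listed.
    parents = {by_pid[h.ppid].pid: by_pid[h.ppid] for h in hits if h.ppid in by_pid}

    return {
        "proxyware": hits,
        "siblings": sorted(siblings.values(), key=lambda p: p.pid),
        "parents": sorted(parents.values(), key=lambda p: p.pid),
    }


# Constructed inventory modelling a trojanized game installer (pid 1200) that
# launched a proxyware client and a second, unrelated-looking binary.
SAMPLE_INVENTORY = [
    Proc(4, 0, "System", ""),
    Proc(520, 4, "explorer.exe", r"C:\Windows\explorer.exe"),
    Proc(1200, 520, "setup_game.exe", r"C:\Users\victim\Downloads\setup_game.exe"),
    Proc(1300, 1200, "honeygain.exe", r"C:\Users\victim\AppData\Local\Temp\hg\honeygain.exe"),
    Proc(1310, 1200, "svchost32.exe", r"C:\Users\victim\AppData\Roaming\svchost32.exe"),
    Proc(1400, 520, "notepad.exe", r"C:\Windows\System32\notepad.exe"),
]


if __name__ == "__main__":
    result = triage(SAMPLE_INVENTORY)
    for label, procs in result.items():
        print(label)
        for p in procs:
            print(f"  pid={p.pid} ppid={p.ppid} {p.name} {p.path}")
```

On a live host the inventory would come from `tasklist` or a `ps` listing with parent PIDs; the siblings list is what deserves a closer look, since the proxyware client itself may be the vendor's unmodified, signed binary and will pass a signature check.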
“This is a recent trend, but the potential to grow is enormous,” Cisco Talos says. “We are already seeing serious abuse by threat actors that stand to make a significant amount of money off these attacks. These platforms also pose new challenges for researchers, since there is no way to identify a connection through these kinds of networks — the origin IP becomes even less meaningful in an investigation.”