A recent report from the AhnLab Security Intelligence Center (ASEC) detailed the spread of DigitalPulse proxyware via ad pages on freeware software websites. This proxyware, previously associated with large-scale proxyjacking campaigns, is now reemerging with a new distribution method and slight modifications to its signature.
Proxyjacking involves the unauthorized installation of proxyware on an unsuspecting user’s system, enabling attackers to sell stolen bandwidth for financial gain. According to ASEC, “Users who install the program are usually paid with a certain amount of cash in exchange for providing the bandwidth. If the threat actor secretly installs proxyware to the infected system without the user’s consent, the infected system involuntarily has its bandwidth stolen and the profit is redirected to the threat actor.”
The DigitalPulse proxyware, responsible for infecting over 400,000 Windows systems during past campaigns, has resurfaced. In the latest wave, the malware is signed with a “Netlink Connect” certificate, adding a veneer of legitimacy.
The new attack vector leverages ad pages on freeware websites. When users attempt to download legitimate programs like YouTube downloaders, they may inadvertently install malware via popup ads. ASEC noted, “Clicking on the webpage pops up an advertisement page. This page randomly redirects to various PUP, malware, or ad pages.”
One of the malware installers, disguised as a program named AutoClicker, downloads the proxyware in the background. “AutoClicker.exe is actually a downloader malware strain with a routine inserted to download proxyware,” the report explains.
DigitalPulse employs sophisticated techniques to evade detection and analysis:
- Anti-Virtual Machine Checks: It identifies virtualized environments by inspecting DLLs, firmware information, and named services associated with sandbox tools like VMware and VirtualBox.
- Browser History Checks: The malware examines the size of web browser history files. ASEC highlighted, “It prevents the malicious routine from executing if the history file is below a certain size.”
These measures complicate efforts by security researchers to analyze and mitigate the threat.
Once deployed, AutoClicker uses a PowerShell script to download and install DigitalPulse. The script registers a scheduled task under the name “Network Performance” to maintain persistence. ASEC detailed the process: “The PowerShell command downloads proxyware from GitHub and registers it in the Task Scheduler under the name ‘Network Performance.’”
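The persistence pattern above (a scheduled task named "Network Performance" whose action is a PowerShell download) is something a defender can hunt for directly. The script below is an added example, not code from the ASEC report; it assumes the ScheduledTasks module (Windows 8 / Server 2012 and later) and treats the indicator strings as assumptions beyond the task name quoted in the article.

```powershell
# Added hunting example (not from the ASEC report): enumerate scheduled tasks and
# flag any that match the persistence pattern described above.
$SuspiciousTaskNames = @('Network Performance')   # name quoted in the report
# Assumed indicators of a download-and-execute PowerShell action (not from the page).
$DownloadIndicators  = @('DownloadFile', 'DownloadString', 'Invoke-WebRequest',
                         'iwr ', 'curl ', 'wget ', 'github.com', '-EncodedCommand', '-enc ')

function Find-SuspiciousScheduledTask {
    [CmdletBinding()]
    param()
    foreach ($task in Get-ScheduledTask) {
        $reasons = @()
        if ($SuspiciousTaskNames -contains $task.TaskName) {
            $reasons += 'task name matches the proxyware persistence name'
        }
        foreach ($action in $task.Actions) {
            # Only exec actions carry Execute/Arguments; other action types yield empty strings.
            $cmd = "$($action.Execute) $($action.Arguments)"
            if ($cmd -match 'powershell|pwsh') {
                foreach ($ind in $DownloadIndicators) {
                    if ($cmd -like "*$ind*") { $reasons += "PowerShell action contains '$ind'" }
                }
            }
        }
        if ($reasons.Count -gt 0) {
            $info = Get-ScheduledTaskInfo -TaskName $task.TaskName -TaskPath $task.TaskPath
            [pscustomobject]@{
                TaskName = $task.TaskName
                TaskPath = $task.TaskPath
                State    = $task.State
                Author   = $task.Author
                LastRun  = $info.LastRunTime
                Actions  = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join ' ; '
                Reasons  = ($reasons | Select-Object -Unique) -join '; '
            }
        }
    }
}

# Run from an elevated prompt so tasks registered by other accounts are visible.
Find-SuspiciousScheduledTask | Format-List
```

A hit on the task name alone is the strongest signal; the download-indicator matches will also surface legitimate administrative tasks, so review the Actions column before removing anything.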
DigitalPulse, while offering a seemingly harmless service of bandwidth sharing, poses significant risks when installed without user consent. ASEC warns, “Proxyware malware strains are similar to CoinMiners in that they gain profit by utilizing the system’s resources.” The reemergence of DigitalPulse, especially with its extensive reach, underscores the need for vigilance.