Posted on July 31, 2022 at 9:15 PM
Security researchers have uncovered a campaign in which threat actors compromise Microsoft SQL servers to steal bandwidth for proxy services. The attackers turn the machines into proxies that are then rented out through online proxy services.
The threat actors steal the devices’ bandwidth by installing software known as “proxyware”. Proxyware offers the device’s spare internet bandwidth as a proxy server, which remote users can rent for tasks such as market research, content distribution, intelligence collection, and testing. Because of how proxyware works, all of this can be done remotely.
These proxies are also popular with botters, since they provide access to residential IP addresses that have not been blacklisted by online retailers.
More Malware Campaigns Now Install Proxyware
Device owners who share their bandwidth with remote users receive a share of the fees charged to customers. Some users report making about $6,000 a month from Peer2Profit simply by installing the firm’s software on thousands of devices.
Researchers at the South Korean security company Ahnlab published a report showing a rise in malware campaigns that install proxyware. The operators earn money by sharing bandwidth from their victims’ networks.
The attackers collect the payouts by registering their own email address as the proxyware account on the victim’s device. While the sharing is ongoing, the victim may notice only a slight hiccup or some connectivity slowdown.
During their investigation, the Ahnlab researchers examined how the proxyware clients for the IPRoyal and Peer2Profit services were installed through adware bundles and other malware strains. According to the researchers, the malware first checks whether the proxy client is already running on the host; if it is not active, the malware launches it with the “p2p-star()” function.
In the case of IPRoyal Pawns, the malware also installs the CLI version of the client rather than the GUI version, so that the process runs quietly in the background without being noticed.
Hackers Can Use The Bandwidth For Illegal Activities
In a recently observed case, the threat actors deployed Pawns as a DLL, with their email address and password embedded as encoded strings, and launched it through the “startMainRoutine()” and “Initialize()” functions.
Once the proxyware is installed, the service lists the device as a proxy available for whatever tasks its customers want to perform online. The trouble is that other criminals can rent these proxies too, and use them for illegal activity while the victim remains completely unaware.
The Ahnlab report noted that the threat actors operating the malware are generating revenue from the scheme. They have also been seen targeting MS-SQL servers to install Peer2Profit clients.
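A check a SOC could run on the servers described here, written as an added example for this article rather than taken from the Ahnlab report: it assumes the proxyware client is installed by running commands from the compromised SQL Server service, so it flags process-creation events whose parent is sqlservr.exe. The event records are constructed and modelled on Sysmon’s process-creation fields; the allow-list of legitimate child processes is an assumption to tune for your own environment.

```python
"""Hunt for processes spawned by the SQL Server service process.

Added example: the event records below are constructed, shaped like
Sysmon process-creation events; the article itself lists no such logs.
"""
from __future__ import annotations

import ntpath

SQL_SERVICE_IMAGE = "sqlservr.exe"

# Script hosts and loaders the database engine should never launch directly.
SHELL_IMAGES = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
    "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe",
}

# Children SQL Server does spawn legitimately. Assumption: tune per environment.
ALLOWED_CHILDREN = {"sqldumper.exe"}


def image_name(path: str) -> str:
    """Return the lower-cased file name of a Windows image path."""
    return ntpath.basename(path).lower()


def classify(event: dict) -> dict | None:
    """Return a finding for one process-creation event, or None if benign."""
    if image_name(event["ParentImage"]) != SQL_SERVICE_IMAGE:
        return None
    child = image_name(event["Image"])
    if child in ALLOWED_CHILDREN:
        return None
    # A shell or loader under sqlservr.exe is the strongest signal; any other
    # unexpected child still deserves a look, since a proxyware installer is
    # just an ordinary executable.
    severity = "high" if child in SHELL_IMAGES else "medium"
    return {
        "time": event["UtcTime"],
        "severity": severity,
        "child": child,
        "command_line": event["CommandLine"],
        "reason": f"{SQL_SERVICE_IMAGE} spawned {child}",
    }


def hunt(events: list[dict]) -> list[dict]:
    """Run classify() over a batch of events and return only the findings."""
    return [f for f in (classify(e) for e in events) if f is not None]


SQL_BINN = r"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn"

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"UtcTime": "2022-06-12 03:14:07", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
    {"UtcTime": "2022-06-12 03:15:22", "ParentImage": SQL_BINN + r"\sqlservr.exe",
     "Image": SQL_BINN + r"\sqldumper.exe", "CommandLine": "sqldumper.exe 4120 0 0x0100"},
    {"UtcTime": "2022-06-12 03:16:41", "ParentImage": SQL_BINN + r"\sqlservr.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c dir C:\\Windows\\Temp"},
    {"UtcTime": "2022-06-12 03:16:43", "ParentImage": SQL_BINN + r"\sqlservr.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\Temp\sample.dll,EntryPoint"},
    {"UtcTime": "2022-06-12 03:16:50", "ParentImage": SQL_BINN + r"\sqlservr.exe",
     "Image": r"C:\Windows\Temp\svc_update.exe", "CommandLine": "svc_update.exe --quiet"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(f"[{finding['severity']}] {finding['time']} {finding['reason']}: "
              f"{finding['command_line']}")
```

Run against the constructed batch, the first two events are benign (a user shell under explorer.exe, and a crash-dump helper SQL Server legitimately spawns) and the remaining three are flagged; feed it real process-creation telemetry instead of SAMPLE_EVENTS to use it as a hunt.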
The report shows that the activity has been ongoing since June 2022. Logs from compromised systems also show a UPX-packed database file named “sdk.mdf” on the infected hosts.
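A UPX-packed file carries traces a responder can look for without executing it: the stock packer names its sections UPX0 and UPX1 and writes a “UPX!” magic into the image. The following added example, not code from the Ahnlab report, parses the PE section table and looks for those traces; the sample byte strings are constructed, and a file recovered from a host would be checked with triage_path() on its real path. Modified packers can rename the sections or strip the marker, so a negative result is a hint, not proof.

```python
"""Triage a suspicious file for UPX packing by inspecting its PE structure.

Added example: the byte strings below are constructed test inputs, not the
file from the report.
"""
from __future__ import annotations

import struct


def pe_section_names(data: bytes) -> list[str] | None:
    """Return the PE section names, or None if data is not a parseable PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    coff = e_lfanew + 4                        # start of the COFF file header
    if len(data) < coff + 20:
        return None
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)
    (opt_header_size,) = struct.unpack_from("<H", data, coff + 16)
    table = coff + 20 + opt_header_size        # section table follows the optional header
    names = []
    for i in range(num_sections):
        off = table + i * 40                   # each IMAGE_SECTION_HEADER is 40 bytes
        if off + 40 > len(data):
            break                              # truncated image: keep what we have
        raw = data[off:off + 8].rstrip(b"\0")
        names.append(raw.decode("ascii", "replace"))
    return names


def upx_triage(data: bytes) -> dict:
    """Report whether a blob parses as a PE and whether it carries UPX traces."""
    names = pe_section_names(data)
    upx_sections = [n for n in (names or []) if n.upper().startswith("UPX")]
    marker = b"UPX!" in data                   # magic of the UPX l_info header
    if upx_sections or marker:
        verdict = "upx-packed"
    elif names is not None:
        verdict = "pe-not-upx"
    else:
        verdict = "not-pe"
    return {"is_pe": names is not None, "section_names": names or [],
            "upx_sections": upx_sections, "upx_marker": marker, "verdict": verdict}


def triage_path(path: str) -> dict:
    """Convenience wrapper: read a file from disk and triage its contents."""
    with open(path, "rb") as fh:
        return upx_triage(fh.read())


def build_fake_pe(section_names: list[str], trailer: bytes = b"") -> bytes:
    """Construct a minimal, non-loadable PE-shaped blob for exercising the parser."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine=I386, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader=0, Characteristics
    coff_header = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0)
    sections = b"".join(n.encode("ascii").ljust(8, b"\0") + b"\0" * 32
                        for n in section_names)
    return dos_header + b"PE\0\0" + coff_header + sections + trailer


# Constructed samples: a UPX-style layout, a plain PE, and a non-PE blob.
PACKED_SAMPLE = build_fake_pe(["UPX0", "UPX1", ".rsrc"], b"UPX!" + b"\0" * 16)
CLEAN_SAMPLE = build_fake_pe([".text", ".rdata", ".data"])
NOT_PE_SAMPLE = b"\x01\x0f\x00\x00" + b"\0" * 60

if __name__ == "__main__":
    for label, blob in (("packed", PACKED_SAMPLE), ("clean", CLEAN_SAMPLE),
                        ("not-pe", NOT_PE_SAMPLE)):
        print(label, upx_triage(blob)["verdict"])
```

The parser is deliberately tolerant of truncated images so that a partially recovered file still yields whatever section names survive; a file with a database extension that parses as a PE at all is already worth a closer look.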
Crypto Coin Miners Are Major Targets
Most threat actors who target Microsoft SQL servers do so to run cryptocurrency coin miners on them, a practice known as cryptojacking. In other cases, the attackers use the server as an entry point into the network by deploying Cobalt Strike beacons.
In several cases, threat actors prefer proxyware because it lets them stay hidden on the affected systems for a long time, and the longer they remain undetected, the more they can earn. It is not clear, however, how much money the attackers are making from this method.
Microsoft SQL servers are also usually found in data centers or corporate networks with large amounts of internet bandwidth, where bandwidth sharing can go on for a long time without the host noticing anything odd. The approach also keeps the attackers hidden and makes it very difficult to trace the activity back to them: they sell bandwidth stolen from one network to customers on another, and keep collecting fees for a service rendered with stolen resources.