Aman Mishra
2025-08-14 03:15:00
gbhackers.com
The AhnLab Security Intelligence Center (ASEC) has uncovered fresh instances of proxyware distribution by threat actors leveraging deceptive advertising on freeware sites.
Building on prior reports, such as the “DigitalPulse Proxyware Being Distributed Through Ad Pages” analysis, this campaign continues to exploit unwitting users in South Korea, installing unauthorized bandwidth-sharing tools like DigitalPulse and Honeygain.
These attacks exemplify proxyjacking, where malicious actors surreptitiously deploy proxyware to monetize victims’ internet resources without consent, mirroring the resource exploitation seen in cryptojacking but focusing on network bandwidth rather than computational power for cryptocurrency mining.
Proxyjacking involves the illicit installation of proxyware, software designed to allocate a portion of a system’s bandwidth to external entities in exchange for compensation.
When deployed non-consensually, it results in bandwidth theft, with profits funneled to attackers.
Historical precedents include a 2023 campaign documented by LevelBlue, which compromised over 400,000 Windows systems via DigitalPulse.
ASEC’s monitoring reveals sustained activity in Korea, with recent infections employing similar tactics but incorporating variants like Honeygain’s proxyware.
YouTube Video Download Pages
Threat actors are disguising malware as legitimate YouTube video downloaders, capitalizing on users who search for free tools via search engines.
Victims entering a video URL encounter seemingly benign sites offering a “Download Now” button, which redirects to ad-laden pages or direct malware downloads.

Utilizing GitHub repositories as a distribution vector, attackers upload executables that initiate the infection chain.
The malware, often disguised as “QuickScreenRecorder.exe,” executes a PowerShell script that performs anti-analysis checks for sandboxes and virtual machines before proceeding to install proxyware.
The infection flow remains consistent with prior incidents: after evasion routines, the script installs NodeJS, fetches malicious JavaScript, and schedules tasks under names like “DefragDiskCleanup.”
This JavaScript communicates with command-and-control (C&C) servers, relaying system telemetry and receiving PowerShell commands to deploy the proxyware.
In most cases, DigitalPulse is installed, but variants introduce Honeygain’s “hgsdk.dll” alongside a launcher “FastCleanPlus.exe,” registered in the task scheduler.
The launcher invokes the DLL’s hgsdk_start() function using the attacker’s API key, enabling bandwidth sharing.
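A defender-side hunt for the scheduled-task traits described above, added here as an example and not taken from ASEC or the original article: it parses `schtasks /query /fo csv /v` output and flags the task name and launcher the article reports. The sample rows, the `hunt_tasks` name and the Node.js heuristic are assumptions made for illustration.

```python
import csv
import io
import re

# Names reported in the article. It says tasks use names "like" this one,
# so the name check is combined with checks on what the task executes.
TASK_NAMES = {"defragdiskcleanup"}
BINARIES = {"fastcleanplus.exe"}
# Assumption (not from the article): node.exe running a .js file from a
# scheduled task is rare on end-user hosts, so it is flagged for review.
NODE_RUNS_JS = re.compile(r"\bnode(\.exe)?\b.*\.js\b", re.IGNORECASE)
EXE_NAME = re.compile(r'[^\\/"\s]+\.exe', re.IGNORECASE)

# Constructed sample of `schtasks /query /fo csv /v` output, reduced to four
# of its columns. The real output repeats the header row per task folder.
SAMPLE = r'''"HostName","TaskName","Status","Task To Run"
"PC01","\DefragDiskCleanup","Ready","C:\ProgramData\nodejs\node.exe C:\ProgramData\nodejs\task.js"
"HostName","TaskName","Status","Task To Run"
"PC01","\Microsoft\Windows\Defrag\ScheduledDefrag","Ready","%windir%\system32\defrag.exe -c -h -k -g -$"
"PC01","\Updater","Ready","C:\Users\user\AppData\Local\Temp\FASTCLEANPLUS.EXE"
"PC01","\BuildDocs","Ready","C:\Program Files\nodejs\node.exe D:\site\build.js"
'''


def hunt_tasks(schtasks_csv):
    """Return one (task, level, reasons) tuple per task matching a trait."""
    findings, header = [], None
    for row in csv.reader(io.StringIO(schtasks_csv)):
        if row and row[0] == "HostName":    # header, possibly repeated
            header = row
            continue
        if header is None or len(row) != len(header):
            continue                        # skip blank or malformed rows
        rec = dict(zip(header, row))
        name = rec["TaskName"].rsplit("\\", 1)[-1].lower()
        action = rec["Task To Run"]
        reasons = []
        if name in TASK_NAMES:
            reasons.append("task-name")
        if BINARIES & {m.lower() for m in EXE_NAME.findall(action)}:
            reasons.append("launcher-binary")
        if NODE_RUNS_JS.search(action):
            reasons.append("node-runs-js")
        if reasons:
            # Only the generic heuristic fired: review, do not auto-remediate.
            level = "review" if reasons == ["node-runs-js"] else "match"
            findings.append((rec["TaskName"], level, reasons))
    return findings
```

The `review` level exists because legitimate build or automation jobs also run Node.js from the task scheduler, as the constructed `\BuildDocs` row shows.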
Malware Analysis
Detailed dissection shows the malware’s modular design, with PowerShell scripts handling downloads and executions.

Responses from C&C servers often include commands to fetch compressed archives containing Honeygain components.
Detection signatures from ASEC include Dropper/Win.Proxyware.C5783593 and behavioral indicators like Execution/MDP.Powershell.M2514, emphasizing the need for robust endpoint protection.
This campaign underscores the risks of downloading from unofficial sources rife with ads and pop-ups. Users should verify site authenticity and employ security solutions like V3 to scan for infections.
As proxyjacking evolves, blending with established malware families, proactive monitoring of indicators of compromise (IoCs) is crucial to thwart these resource-exploiting threats.
Indicators of Compromise (IoCs)
Type | Indicator | Description |
---|---|---|
Detection | Dropper/Win.Proxyware.C5783593 (2025.07.30.02) | File detection signature |
Detection | Unwanted/Win.Proxyware.R712792 (2025.07.14.00) | File detection signature |
Detection | Execution/MDP.Powershell.M2514 | Behavioral diagnosis |