The rise of malicious cyber activities is like a fire spreading through a forest; each new attack, such as masquerading, exploiting public-facing applications, exploiting external remote services, and creating or modifying system processes, is like a spark that ignites a new flame.
• T1127 – Exploitation of Remote Services
• T1090 – Connection Proxy
• T1071 – Application Layer Protocol
• T1486 – Data Encrypted for Impact
• T1484 – Deobfuscate/Decode Files or Information
• T1036 – Masquerading
Summary: AT&T Alien Labs researchers recently discovered a massive campaign of threats delivering a proxy server application to Windows machines, with a company charging for proxy service on traffic routed through those machines. The application is written in the Go programming language, which lets it be compiled into binaries for various operating systems. It is code-signed, which helps it evade detection by security companies, and is installed silently on the system. It communicates with its command-and-control (C2) server on port 7001 to receive further instructions, and it transmits specific parameters that the proxy C2 infrastructure uses to identify the origin of each proxy installation. The monetization of malware that propagates proxy servers is a troublesome development, as it encourages malicious actors to increase the speed at which this threat spreads.
Bullet points:
• AT&T Alien Labs recently discovered a massive campaign of threats delivering a proxy server application to Windows machines
• The application is written in the Go programming language and is signed, allowing it to evade detection from security companies
• It is installed silently on the system, communicating with its command and control on port 7001 to receive further instructions and transmit specific parameters
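The one concrete network indicator above is the C2 port, 7001. The following hunting script is an added example written for this page, not AT&T Alien Labs tooling, and it runs over constructed Sysmon-style network-connection records (hypothetical hosts, paths and IPs). It flags TCP connections to port 7001 only when corroborating signals are present, because port 7001 also carries legitimate traffic (it is, for instance, the default Oracle WebLogic listener port). It deliberately does not treat a valid code signature as an exclusion, since the summary notes the proxy binary is signed.

```python
"""Hunt for outbound TCP/7001 connections with corroborating signals.

Added illustration for the proxy-propagation summary above; the records
below are constructed, not real telemetry, and the field names mirror a
Sysmon Event ID 3 (network connection) event so the logic maps onto real logs.
"""

import json
from collections import defaultdict

C2_PORT = 7001  # C2 port reported for the campaign

# Constructed sample events (hypothetical hosts, paths and IPs).
SAMPLE_EVENTS = [
    {"host": "ws01", "image": r"C:\Users\a\AppData\Local\Temp\svc.exe",
     "dst_ip": "203.0.113.10", "dst_port": 7001, "proto": "tcp", "signed": True},
    {"host": "ws01", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dst_ip": "198.51.100.7", "dst_port": 443, "proto": "tcp", "signed": True},
    {"host": "ws02", "image": r"C:\Users\b\Downloads\setup.exe",
     "dst_ip": "203.0.113.10", "dst_port": 7001, "proto": "tcp", "signed": True},
    {"host": "srv-weblogic", "image": r"C:\Oracle\Middleware\jdk\bin\java.exe",
     "dst_ip": "10.0.0.5", "dst_port": 7001, "proto": "tcp", "signed": True},
    {"host": "ws03", "image": r"C:\Windows\System32\svchost.exe",
     "dst_ip": "10.0.0.9", "dst_port": 445, "proto": "tcp", "signed": True},
]

# Locations from which a silently dropped binary is likely to execute.
USER_WRITABLE_PREFIXES = (
    "c:\\users\\",
    "c:\\programdata\\",
    "c:\\windows\\temp\\",
)


def is_user_writable_path(image):
    """True if the executing image lives under a user-writable directory."""
    return image.lower().startswith(USER_WRITABLE_PREFIXES)


def is_private_ip(ip):
    """RFC 1918 check: internal port-7001 traffic is usually legitimate."""
    a, b, _, _ = (int(x) for x in ip.split("."))
    return a == 10 or (a == 172 and 16 <= b <= 31) or (a == 192 and b == 168)


def score_event(ev):
    """Return the list of suspicious traits for one event (empty if none).

    The 'signed' field is intentionally ignored: the summary states the
    proxy binary is signed, so a valid signature must not exclude an event.
    """
    reasons = []
    if ev["proto"] != "tcp" or ev["dst_port"] != C2_PORT:
        return reasons
    reasons.append("dst_port_7001")
    if not is_private_ip(ev["dst_ip"]):
        reasons.append("external_destination")
    if is_user_writable_path(ev["image"]):
        reasons.append("image_in_user_writable_path")
    return reasons


def hunt(events, min_reasons=2):
    """Return events carrying at least `min_reasons` suspicious traits."""
    hits = []
    for ev in events:
        reasons = score_event(ev)
        if len(reasons) >= min_reasons:
            hits.append({"host": ev["host"], "image": ev["image"],
                         "dst_ip": ev["dst_ip"], "reasons": reasons})
    return hits


def hosts_per_destination(hits):
    """Count distinct hosts per destination: several endpoints reaching the
    same external 7001 listener is a stronger campaign signal than one."""
    by_dst = defaultdict(set)
    for h in hits:
        by_dst[h["dst_ip"]].add(h["host"])
    return {ip: len(hosts) for ip, hosts in by_dst.items()}


if __name__ == "__main__":
    found = hunt(SAMPLE_EVENTS)
    for h in found:
        print(json.dumps(h))
    print(hosts_per_destination(found))
```

In the constructed sample the WebLogic server's internal port-7001 connection is dropped (only one trait), while the two workstation binaries running from user-writable paths and reaching the same external address are reported; a real deployment would feed Sysmon or EDR network events in and treat the output as hunting leads to be confirmed, not as convictions.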