Get in Touch

Get in Touch

Get in Touch

Please get in touch using the form below.

Close form

Home / Threat Intelligence bulletins / Malware operators hijacking bandwidth using 'Proxyware'

Overview

Residential proxy networks are a legitimate service which can be used for fraud prevention.
For example, they might be used to check how ads get served on a website to different users around the world.

For this to work, businesses need to make their web requests appear like normal user traffic so they pay users to let them redirect data through home networks.

Now criminals have caught on to the fact that this bandwidth can be sold they’ve started including the proxy software in malware.

Impact

Use of these services on a network, whether it be from malware or rogue insiders can have several negative consequences.

– network degradation (bandwidth used up)
– unexpected costs (on metered connections)
– possibility of malicious traffic coming from your IP
– reputational damage
– legitimate services may block your IP based on fraud detection
– internal network access

Detection

Endpoint monitoring solutions can be used to detect traffic related to these services.

Affected Networks

While malicious bandwidth usage could be a problem for any hacking victim, this particular threat is targeted at users on residential networks.

For a smaller company, without a business line, this could be the entire estate or in larger companies, the targets may be workstations used by remote employees.

Containment, Mitigations & Remediations

If these services are not being used, companies may wish to block access to domains at a firewall level.

Indicators of Compromise

Domains

ariesbee[.]com
bootesbee[.]com
aurigabee[.]xyz
analytics[.]honeygain[.]com
api[.]honeygain[.]com
download[.]honeygain[.]com
www[.]xsvpn[.]cf
terminist-journal[.]000webhostapp[.]com
r[.]honeygain[.]money

SHA-256

086dd09e67cbf05bf8c1b2561cf691239b815405ed67a6aa72b50f893f1122e9
1421a79bdfd81204a790fd251c2e8fe89e1a1dee8a8474f1f31b931bce5f31c5
17792e110e2fc30559c33016f08c8ed8923c409c0950a98bbcde48be349f97cf
21ffcc6fd78d7d2a349556c96eca0671184ba67fc5f3f743185936750eb2bf76
2601dceab5674a229c06773e90b7c290fe660be2ac42a006eb3ba1161817eb35
2644f696d1b204838cbadaf46a3c804e76a769b22c72ea7aa03a51e8c1e68b3d
29f528be9fed9d4b8dff6717fdbc4cd76af5220ce0a8bbbdf9d4a9eda924b9bd
2b418045a2d3b7f3fdcbbbdb163778eb71b759972ba36a3800bf0c8b168ef161
34e7feb3916d569544b635d022d828142814f387805fd051627aa548986e9c64
3f85c476599f081fc17e141c69b53b1abf5069b0fbc1b62133daaaae486fd587
496b0fdd817adac8f8f7e988b081798be5ed7dc1b5b17ce7a129e3913975ced0
4b50a883cb3a3b561002de895db665735be17f342d4a484c9a994df9e360f94c
53a48d3314d4c4660931653821496415ba9687e4f14b458d9cf61cc96632c131
57e2032cd6fdf226511ebb0c4151de2d91ff5282c238145b7313eceb8d703ac9
5a099571b1ff22edbe4621c60def5d597a644771a02f5c179c73596d33efb8ff
5a4ef62cfed9147274068d125218c3f7683e1537bdf10baecca9897ef98ba144
60520f3c00ca73f1c3afaba97533307cf0bde1a582cc035230b91d414ccd3974
61b277234f107b478bcf0becbdff3025b0d9ffe6d5e2db499b82ad82de621a8a
6ec1886769320d0f6edff7c0061819ab48104c6f55b211c015b2699521326522
70fc89f354e9a319448b72b3560e8a728c3c02e75bda6a2970dc21eaf2156ad7
738c6951897a6a08ff68738bbaca40b820c421a2bf6b6736fe47f67422431651
74d72a2426e053de09386653c04fa246a3054dae2b6af440c510bf5d4b1a553d
7b28c0e9baba5dc01b98be47c3d3b3913c7184b106b788a519e6528599747aec
802c83d71793036f195a4455e9f76f2b1ee0c7e4b95d48b0c4d45698fab37122
809ff25715e5bd18d3fa878e5c05d810c998649c6602cf46f1adcd28419b4be7
833ee2b2d2ebe3698a1ba8333b0fbbaf0f00a6628917f1419e606a317627984b
8d4adeedcc2ada8079c8b8833477ecc906444d433796f19d2d166cfbfa247351
8eb315d34ae0e568d657f52bbfb672cbb45380326964aa71313f6876c8e100ab
a368cc0ee42d4e6a740c529beb38283012d69f573b65490ac04d8ea57a9d5def
a6aa7fe2ac233bf2c8f3f1342fd57d43739d6839bb25e244e41305e68cdfaf20
b5defe839274e913c3024ffe3e12272a6f398b49c17e74608a772606acf19970
b88c0edb75026bbe541ee9a7ec1070334c62b2e5e0f6d5944d5beb83eacb72d0
be2111b1f2546368e8867927f3ec7607287c43742c2b704c1db6f040c2bdd28c
c01d55c9ce208eb645465a85dcd4f5d4444ef4661012c0e2714eb172bd373eeb
cc918cafea413e2814d0414b8582c0f4e12e9f72c963317f641c431d4d188616
cda362e1e7fb85e31a36c20b181e5f9b1aaa3479fbd2ca84c9bf06b9bb688b7d
d6209431e0da47fc8ad6d6e0625f5ed19c8647a5818f94b149a1d531bed32013
e98ec3f798200525276713e881fab6758c056ea2988806e4fa479e7fa29061f9
f858b1f43b3076cb3c8843852c531b64317ec72d06b41e49557c3e8b7360f214
fe6592ee011877d9a851e84b95908c3dd887214bcc668147805613f2573ce5af

Mitre Methodologies

T1090 – Proxy
T1204 – User Execution
T1496 – Resource Hijacking
T1572 – Protocol Tunneling

Further Information

Attracting flies with Honey(gain): Adversarial abuse of proxyware