MS-SQL servers hacked to steal bandwidth with proxyware

Threat actors are generating revenue by using adware bundles, malware, or even hacking into Microsoft SQL servers, to convert devices into proxies that are rented through online proxy services.

To steal a device’s bandwidth, the threat actors install software called ‘proxyware’ that allocates a device’s available internet bandwidth as a proxy server that remote users can use for various tasks, like testing, intelligence collection, content distribution, or market research. 

Botters also love these proxy services as they gain access to residential IP addresses that have not been blacklisted from online retailers.

In return for sharing their bandwidth, the device’s owner gets a revenue share of the fees charged to customers. For example, the Peer2Profit service shows users making as much as $6,000 per month by installing the company’s software on thousands of devices.

Top 10 users on the Peer2Profit proxy service
Top 10 users on the Peer2Profit proxy service

According to a new report published today by researchers at South Korean company Ahnlab, new malware campaigns have emerged that install proxyware to earn money from sharing their victim’s network bandwidth.

The attackers receive compensation for the bandwidth by setting their email address for the user, while the victims might only notice some connectivity slowdowns and hiccups.

Sneaking proxy clients on devices

Ahnlab observed the installation of proxyware software for services, such as Peer2Profit and IPRoyal, via adware bundles and other malware strains.

The malware checks if the proxy client is running on the host, and it can use the “p2p_start()” function to launch it if it’s deactivated.

Creating and running Peer2Profit SDK
Creating and running Peer2Profit SDK (ASEC)

In the case of IPRoyal’s Pawns, the malware prefers to install the CLI version of the client instead of the GUI one, as the goal is to have the process run stealthily in the background.

Installing and configuring Pawns CLI
Installing and configuring Pawns CLI (ASEC)

In more recent observations, attackers used Pawns in DLL form and provided their emails and passwords in encoded string form, launching it with the functions “Initialize()” and “startMainRoutine().”

Pawns launch routine
Pawns launch routine (ASEC)

Once the proxyware is installed on a device, the software adds it as an available proxy that remote users can use for whatever task they want on the Internet.

Unfortunately, this also means that other threat actors can use these proxies for illegal activities without the victim being aware.

Infecting MS-SQL servers too

According to Ahnlab’s report, malware operators using this scheme to generate revenue also target vulnerable MS-SQL servers to installPeer2Profit clients.

This has been going on since early June 2022, with most logs retrieved from infected systems revealing the existence of a UPX-packed database file named “sdk.mdf.”

SQL process installing Peer2Profit
SQL process installing Peer2Profit (ASEC)

Among the more common threats for Microsoft SQL servers are cryptocurrency coin miners that perform cryptojacking. There are also plenty of instances where the threat actor uses the server as a pivoting point into the network via Cobalt Strike beacons

The reason behind using proxyware clients is likely an increased chance of remaining undetected for extended periods, which translates into more significant profits. It is unclear how much money actors generate via this method, though.

Furthermore, Microsoft SQL servers are usually located in corporate networks or data centers with abundant Internet bandwidth that proxy services can sell for illegal purposes.

Source: www.bleepingcomputer.com