Adversaries Hack Microsoft SQL Servers to Install Proxyware and Steal Bandwidth

Adversarial Abuse of Proxyware

Security analysts report a growing number of cases of adversarial abuse of software known as ‘proxyware’. Users install a proxyware client and become bandwidth donors by sharing their internet connection through services such as Peer2Profit and IPRoyal. The hosts, incentivized with monetary rewards, let other users access the web from the host’s location for various purposes.

Threat actors illicitly download and run proxyware on compromised systems, stealing victims’ network bandwidth for financial gain. There is growing evidence that criminal hackers target vulnerable MS-SQL servers, use adware bundles, and spread malware to convert compromised machines into proxies.

Illicit Proxyware Programs Detection

Detect whether your system has been infected with proxyware using a Sigma rule released by Onur Atali, a prolific Threat Bounty Program developer. The rule matches on file names associated with the proxyware malware:

Proxyware Attacker Tool Detect (via file_event)

This detection has translations for the following SIEM, EDR & XDR platforms: Microsoft Sentinel, Elastic Stack, Splunk, Humio, Sumo Logic, ArcSight, QRadar, FireEye, LogPoint, Graylog, Regex Grep, Microsoft PowerShell, RSA NetWitness, Chronicle Security, LimaCharlie, SentinelOne, Microsoft Defender ATP, CrowdStrike, Apache Kafka ksqlDB, Carbon Black, Securonix, Snowflake, and Open Distro.

The rule is mapped to the MITRE ATT&CK® framework v.10, addressing the Execution tactic with Command and Scripting Interpreter (T1059) and User Execution (T1204) as the primary techniques.
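To show what a file_event detection of this shape does at the log level, here is an added example that is not the Threat Bounty rule from the page: a minimal evaluator for a Sigma-shaped rule, run over constructed Sysmon Event ID 11 (FileCreate) records. The rule body, the indicator substrings (peer2profit, iproyal, pawns) and the sample events are assumptions built for illustration, not the rule's real indicators.

```python
# Added example: evaluate a Sigma-shaped file_event rule over constructed
# Sysmon Event ID 11 (FileCreate) records. Not the page's Threat Bounty rule;
# the rule body, indicator substrings and events below are assumptions.

RULE = {
    "title": "Proxyware client file dropped (illustrative stand-in)",
    "logsource": {"category": "file_event", "product": "windows"},
    "detection": {
        "selection": {
            # Assumed indicators: substrings of proxyware client file names.
            "TargetFilename|contains": ["peer2profit", "iproyal", "pawns"],
            # Only executable artefacts; a text file mentioning a vendor is noise.
            "TargetFilename|endswith": [".exe", ".dll", ".msi"],
        },
        "condition": "selection",
    },
}

# Constructed Sysmon Event ID 11 records (FileCreate), not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": r"C:\Users\Public\Peer2Profit_x64.exe"},
    {"EventID": 11, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\Windows\Temp\update.tmp"},
    {"EventID": 11, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\ProgramData\IPRoyal\pawns-cli.exe"},
    {"EventID": 11, "Image": r"C:\Windows\System32\notepad.exe",
     "TargetFilename": r"C:\Users\admin\Documents\iproyal-invoice.txt"},
]


def _match_value(modifier: str, actual: str, pattern: str) -> bool:
    """Sigma string matching is case-insensitive; apply one field modifier."""
    a, p = actual.lower(), pattern.lower()
    if modifier == "contains":
        return p in a
    if modifier == "startswith":
        return a.startswith(p)
    if modifier == "endswith":
        return a.endswith(p)
    if modifier == "":
        return a == p
    raise ValueError(f"unsupported modifier: {modifier}")


def match_selection(selection: dict, event: dict) -> bool:
    """All fields in a selection must match (AND); a list of values is OR."""
    for key, patterns in selection.items():
        field, _, modifier = key.partition("|")
        actual = event.get(field)
        if actual is None:
            return False
        if isinstance(patterns, str):
            patterns = [patterns]
        if not any(_match_value(modifier, str(actual), p) for p in patterns):
            return False
    return True


def match_rule(rule: dict, event: dict) -> bool:
    """Evaluate the condition; this toy supports a single named selection only."""
    detection = rule["detection"]
    name = detection["condition"].strip()
    if name not in detection:
        raise ValueError("only a bare selection name is supported as condition")
    return match_selection(detection[name], event)


def hunt(events: list, rule: dict = RULE) -> list:
    """Return (creating process, file path) for every matching FileCreate event.

    The Image field is kept on purpose: on an MS-SQL server, a proxyware binary
    written by cmd.exe or powershell.exe is the lead an analyst follows back to
    command execution through the database engine."""
    return [(e["Image"], e["TargetFilename"]) for e in events if match_rule(rule, e)]


if __name__ == "__main__":
    for image, path in hunt(SAMPLE_EVENTS):
        print(f"[{RULE['title']}] {image} wrote {path}")
```

Run against the constructed events, the rule fires twice (the Peer2Profit executable dropped by cmd.exe and the pawns-cli.exe written by PowerShell) and stays silent on the unrelated temp file and on the text document whose name merely contains a vendor string. When you adapt this shape to real telemetry, keep the Image or parent-process field in the alert: on a database server the file name identifies the proxyware, but the writing process is what tells you how the attacker got code execution.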

Enterprises need precise, exposure-based solutions that cut through the noise, pinpoint the real security threats, and enable practical, cost-effective solutions. All the above and more is available to the registered SOC Prime Platform users. Press the Detect & Hunt button to explore 200,000+ thoroughly curated and verified detections. Non-registered users can access the proxyware dedicated rule kit and relevant contextual metadata by hitting the Explore Threat Context button.


Proxyware Infection Analysis

The ASEC analysis team revealed that adversaries have been successfully adopting a less common method to generate revenue. The researchers identified malware that lets criminal hackers hijack devices and use them as proxies without the owners’ knowledge. Threat actors execute proxyware so that remote users can leverage the infected machine’s resources for various tasks, with the attackers collecting the profit through the Peer2Profit and IPRoyal services. This hijacking approach is similar to that of illegal crypto mining.

Detect intrusions and withstand cyber-attacks with better efficiency and velocity provided by SOC Prime’s Detection as Code platform. Hunt for threats within your security environment and improve log source and MITRE ATT&CK coverage to take your defense to the next level.
