Proxyware Campaign Piggybacks on Popular YouTube Video Download Services


The AhnLab Security Intelligence Center (ASEC) has uncovered fresh instances of proxyware distribution by threat actors leveraging deceptive advertising on freeware sites.

Building on prior reports, such as the “DigitalPulse Proxyware Being Distributed Through Ad Pages” analysis, this campaign continues to exploit unwitting users in South Korea, installing unauthorized bandwidth-sharing tools like DigitalPulse and Honeygain.

These attacks exemplify proxyjacking, where malicious actors surreptitiously deploy proxyware to monetize victims’ internet resources without consent, mirroring the resource exploitation seen in cryptojacking but focusing on network bandwidth rather than computational power for cryptocurrency mining.

Proxyjacking involves the illicit installation of proxyware, software designed to allocate a portion of a system’s bandwidth to external entities in exchange for compensation.

When deployed non-consensually, it results in bandwidth theft, with profits funneled to attackers.

Historical precedents include a 2023 campaign documented by LevelBlue, which compromised over 400,000 Windows systems via DigitalPulse.

ASEC’s monitoring reveals sustained activity in Korea, with recent infections employing similar tactics but incorporating variants like Honeygain’s proxyware.

YouTube Video Download Pages

Threat actors disguise malware as legitimate YouTube video downloaders, capitalizing on users who search for free tools via search engines.

Victims entering a video URL encounter seemingly benign sites offering a “Download Now” button, which redirects to ad-laden pages or direct malware downloads.

[Figure: YouTube video download page]

Utilizing GitHub repositories as a distribution vector, attackers upload executables that initiate the infection chain.

The malware, often disguised as “QuickScreenRecorder.exe,” executes a PowerShell script that performs anti-analysis checks for sandboxes and virtual machines before proceeding to install proxyware.

The infection flowchart remains consistent with prior incidents: after evasion routines, the script installs NodeJS, fetches malicious JavaScript, and schedules tasks under names like “DefragDiskCleanup.”

This JavaScript communicates with command-and-control (C&C) servers, relaying system telemetry and receiving PowerShell commands to deploy the proxyware.

In most cases, DigitalPulse is installed, but variants introduce Honeygain’s “hgsdk.dll” alongside a launcher “FastCleanPlus.exe,” registered in the task scheduler.

The launcher invokes the DLL’s hgsdk_start() function using the attacker’s API key, enabling bandwidth sharing.
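The persistence described in the chain above (a scheduled task that runs Node.js on a fetched script, later a task that launches FastCleanPlus.exe) leaves a footprint that can be hunted from a task listing. The script below is an added example for defenders, not ASEC's tooling: it parses the CSV that `schtasks /query /fo CSV /v` prints on Windows and flags tasks by the task names and file names the report gives, plus two heuristics that are my own assumptions (node.exe running a script from a user-writable directory, and PowerShell started hidden or with the execution policy bypassed). The sample listing is constructed and only carries the columns the check needs.

```python
"""Hunt Windows scheduled tasks for the persistence pattern described above.

Added example, not ASEC's tooling. Input is the CSV that
`schtasks /query /fo CSV /v` prints on Windows; the sample below is
constructed, and only the columns the check needs are included.
"""
import csv
import io
import re

# Task names the report ties to this campaign.
KNOWN_TASK_NAMES = {"defragdiskcleanup", "fastcleanplus"}

# File names that appear in the report or its IoC table.
CAMPAIGN_BINARIES = re.compile(
    r"fastcleanplus\.exe|hgsdk\.dll|networkspeedstatus\.exe|firmwareupdate\.exe",
    re.IGNORECASE,
)

# Heuristics (assumptions, not from the report): node.exe launching a script
# under a user-writable directory, or PowerShell started hidden / with the
# execution policy bypassed.
NODE_USER_PATH = re.compile(
    r"node(?:\.exe)?\s+.*?\\(?:users|appdata|programdata|temp)\\", re.IGNORECASE
)
POWERSHELL_EVASIVE = re.compile(
    r"powershell(?:\.exe)?.*?(?:-w(?:indowstyle)?\s+hidden|-e(?:xecutionpolicy|p)\s+bypass)",
    re.IGNORECASE,
)


def classify_task(task_name: str, command: str) -> list[str]:
    """Return the reasons a task matches the campaign pattern (empty if none)."""
    reasons = []
    leaf = task_name.rsplit("\\", 1)[-1].lower()
    if leaf in KNOWN_TASK_NAMES:
        reasons.append("known-task-name")
    if CAMPAIGN_BINARIES.search(command):
        reasons.append("campaign-binary")
    if NODE_USER_PATH.search(command):
        reasons.append("node-script-in-user-path")
    if POWERSHELL_EVASIVE.search(command):
        reasons.append("powershell-hidden-or-bypass")
    return reasons


def hunt(schtasks_csv: str) -> dict[str, list[str]]:
    """Map each suspicious TaskName to the reasons it was flagged."""
    findings = {}
    for row in csv.DictReader(io.StringIO(schtasks_csv)):
        reasons = classify_task(row["TaskName"], row["Task To Run"])
        if reasons:
            findings[row["TaskName"]] = reasons
    return findings


# Constructed sample: two campaign-style tasks, one evasive PowerShell task,
# and two benign Windows tasks. Paths and host name are illustrative.
SAMPLE_SCHTASKS_CSV = r'''"HostName","TaskName","Status","Task To Run"
"WS01","\DefragDiskCleanup","Ready","C:\Users\alice\AppData\Roaming\node\node.exe C:\Users\alice\AppData\Roaming\svc\main.js"
"WS01","\FastCleanPlus","Ready","C:\ProgramData\FastCleanPlus\FastCleanPlus.exe"
"WS01","\WindowsUpdateCheck","Ready","powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File C:\Users\alice\AppData\Local\Temp\KB8241660.ps1"
"WS01","\Microsoft\Windows\Defrag\ScheduledDefrag","Ready","%windir%\system32\defrag.exe -c -h -k -g -$"
"WS01","\OneDrive Standalone Update Task","Ready","C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe"
'''

if __name__ == "__main__":
    for name, reasons in hunt(SAMPLE_SCHTASKS_CSV).items():
        print(f"{name}: {', '.join(reasons)}")
```

The name-based checks are brittle on purpose (the report only says the names are "like" DefragDiskCleanup), so the heuristic reasons are what carry a hunt across renamed variants; treat a hit on them as a lead to triage, not a verdict.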

Malware Analysis

Detailed dissection shows the malware’s modular design, with PowerShell scripts handling downloads and executions.

[Figure: Flowchart of malware installation]

Responses from C&C servers often include commands to fetch compressed archives containing Honeygain components.

Detection signatures from ASEC include Dropper/Win.Proxyware.C5783593 and behavioral indicators like Execution/MDP.Powershell.M2514, emphasizing the need for robust endpoint protection.

This campaign underscores the risks of downloading from unofficial sources rife with ads and pop-ups. Users should verify site authenticity and employ security solutions like V3 to scan for infections.

As proxyjacking evolves, blending with established malware families, proactive monitoring of indicators of compromise (IoCs) is crucial to thwart these resource-exploiting threats.

Indicators of Compromise (IoCs)

Type       Indicator                                                     Description
---------  ------------------------------------------------------------  ------------------------
MD5        01a2eb2c3d07121a6acee9336f6716ec                              Malware hash
MD5        0310c2987666e5468cca3909042cf666                              Malware hash
MD5        1aea1442bbbec8cee28d5fdc0961c130                              Malware hash
MD5        1c6fa070cfec5dbf9a4aa55732e145d6                              Malware hash
MD5        1e2b800cda9a133f51ad40ea5a836d29                              Malware hash
URL        https://d17b7mkheg0tx6.cloudfront.net/FirmwareUpdate.exe      Download URL
URL        https://d17b7mkheg0tx6.cloudfront.net/KB8241660.ps1           PowerShell script URL
URL        https://d1kxwjqxc4unl0.cloudfront.net/KB3457229.ps1           PowerShell script URL
URL        https://d1kxwjqxc4unl0.cloudfront.net/NetworkSpeedStatus.exe  Executable URL
URL        https://d24c5955rpu08d.cloudfront.net/FastCleanPlus.zi        Compressed file URL
Detection  Dropper/Win.Proxyware.C5783593 (2025.07.30.02)                File detection signature
Detection  Unwanted/Win.Proxyware.R712792 (2025.07.14.00)                File detection signature
Detection  Execution/MDP.Powershell.M2514                                Behavioral diagnosis
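The table above is only useful once it is matched against telemetry. The script below is an added example, not ASEC's tooling: it parses the MD5 and URL rows as copied from the table, then checks them against a file-inventory export (path and MD5 pairs) and a web proxy log. Two matching strengths are reported for URLs: an exact URL hit, and a hit on the CloudFront distribution hostname alone, the latter resting on my assumption that the attacker controls the whole distribution so other paths on it are also suspect; the cloudfront.net apex itself is never matched. The file records and log lines are constructed, and the first record reuses a hash from the table only so the match path is exercised.

```python
"""Match the IoCs from the table above against endpoint and proxy telemetry.

Added example, not ASEC's tooling. IOC_TABLE is copied from the report;
the file records and proxy log lines below are constructed.
"""
from urllib.parse import urlsplit

IOC_TABLE = """\
MD5 01a2eb2c3d07121a6acee9336f6716ec Malware hash
MD5 0310c2987666e5468cca3909042cf666 Malware hash
MD5 1aea1442bbbec8cee28d5fdc0961c130 Malware hash
MD5 1c6fa070cfec5dbf9a4aa55732e145d6 Malware hash
MD5 1e2b800cda9a133f51ad40ea5a836d29 Malware hash
URL https://d17b7mkheg0tx6.cloudfront.net/FirmwareUpdate.exe Download URL
URL https://d17b7mkheg0tx6.cloudfront.net/KB8241660.ps1 PowerShell script URL
URL https://d1kxwjqxc4unl0.cloudfront.net/KB3457229.ps1 PowerShell script URL
URL https://d1kxwjqxc4unl0.cloudfront.net/NetworkSpeedStatus.exe Executable URL
URL https://d24c5955rpu08d.cloudfront.net/FastCleanPlus.zi Compressed file URL
"""


def parse_iocs(table: str) -> tuple[set[str], set[str], set[str]]:
    """Split the table into MD5 hashes, exact URLs, and the URLs' hostnames."""
    hashes, urls, hosts = set(), set(), set()
    for line in table.splitlines():
        if not line.strip():
            continue
        kind, value, _description = line.split(maxsplit=2)
        if kind == "MD5":
            hashes.add(value.lower())
        elif kind == "URL":
            urls.add(value)
            hosts.add(urlsplit(value).hostname.lower())
    return hashes, urls, hosts


def match_file_hashes(records, hashes):
    """records: (path, md5) pairs from a file inventory or EDR export."""
    return [path for path, md5 in records if md5.lower() in hashes]


def match_proxy_log(lines, urls, hosts):
    """Lines use a constructed '<time> <client> <method> <url> <status>' layout.

    An exact URL hit is the strongest signal. A hit on the distribution
    hostname alone assumes the attacker controls the whole CloudFront
    distribution (an assumption, not a claim from the report); the
    cloudfront.net apex is never matched because legitimate sites use it.
    """
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5:
            continue
        client, url = parts[1], parts[3]
        host = (urlsplit(url).hostname or "").lower()
        if url in urls:
            hits.append((client, url, "exact-url"))
        elif host in hosts:
            hits.append((client, url, "known-host"))
    return hits


# Constructed telemetry. The first record reuses a hash from the table so the
# match path is exercised; the paths are illustrative, and the second hash is
# the MD5 of an empty input, used here as a benign placeholder.
FILE_RECORDS = [
    (r"C:\Users\alice\Downloads\setup.exe", "1E2B800CDA9A133F51AD40EA5A836D29"),
    (r"C:\Windows\System32\notepad.exe", "d41d8cd98f00b204e9800998ecf8427e"),
]
PROXY_LOG = [
    "2025-08-01T09:12:03Z 10.0.0.21 GET https://d17b7mkheg0tx6.cloudfront.net/KB8241660.ps1 200",
    "2025-08-01T09:12:09Z 10.0.0.21 GET https://d1kxwjqxc4unl0.cloudfront.net/update/check.bin 200",
    "2025-08-01T09:13:00Z 10.0.0.22 GET https://dxxxxxxxxxxxxx.cloudfront.net/assets/app.js 200",
]


def scan():
    """Run both matchers over the constructed telemetry."""
    hashes, urls, hosts = parse_iocs(IOC_TABLE)
    return {
        "files": match_file_hashes(FILE_RECORDS, hashes),
        "proxy": match_proxy_log(PROXY_LOG, urls, hosts),
    }


if __name__ == "__main__":
    for kind, result in scan().items():
        print(kind, result)
```

Hash matching is case-insensitive because inventory tools disagree on hex case, and the truncated `FastCleanPlus.zi` entry is carried over exactly as the report prints it rather than completed, so it will only match a hostname, never an exact URL.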


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.