Fake 7-Zip Installers Turn Devices Into Residential Proxy Nodes

Fake 7-Zip Installers Turn Devices Into Residential Proxy Nodes

Cybersecurity researchers have disclosed details of a new threat actor dubbed Lurking Lizard that has been operating an end-to-end malicious residential proxy business using an infrastructure comprising more than 230 lookalike domains.

The activity dates back to at least August 2022, according to DNS threat intelligence firm Infoblox. Once such campaign, observed earlier this year, involved the actor luring victims with a trojanized 7-Zip installer hosted on a domain named “7zip[.]com,” covertly recruiting compromised devices as proxy nodes.

Lurking Lizard is also known to impersonate major proxy providers, including IPIDEA, SmartProxy (now Decodo), IP Royal, and 911Proxy, not to mention going to the extent of running fake “independent” review sites to drive traffic to its own scam storefronts. Interestingly, IPIDEA’s infrastructure was dismantled by Google in an operation earlier this January.

Subsequent findings from Proxyway have uncovered that 773,087 unique IP addresses linked to SmartProxy were also present in a publicly available IPIDEA IP dataset comprising 16,192,293 unique IPs, indicating SmartProxy either “resells IPIDEA’s infrastructure directly or uses it as a significant IP source.”

WHOIS analysis and infrastructure fingerprinting suggest that Lurking Lizard is a China-based actor, with the illicit scheme also using popular VPNs and services like HeroSMS as decoys to distribute the proxy malware.

One of the notable aspects of the adversary’s modus operandi revolves around acquiring domains when they expire to inherit their accumulated history and legitimacy, a technique known as drop-catching. In some cases, the attacker has taken advantage of the perceived legitimacy surrounding incorrectly referenced domain names (e.g., “7zip[.]com” instead of “7-zip[.]org”) to use them to their advantage.

Further analysis of the IPLogger URL (“iplogger[.]com/mnWD”) embedded within the samples tied to the 7-Zip campaign has uncovered that the same underlying infrastructure has been used to serve fake installers for 7-Zip, WhatsApp, tools falsely claiming TikTok and YouTube downloaders, and WireVPN.

The use of WireVPN branding represents the latest evolution of the campaign, using a multi-pronged approach to target users across operating systems, including Android, macOS, and Windows. One such Android app, called “wirevpn – Fast Unlimited Proxy” and developed by a U.K.-based firm named WEILAI NETWORK TECHNOLOGY CO., LIMITED, has amassed more than 1 million downloads, although it’s unclear if these downloads are organic.

“In the original 7-Zip campaign, victims were directed to malicious installers through tutorial content, search-driven discovery, and lookalike domains,” Infoblox said. “Whether similar techniques are driving users to the current desktop variants is unclear, but the mobile applications may serve as an additional acquisition channel.”

It’s also unclear if the same proxy functionality — i.e., an exit node funneling third-party traffic through victims’ devices — is present in the mobile applications, and if it’s just limited to the desktop applications. Regardless, they paint a picture of what appears to be an unlawful proxy business that fuels a coordinated ecosystem spanning victim acquisition, proxy infrastructure, marketing, and monetization.

The result is an end-to-end operation that goes through two distinct stages:

  • Trojanized installers, mobile applications, and other lures recruit victim devices into an actor-controlled proxy botnet.
  • The pool is then monetized through lookalike proxy service brands, while fake review sites help drive traffic to the actor’s storefronts.

“We are struck by the parallels between the recently exposed criminal activity in the residential proxy space and malvertising that plagues affiliate advertising,” Infoblox said. “There’s an obvious story: Your TV may be part of a giant botnet conducting attacks across the internet. But the real story is far more complex, and solutions are still elusive.”

“Rather than operating a single malware campaign, Lurking Lizard manages multiple stages of the residential proxy lifecycle for several years, from acquiring victim devices through to marketing and selling access to the resulting network.”

The development comes days after Google announced that it had significantly degraded the NetNut (aka Popa) residential proxy network that turned at least 2 million devices, such as smart TVs and streaming boxes, into conduits for unauthorized network traffic through malware-laced SDKs that either come pre-installed before purchase or through apps containing hidden proxy code.

“This creates serious risks for unsuspecting device owners, as their home IP addresses can be used by attackers as a launchpad for hacking and other unauthorized activities,” Google said. “Consequently, users can have their legitimate traffic flagged as suspicious, or blocked by their service providers.”

Source link

Comments

No comments yet. Why don’t you start the discussion?

Leave a Reply

Your email address will not be published. Required fields are marked *