In a previously unreported trend, security researchers have identified a new malware family that siphons its victims’ bandwidth, in much the same way that crypto-mining malware monetizes victims’ CPU cycles.
According to recent research from Cisco’s Talos intelligence division, threat actors have begun to abuse internet-sharing programs known as proxyware, such as Honeygain (see their rebuttal at the end of this post) and Nanowire, among others.
Proxyware is a legitimate category of software that lets users monetize their spare bandwidth. Typically, the user installs an app that forwards the spare bandwidth to a network pool managed by the service provider.
“Malicious actors are monetizing these new platforms in their favor through several means. The most visible is the silent installation of the platform client to ‘sell’ the victim’s bandwidth without their knowledge,” according to the Talos team.
Malware: the best place to start
According to the researchers, malware authors do not merely target legitimate systems; they also modify the underlying registry (but not the client itself) so that it stops sending notifications to the victim, allowing the abuse to continue unnoticed.
“As the popularity of these platforms rose, adversaries began to utilize trojanized installers to install the real platform client, as well as digital currency miners and information stealers,” the researchers wrote.
The researchers also disclosed the details of a new malware family that combines all of the new monetization scheme’s techniques: it installs a patched version of the Honeygain client, and it also drops an XMRig miner and an information stealer to extract as much data as possible from each victim.
More importantly, the researchers warn that this new kind of malware may become prevalent enough to pose a substantial risk to enterprise environments in the future.
“Users’ bandwidth can be sold to platform clients for them to access the internet. Their actions over this access are logged to the organization’s IP address… These networks may also enable threat actors to conceal the origins of their attacks, making them appear to originate from genuine business networks,” the researchers conclude, adding that this new malware could render reputation- or IP-based blocklists ineffective.
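Because a proxyware client relays other people’s web traffic through the infected host, the behaviour a defender can observe is sustained outbound volume fanned out to many unrelated external destinations, which an ordinary workstation rarely produces on its own. The following Python example is added here and is not code from the article or from Talos: it runs a simple egress heuristic over constructed NetFlow-style records (the `Flow` fields, the sample hosts `ws-01` and `ws-07`, and the three thresholds are all assumptions to be tuned against a real baseline) and flags hosts whose outbound traffic has that proxyware-like shape.

```python
"""Flag proxyware-like egress in NetFlow-style records (constructed example).

Assumptions: the Flow record layout, the sample traffic and the thresholds are
all made up for illustration; a real deployment would feed flows from a
collector and tune thresholds to the organisation's own baseline.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    host: str        # internal endpoint that originated the flow
    dst_ip: str      # external destination address
    dst_port: int
    bytes_out: int   # bytes sent from the host to the destination
    minute: int      # minute-of-day bucket in which the flow was seen


def build_sample_flows():
    """Constructed traffic: ws-01 is a normal workstation, ws-07 relays like proxyware."""
    flows = []
    # ws-01: a couple of destinations, modest and bursty volume (documentation IPs).
    for m in (540, 541, 600, 655, 700):
        flows.append(Flow("ws-01", "203.0.113.10", 443, 20_000, m))
        flows.append(Flow("ws-01", "203.0.113.25", 443, 8_000, m))
    # ws-07: every minute for two hours, a large upload to a fresh external address,
    # the fan-out shape of a host whose bandwidth is being sold to third parties.
    for i in range(120):
        flows.append(Flow("ws-07", f"198.51.100.{i + 1}", 443, 350_000, 540 + i))
    return flows


def summarize_egress(flows):
    """Per host: count of distinct destinations, total bytes out, distinct active minutes."""
    dsts = defaultdict(set)
    minutes = defaultdict(set)
    total_out = defaultdict(int)
    for f in flows:
        dsts[f.host].add(f.dst_ip)
        minutes[f.host].add(f.minute)
        total_out[f.host] += f.bytes_out
    return {
        host: {
            "distinct_dst": len(dsts[host]),
            "bytes_out": total_out[host],
            "active_minutes": len(minutes[host]),
        }
        for host in dsts
    }


def flag_proxyware_like(flows, min_distinct_dst=50, min_bytes_out=10_000_000,
                        min_active_minutes=60):
    """Return hosts that exceed all three (assumed) thresholds at once.

    Requiring fan-out, volume and persistence together keeps a single large
    upload or a busy browsing session from tripping the rule on its own.
    """
    summary = summarize_egress(flows)
    return sorted(
        host for host, s in summary.items()
        if s["distinct_dst"] >= min_distinct_dst
        and s["bytes_out"] >= min_bytes_out
        and s["active_minutes"] >= min_active_minutes
    )


if __name__ == "__main__":
    sample = build_sample_flows()
    for host, stats in summarize_egress(sample).items():
        print(host, stats)
    print("proxyware-like hosts:", flag_proxyware_like(sample))
```

The heuristic deliberately works on the infected host’s own egress rather than on destination reputation, since the article’s point is that traffic relayed through a compromised corporate host carries the organisation’s IP address and therefore looks legitimate to IP-based blocklists.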
Honeygain’s response
We are pleased to report that our users generally feel safe when using Honeygain: in our most recent User Experience survey (completed by almost 250,000 users), 70%+ of respondents reported they felt safe (5/5) when using the Honeygain app. The survey report may be seen here.
In general, we’d like to emphasize that the security threat identified by Cisco Talos affects all businesses; it’s not only a concern in the proxyware arena. All businesses that distribute their software via installers are vulnerable to these sorts of assaults.
We’d also like to point out that we’ve implemented several enhancements to the platform to prevent various kinds of misuse. Each of them has been explained separately, so here are the links for you to learn more:
You can find a bit more information here: https://www.honeygain.com/security/
In addition, we have gathered some of your article remarks on which we would like to comment and share our thoughts with you:
“Malicious actors are exploiting a variety of channels to monetize these new platforms for their benefit. The most visible is the quiet installation of the platform client to ‘sell’ the victim’s bandwidth without their awareness,” the Talos team explained. “Unfortunately, as long as some users continue to download apps from unauthorized sources such as unlawful websites or message boards, criminal actors will be able to propagate contaminated copies of the installer.”
In our public communication, we regularly advise consumers to only download the software from legitimate sources to avoid any safety issues. Furthermore, our committed team is working relentlessly to identify any illegal sources.
“Virus producers, experts say, do not only target genuine systems. They even change the underlying registry (but not the client) to prevent it from sending alerts to the victims. So they remain undetected.”
We’re keeping an eye out for code modifications in our applications. If an attacker does such an act, our back-end systems quickly notify us. If the suspicious behavior continues, the application instance is marked as useless and is disconnected from our network.
“More significantly, the researchers warn that this new type of malware might become so prevalent that it poses a significant threat to business environments.”
Malware and shady individuals pose a severe danger to both public and private networks (e.g., households). As a result, every business and household must take all necessary actions to protect themselves from possible dangers and to enjoy a safe online environment.
After the Cisco report was issued, we acted quickly to decrease the risk of users acquiring Honeygain from unauthorized sources, which are the biggest risk and a direct method for a potential user to become a victim of unscrupulous operators.
The next step, in our opinion, should be to focus even more on cybersecurity, not only for the sector but for each of us individually. We must continue to educate people about potential online risks and how to prevent them. In this situation, we’re attempting to reach out to Cisco Talos to see how we can resist these hostile techniques and publicize our discoveries.
Above all, we will continue to enhance our ways of keeping our users secure. We’ve already begun discussions with a few well-known firms about reviewing our applications’ functionality and security for our consumers. Furthermore, we are hopeful about future collaborations with companies like Cisco Talos.