
Macs are getting compromised to act as proxy exit nodes
2023-08-14 10:57

AdLoad, well-known malware that has been targeting systems running macOS for over half a decade, has been observed delivering a new payload that - unbeknown to the owners - enlisted their systems into a residential proxy botnet.

"Alien Labs has identified over 10,000 IPs reaching out to the proxy servers each week that have the potential to be proxy exit nodes. It is unclear if all these systems have been infected or are voluntarily offering their systems as proxies, but it could be indicative of a bigger infection globally."

AdLoad is adware that installs a web proxy to redirect users' web traffic through servers owned by the adware operators, so that they can hijack search engine results and insert specific ads into the pages viewed by the user.

"After beaconing to the AdLoad server, the sample reaches out to a different domain, usually vpnservices[.]live or upgrader[.]live, appearing to be a proxy server's C&C," the researchers explained.
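The two domains above are the only network indicators the report names. A defender with DNS query logs can turn them into a simple beacon check: match the domains (and any subdomain of them, but not look-alike names such as `notvpnservices.live`) and group the hits by client so that hosts repeatedly resolving them stand out. The script below is an added example written for this page, not code from AT&T Alien Labs or Help Net Security; the log line format `<timestamp> <client_ip> query <qname>` and the log lines themselves are constructed for illustration.

```python
import re
from collections import defaultdict

# Domains named in the report, written defanged there ("vpnservices[.]live").
# This is the page's IOC list, not an exhaustive one.
ADLOAD_PROXY_DOMAINS = {"vpnservices.live", "upgrader.live"}

# Constructed sample DNS query log; the "<ts> <client_ip> query <qname>" layout is
# an assumption for this example, real resolver logs differ.
SAMPLE_DNS_LOG = """\
2023-08-14T10:01:02Z 10.0.0.21 query www.example.com
2023-08-14T10:01:05Z 10.0.0.21 query vpnservices.live
2023-08-14T10:03:10Z 10.0.0.33 query upgrader.live
2023-08-14T10:04:00Z 10.0.0.21 query cdn.vpnservices.live
2023-08-14T10:05:00Z 10.0.0.44 query notvpnservices.live
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+query\s+(\S+)\s*$")


def refang(domain: str) -> str:
    """Turn a defanged indicator such as 'upgrader[.]live' back into a hostname."""
    return domain.replace("[.]", ".")


def matches_ioc(qname: str, iocs=ADLOAD_PROXY_DOMAINS) -> bool:
    """True if qname is an IOC domain or a subdomain of one (label-boundary aware)."""
    q = qname.rstrip(".").lower()
    return any(q == d or q.endswith("." + d) for d in iocs)


def find_beaconing_hosts(log_text: str, iocs=ADLOAD_PROXY_DOMAINS) -> dict:
    """Map each client IP to the list of (timestamp, qname) hits against the IOC set."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        ts, client, qname = m.groups()
        if matches_ioc(qname, iocs):
            hits[client].append((ts, qname))
    return dict(hits)


if __name__ == "__main__":
    for client, events in find_beaconing_hosts(SAMPLE_DNS_LOG).items():
        print(client, len(events), "hit(s):", [q for _, q in events])
```

Counting distinct clients per week over real logs is how one would approach the "10,000 IPs reaching out each week" figure quoted above; the script keeps the per-client timestamps so that interval can be added as a second pass.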

"If the proxy application is already running, the malware kills it, and then executes it in the background. During its execution, AdLoad gains persistence by installing itself as a Launch Agent with organization name usually formed by org.plist, which points at the proxy application executable in the Application Support folder," the researchers explained.

AT&T Alien Labs have traced the domains serving as proxy server nodes to a small business selling proxy services.

News URL

https://www.helpnetsecurity.com/2023/08/14/macos-adload-proxy/