Proxyware Malware Being Distributed on YouTube Video Download Site
NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY:
A malicious campaign is targeting users through fake YouTube video download sites, distributing Proxyware malware. The attack involves a downloader disguised as WinMemoryCleaner, which installs NodeJS and runs malicious JavaScript. This script then installs various Proxyware programs, including DigitalPulse, HoneyGain, and recently, Infatica. The malware uses Task Scheduler for persistence and sends system information to a C&C server. The Proxyware exploits the infected system's network bandwidth for the attacker's profit. Users in South Korea have been particularly targeted. To prevent infection, users should avoid installing executables from suspicious websites and use antivirus software.
OPENCTI LABELS:
malware,downloader,javascript,youtube,c&c,digitalpulse,proxyware,task scheduler,nodejs,bandwidth,honeygain,infatica
AI COMMENTARY:
1. A malicious campaign is using fake YouTube video download sites to distribute Proxyware malware. Researchers have identified a downloader masquerading as WinMemoryCleaner. When an unsuspecting user executes the downloaded file, it silently installs NodeJS and triggers a malicious JavaScript script designed to deploy proxyware programs on the victim's machine.
2. The initial infection vector relies on social engineering and the appeal of free YouTube video downloads. Attackers host seemingly legitimate download pages that prompt users to install an executable. Once executed, the downloader fetches and installs NodeJS. This software serves as the runtime environment for the subsequent JavaScript payload that orchestrates the malware installation.
3. The malicious JavaScript script is responsible for fetching and installing several proxyware applications. Prominent among these are DigitalPulse and HoneyGain, which have been used in past campaigns, and a newly observed variant called Infatica. Each of these programs is designed to lease the victim’s network bandwidth to the attacker’s proxy network, generating illicit revenue for the threat actors while degrading network performance for the user.
4. To maintain persistence on infected systems, the campaign leverages the Windows Task Scheduler. A scheduled task is created that automatically launches the malicious JavaScript or NodeJS process at regular intervals or upon system reboot. Additionally, the malware gathers system information and transmits it to a command and control server over HTTP, enabling the attackers to monitor compromised hosts and manage the proxyware installations remotely.
5. Analysis of the campaign reveals a geographic focus on users in South Korea, suggesting a targeted operation. By exploiting local interest in free video downloads, the attackers have achieved a higher infection rate within that region. Infected systems exhibit unusually high network usage as the proxyware applications route traffic through the compromised machines, impacting both individual users and corporate networks.
6. Prevention and mitigation measures are straightforward but critical. Users should avoid downloading and executing programs from unverified websites, especially those promising free media downloads. Employing reputable antivirus and anti-malware solutions can detect and block the downloader and its associated components. Network administrators should monitor outbound traffic for signs of proxy usage and implement firewall rules to restrict unauthorized connections to known proxyware domains.
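The persistence mechanism in item 4 (a scheduled task that launches NodeJS or a JavaScript payload) is something a responder can triage from Task Scheduler XML exports. The following is an added defensive example, not code from the report or from the malware: it parses the standard Task Scheduler XML schema and flags tasks whose action runs node.exe, wscript.exe or cscript.exe or passes a .js file. The watch-list, task names, paths and interval in the samples are constructed assumptions, not indicators from the report.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath
from typing import Optional

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Assumed watch-list: runtimes that can execute a JavaScript payload.
SCRIPT_HOSTS = {"node.exe", "wscript.exe", "cscript.exe"}


def inspect_task(xml_text: str) -> Optional[dict]:
    """Return a finding if the task's action runs NodeJS/JavaScript, else None."""
    root = ET.fromstring(xml_text)
    uri = root.findtext("t:RegistrationInfo/t:URI", default="?", namespaces=NS)
    # Trigger kinds (BootTrigger, LogonTrigger, ...) and any repetition interval
    # tell the analyst whether the task re-launches on reboot or periodically.
    triggers = [el.tag.split("}")[-1] for el in root.findall("t:Triggers/*", NS)]
    interval = root.findtext(".//t:Repetition/t:Interval", default=None, namespaces=NS)
    for exec_el in root.findall("t:Actions/t:Exec", NS):
        cmd = exec_el.findtext("t:Command", default="", namespaces=NS).strip().strip('"')
        args = exec_el.findtext("t:Arguments", default="", namespaces=NS).strip()
        reasons = []
        host = PureWindowsPath(cmd).name.lower()
        if host in SCRIPT_HOSTS:
            reasons.append(f"launches {host}")
        if re.search(r"\.js\b", args, re.IGNORECASE):  # .js but not .json
            reasons.append("passes a .js file as an argument")
        if reasons:
            return {"task": uri, "command": cmd, "arguments": args,
                    "reasons": reasons, "triggers": triggers, "interval": interval}
    return None


# Constructed sample exports (schtasks /query /xml style); names and paths are made up.
SUSPICIOUS_TASK = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\WinMemoryCleanerUpdate</URI></RegistrationInfo>
  <Triggers>
    <BootTrigger><Enabled>true</Enabled></BootTrigger>
    <TimeTrigger><Repetition><Interval>PT30M</Interval></Repetition>
      <StartBoundary>2024-01-01T00:00:00</StartBoundary></TimeTrigger>
  </Triggers>
  <Actions Context="Author"><Exec><Command>"C:\Program Files\nodejs\node.exe"</Command>
    <Arguments>C:\Users\Public\update.js</Arguments></Exec></Actions>
</Task>"""

BENIGN_TASK = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Backup\Nightly</URI></RegistrationInfo>
  <Triggers><CalendarTrigger><StartBoundary>2024-01-01T02:00:00</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Actions Context="Author"><Exec><Command>C:\Windows\System32\robocopy.exe</Command>
    <Arguments>D:\data E:\backup /MIR</Arguments></Exec></Actions>
</Task>"""

if __name__ == "__main__":
    for sample in (SUSPICIOUS_TASK, BENIGN_TASK):
        print(inspect_task(sample))
```

On a live host, feed it the files under C:\Windows\System32\Tasks or the output of `schtasks /query /xml` for each task, and treat a hit with a BootTrigger or a short repetition interval as a priority for manual review.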