Cybersecurity experts have uncovered a new threat actor known as Lurking Lizard, which is operating a malicious residential proxy network. This sophisticated operation involves over 230 imitation domains to support its activities.
Threat Actor’s Modus Operandi
According to DNS threat intelligence firm Infoblox, the malicious activities of Lurking Lizard have been traced back to at least August 2022. One notable campaign involved distributing a compromised version of 7-Zip through a domain called “7zip[.]com,” turning infected devices into proxy nodes.
Lurking Lizard has also impersonated well-known proxy services like IPIDEA, SmartProxy (now Decodo), IP Royal, and 911Proxy. The group has even created fake review websites to drive traffic to its fraudulent storefronts. Earlier this year, Google dismantled IPIDEA’s infrastructure as part of its efforts to combat this issue.
Extensive Network and Infrastructure
Recent findings by Proxyway revealed that 773,087 IP addresses associated with SmartProxy were also listed in a public dataset from IPIDEA containing over 16 million unique IPs. This suggests a direct relationship between SmartProxy and IPIDEA, either through reselling or using the same IP sources.
Analyses of WHOIS data and infrastructure indicate that Lurking Lizard may be based in China. The group uses popular VPNs and services such as HeroSMS to cloak its proxy malware, enhancing its deceptive operations.
Tactics and Broader Implications
A key tactic employed by Lurking Lizard is “drop-catching,” where they acquire expired domains to capitalize on their established legitimacy. This method has been used with domains like “7zip[.]com,” exploiting their resemblance to legitimate sites.
Further investigation into the IPLogger URL embedded in these campaigns showed that similar setups were used for fake 7-Zip, WhatsApp installers, and other false applications. The campaign’s evolution includes the use of WireVPN branding and targets users across multiple operating systems, including Android, macOS, and Windows.
The Android app “wirevpn – Fast Unlimited Proxy,” developed by a U.K.-based company, has over 1 million downloads, though it’s unclear how many are organic. It’s also uncertain whether these mobile apps include the same proxy functionalities as their desktop counterparts.
This operation forms a comprehensive illegal proxy business, encompassing phases from victim recruitment to monetization through deceptive proxy service brands and review sites.
Future Outlook and Challenges
Infoblox compared the situation to malvertising in affiliate advertising, highlighting the complexity and elusiveness of solutions to such cybersecurity threats. The Lurking Lizard network is not limited to a single malware campaign but spans the entire residential proxy lifecycle, continuously evolving over the years.
Recently, Google announced it had disrupted the NetNut residential proxy network, which had compromised millions of devices, including smart TVs. This underscores the risks faced by users, whose devices may unknowingly serve malicious purposes.
As cybersecurity threats continue to evolve, awareness and proactive measures are crucial in safeguarding devices from being exploited in such complex networks.
