Hackers Turned Mac Systems into Proxy Exit Nodes:

In a world where cyber threats are becoming increasingly sophisticated, no operating system is out of reach for attackers. Security researchers have recently documented hackers infiltrating Mac systems and turning them into proxy exit nodes. This means that unsuspecting Mac users may unknowingly become accessories to illegal activity, providing criminals with an anonymous gateway that masks their true origin. As the contest between attackers and defenders escalates, the compromise of Macs is a reminder that no device is immune.

Threat actors are no longer confining themselves to Windows: cybersecurity analysts at AT&T Alien Labs recently observed attackers actively turning infected Mac systems into proxy exit nodes.

Microsoft’s earlier report on UpdateAgent describes AdLoad as malware that spreads through drive-by compromise and hijacks users’ traffic, redirecting it through the adware operators’ servers to inject advertisements and promotions into webpages and search results.

New Observations:

Researchers at AT&T Alien Labs studied several recent AdLoad samples seen in June 2023. On execution, each sample collects system details and reports them to an AdLoad server.

AT&T Alien Labs has observed consistent AdLoad activity over the past year, and has also observed the malware being used to install an additional payload on already-infected systems.

The new observations are:-

  • A previously undisclosed payload
  • That payload is a proxy application
  • The proxy turns victims into exit nodes

Many of the samples have caused widespread infections: Alien Labs spotted roughly 10,000 IPs per week connecting to the proxy servers, potentially as exit nodes. The purpose of this residential proxy botnet remains uncertain, though it has been seen distributing spam campaigns.

Mac Systems into Proxy Exit Nodes:

The most recent AdLoad sample, which AT&T Alien Labs spotted in June, was named ‘app_assistant’; other file names commonly used by this malware include:-

  • ‘main_helper’
  • ‘mh’

The sample begins by running the system profiler utility (system_profiler) to gather system details, the most important of which is the hardware UUID, which it later uses to identify the host to the C&C on the proxy servers.

In both beacons, the User-Agent is composed of the executed filename, the string ‘(unknown version) CFNetwork/$version’, and the Darwin version number.

After the AdLoad server beacon, the sample contacts proxy C&C domains such as:-

  • vpnservices[.]live 
  • upgrader[.]live

The request carries the UUID and the encoded parameters; in response, the sample receives a download link on digitaloceanspaces[.]com along with the environment and the payload version.

The sample then beacons to the C&C every few seconds for instructions; the C&C delivers updates and checks for hardware conditions such as:-

  • Low battery
  • High CPU usage
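The indicators above (the CFNetwork-style User-Agent built from the executed filename, the proxy C&C domains, and the beacon every few seconds) can be turned into a simple hunting script for web-proxy or egress logs. The following is an added example written for this page, not code from AT&T Alien Labs or from the malware; the log line format, the client IPs and the CFNetwork/Darwin version numbers in the sample lines are constructed for illustration, and the 10-second beacon threshold is an assumption, not a value from the report.

```python
import re
from collections import defaultdict
from datetime import datetime

# Indicators taken from the report text: file names the sample runs under
# and the proxy C&C domains it contacts (defanging brackets removed).
ADLOAD_FILENAMES = {"app_assistant", "main_helper", "mh"}
PROXY_C2_DOMAINS = {"vpnservices.live", "upgrader.live"}

# User-Agent shape described in the report:
#   "<filename> (unknown version) CFNetwork/<ver> Darwin/<ver>"
# Any CFNetwork client without a bundle version produces this shape, so the
# filename is checked against the known list to keep false positives down.
UA_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9_.-]+) \(unknown version\) "
    r"CFNetwork/(?P<cfnetwork>[\d.]+) Darwin/(?P<darwin>[\d.]+)$"
)

# Constructed proxy log format (an assumption, not from the original page):
#   <ISO timestamp> <client ip> <destination host> "<user-agent>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<host>\S+) "(?P<ua>[^"]*)"$'
)

# Constructed sample log lines for a stand-alone run.
SAMPLE_LOG = """\
2023-06-12T09:00:00 10.0.0.5 vpnservices.live "app_assistant (unknown version) CFNetwork/1408.0.4 Darwin/22.5.0"
2023-06-12T09:00:05 10.0.0.5 vpnservices.live "app_assistant (unknown version) CFNetwork/1408.0.4 Darwin/22.5.0"
2023-06-12T09:00:10 10.0.0.5 vpnservices.live "app_assistant (unknown version) CFNetwork/1408.0.4 Darwin/22.5.0"
2023-06-12T09:00:11 10.0.0.5 digitaloceanspaces.com "app_assistant (unknown version) CFNetwork/1408.0.4 Darwin/22.5.0"
2023-06-12T09:01:00 10.0.0.7 example.com "myscript (unknown version) CFNetwork/1408.0.4 Darwin/22.5.0"
2023-06-12T09:02:00 10.0.0.9 upgrader.live "mh (unknown version) CFNetwork/1404.0.5 Darwin/22.3.0"
""".splitlines()


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def classify_ua(ua):
    """Return the executed filename if the UA matches the AdLoad beacon shape
    and the filename is one of the known AdLoad names, else None."""
    m = UA_RE.match(ua)
    if m and m.group("name") in ADLOAD_FILENAMES:
        return m.group("name")
    return None


def beaconing_clients(records, max_interval=10.0, min_hits=3):
    """Map client -> average gap (seconds) for clients that hit a proxy C&C
    domain at least min_hits times with every gap <= max_interval."""
    by_client = defaultdict(list)
    for r in records:
        if r["host"] in PROXY_C2_DOMAINS:
            by_client[r["client"]].append(r["ts"])
    result = {}
    for client, times in by_client.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if max(gaps) <= max_interval:
            result[client] = round(sum(gaps) / len(gaps), 1)
    return result


def scan(lines):
    """Return (findings, beacons): one finding tuple
    (client, host, matched_filename_or_None, is_c2_domain) per suspicious
    request, plus the beaconing summary."""
    records = [r for r in (parse_line(l) for l in lines) if r]
    findings = []
    for r in records:
        name = classify_ua(r["ua"])
        is_c2 = r["host"] in PROXY_C2_DOMAINS
        if name or is_c2:
            findings.append((r["client"], r["host"], name, is_c2))
    return findings, beaconing_clients(records)


if __name__ == "__main__":
    hits, beacons = scan(SAMPLE_LOG)
    for h in hits:
        print("suspicious:", h)
    print("beaconing clients:", beacons)
```

Run against the constructed lines, the script flags the three beacons plus the digitaloceanspaces[.]com payload fetch from 10.0.0.5 (by filename), flags the ‘mh’ request to upgrader[.]live, ignores the ‘myscript’ client whose UA merely shares the generic CFNetwork shape, and reports 10.0.0.5 as beaconing at a 5-second cadence. In real logs the beacon interval and hit threshold should be tuned to what the proxy actually records, and the UA-shape match on its own is too noisy to alert on without the filename or domain corroboration.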

