Proxyjacking allows attackers to sell unknowing victims' unused network bandwidth. Credit: Elnur/Shutterstock

Hackers are using commercial proxy networks that pay users for their bandwidth to monetize illegally obtained access to servers. Dubbed proxyjacking, this type of abuse is increasingly observed alongside other ways of monetizing hacked servers, such as cryptojacking.

“Although the concept of proxyjacking is not new, the ability to easily monetize it as affiliates of mainstream companies is,” researchers from Akamai said in a report. “Providing a simple path to financial gain makes this vector a threat to both the corporate world and the average consumer alike, heightening the need for awareness and, hopefully, mitigation.”

The Akamai team recently investigated several campaigns in which attackers used compromised SSH credentials to deploy a series of scripts that turned the servers into proxy clients on the Peer2Profit and Honeygain networks. Both services are advertised as passive income tools that let users share their unused bandwidth and IP address as part of a crowdsourced network of proxy servers, which paying companies then use for data collection, advertising, and other activities. These are meant to be volunteer-based services that require users to install a client application on their computers or mobile phones.

“The scenario drastically changes when an application is deployed without the knowledge or consent of the user, effectively exploiting their resources,” the Akamai researchers said. “This is where the seemingly innocuous act of using these services pivots into the realm of cybercrime. The attacker, by commandeering multiple systems and their bandwidth, effectively amplifies their potential earnings from the service, all at the victims’ expense.”

The attack is similar in concept to cryptojacking, the act of using a machine’s computing resources to mine cryptocurrencies without the knowledge or approval of the system’s owner. Mining cryptocurrency is otherwise a legitimate activity that users can willingly opt into, and the mining software is generally free and open source. Attackers use the same software, but in an abusive way.

Proxyjacking via Docker containers

In the attacks observed by Akamai on its honeypot systems, attackers first logged in via SSH and executed a Base64-encoded Bash script. The script connects to an attacker-controlled server and downloads a file called csdark.css. Despite the name, this file is a compiled curl binary, the widely used Linux command-line tool for downloading files. The executable is not detected by any antivirus engine on VirusTotal because it is a legitimate, unmodified version of curl, which is likely whitelisted as a system tool. The practical consequence for defenders is that file hashes and signatures are useless here; the only anomalies are the misleading file name and the location it is dropped into.

After curl is deployed on the system, the Bash script changes the working directory to a temporary location that is usually writable and executable by all users, such as /dev/shm or /tmp. It then downloads a Docker container image that comes preloaded and preconfigured with the Peer2Profit or Honeygain client and the attacker’s affiliate ID on the network, so the hijacked systems are registered under the attacker’s account. Before starting the downloaded image under the container name postfixd, the script checks whether competing containers, possibly deployed by other attackers, are already running and stops any that are found.
Postfix is a popular mail transfer agent for Linux, so the attackers picked this name followed by d (for daemon) to make their container less conspicuous in container and process listings. Both Peer2Profit and Honeygain publish public Docker images for their clients, and the images are fairly popular, with over a million downloads, so the attackers did not have to do much work to set up the environment and tools.

The web server where the attackers host their renamed curl executable appears to have been hacked itself and also contains a cryptomining tool. This suggests the attackers behind these proxyjacking campaigns also engage in cryptojacking.

“In this particular campaign, we saw the use of SSH to gain access to a server and install a Docker container, but past campaigns have exploited web vulnerabilities as well,” the Akamai researchers said. “If you check your local running Docker services and find any unwanted resource sharing on your system, you should investigate the intrusion, determine how the script was uploaded and run, and perform a thorough cleanup.”
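The Akamai advice above amounts to two host checks: look for unwanted bandwidth-sharing containers, and look for what the intrusion dropped in scratch directories. The following script is an added example written for this article, not code from Akamai or from the proxy networks. The only indicators it uses are the ones the article reports (the Peer2Profit and Honeygain images, the decoy container name postfixd, the /dev/shm and /tmp working directories and the csdark.css file name); the sample docker ps lines, the image tags and the planted file are constructed for the demo.

```shell
#!/bin/sh
# Added example: audit a Linux host for the proxyjacking traces described in
# the article. Indicator names come from the article; the sample data below
# is constructed for this demo and is not from Akamai's report.

# Constructed sample in the shape of:
#   docker ps --format '{{.Names}}\t{{.Image}}\t{{.Status}}'
sample_docker_ps() {
  printf 'web\tnginx:1.25\tUp 3 days\n'
  printf 'postfixd\tpeer2profit/peer2profit_linux:latest\tUp 2 hours\n'
  printf 'db\tpostgres:15\tUp 3 days\n'
  printf 'metrics\thoneygain/honeygain:latest\tUp 5 hours\n'
}

# Indicators from the article: the Peer2Profit and Honeygain public images and
# the decoy container name "postfixd". Extend both patterns for your own
# environment (other bandwidth-sharing networks, other daemon-like names).
PROXYWARE_IMAGE_RE='peer2profit|honeygain'
DECOY_NAME_RE='^postfixd$'

# Read docker-ps lines on stdin; print "name<TAB>image<TAB>reason" per hit.
# A container matching both rules is reported once, under the image rule.
flag_containers() {
  awk -F'\t' -v img="$PROXYWARE_IMAGE_RE" -v decoy="$DECOY_NAME_RE" '
    tolower($2) ~ img { print $1 "\t" $2 "\tproxyware-image"; next }
    $1 ~ decoy        { print $1 "\t" $2 "\tdecoy-name" }'
}

# List executable regular files under the given directories. The article names
# /dev/shm and /tmp as the attackers' working directories; because the dropped
# curl binary is unmodified, its location and name are the only signal.
# Never returns non-zero on unreadable subtrees, so it is safe under `set -e`.
find_scratch_executables() {
  for d in "$@"; do
    [ -d "$d" ] || continue
    find "$d" -xdev -type f -perm -100 2>/dev/null || true
  done
}

# Offline demo: run both checks against the constructed sample and a throwaway
# directory with a planted "csdark.css" (the article's renamed curl binary).
demo() {
  echo "== suspicious containers (constructed sample) =="
  sample_docker_ps | flag_containers

  scratch=$(mktemp -d)
  printf '#!/bin/sh\n' > "$scratch/csdark.css" && chmod 755 "$scratch/csdark.css"
  : > "$scratch/harmless.txt"
  echo "== executables in $scratch =="
  find_scratch_executables "$scratch"
  rm -rf "$scratch"
}

demo
# On a live host, feed real data to the same functions:
#   docker ps --format '{{.Names}}\t{{.Image}}\t{{.Status}}' | flag_containers
#   find_scratch_executables /dev/shm /tmp
```

Any hit from flag_containers is a starting point, not a verdict: a container can be legitimately named postfixd, and a real Postfix install runs as a host service, not as a proxyware image. Treat an executable in /dev/shm as suspicious by default, then follow the article's advice and trace how it got there (SSH auth logs, the user's shell history, the base64 blob that launched it) before cleaning up.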