Proxyware Malware Disguised as YouTube Video Download Site Distributes Harmful JavaScripts

Cybersecurity researchers have recently noted a significant increase in deceptive websites posing as YouTube video download services, which are used to distribute Proxyware malware. Victims attempting to download videos in MP4 format are redirected through various ad pages that intermittently display a download link for a seemingly legitimate application called “WinMemoryCleaner.” However, this façade conceals a multi-stage installer that ultimately deploys Proxyware, covertly commandeering the system’s network bandwidth. The initial executable, Setup.exe, extracts WinMemoryCleaner.exe into the Program Files directory and subsequently triggers an update script via WinMemoryCleanerUpdate.bat. Once executed, WinMemoryCleaner.exe conducts environment checks to avoid detection by virtual machines or sandbox environments, then executes a PowerShell payload that installs Node.js and retrieves a malicious JavaScript component from a remote server.

ASEC analysts have identified this method as a sophisticated evolution of previous Proxyware campaigns, highlighting the attackers’ use of GitHub for hosting intermediary tools. The subsequent stages involve the creation of two scheduled tasks—“Schedule Update” and “WindowsDeviceUpdates”—which ensure the JavaScript runs periodically under Node.js. This script communicates essential system information to a command-and-control server and awaits further instructions, which may include downloading additional scripts or initiating the final Proxyware installation. The researchers observed a shift from distributing only DigitalPulse and HoneyGain Proxyware to incorporating Infatica’s agent, thereby enhancing bandwidth theft capabilities. The ramifications of this campaign are twofold: affected systems suffer from reduced network performance, while the attackers monetise the stolen bandwidth through affiliate programs. 
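The persistence stage described above leaves a concrete artifact defenders can look for: scheduled tasks that launch Node.js against a script. The following PowerShell is an added hunting example, not code from the ASEC report; the two task names come from the report, while the pattern match on node.exe running a .js file and the output layout are assumptions.

```powershell
# Added hunting example (not from the ASEC write-up). Enumerates scheduled tasks
# whose action runs node.exe against a .js file, or whose name matches one of the
# two task names the report attributes to this campaign.
$SuspectTaskNames = @('Schedule Update', 'WindowsDeviceUpdates')   # from the report

function Get-SuspiciousNodeTasks {
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            # COM-handler actions have no Execute/Arguments; casting $null gives ''
            $exe       = [string]$action.Execute
            $argString = [string]$action.Arguments

            $byName   = $SuspectTaskNames -contains $task.TaskName
            $byAction = ($exe -match '(?i)(^|\\)node(\.exe)?\s*$') -and
                        ($argString -match '(?i)\.js(\s|$)')

            if ($byName -or $byAction) {
                [pscustomobject]@{
                    TaskName  = $task.TaskName
                    TaskPath  = $task.TaskPath
                    State     = $task.State
                    Execute   = $exe
                    Arguments = $argString
                    Reason    = if ($byName) { 'task name matches report' }
                                else         { 'node.exe launching a .js file' }
                }
            }
        }
    }
}

# Run and show the findings; an empty table means no match on this host.
Get-SuspiciousNodeTasks | Format-Table -AutoSize
```

A hit on the name alone is a strong indicator because neither task is a Windows default; a hit on the action pattern needs review, since legitimate software also schedules Node.js scripts, so compare the script path and the task's author and creation time against what the organisation actually deploys.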

Categories: Cybersecurity Threats, Malware Distribution, Proxyware Exploitation 

Tags: Cybersecurity, Proxyware, Malware, YouTube, WinMemoryCleaner, PowerShell, Node.js, Command-and-Control, Bandwidth, Infection Mechanism 
