Beware of Fake 7zip Installer: upStage Proxy

Over the past couple of weeks, analysts have been looking at a suspicious 7zip installer that turns the host into a residential proxy. I'm playfully calling this upStage Proxy (with a HeroQuest board game theme); the reason for the name will become clear in this article.

The installer comes from 7zip[.]com, which, while it looks professional and has been around for quite some time, is in fact not the official site for the 7-Zip tool. The official site is 7-zip.org.

The installer is signed with a (now revoked) certificate issued to "JOZEAL NETWORK TECHNOLOGY CO., LIMITED". The installer drops a version of 7zfm.exe that is also signed by this signer.

This version of 7zfm.exe differs from the official build in an important way: it has 3 files embedded within it (upHero.exe, hero.exe, and hero.dll).


Analysis of this has been interesting. The main payloads are Go-compiled binaries, which are dropped in C:\Windows\SysWOW64\hero.

upHero.exe appears to "upStage" hero.exe (which loads hero.dll) by punching a hole in the Windows Firewall for hero.

hero.exe is run and installed as a service on the machine. It cycles through multiple domains whose names follow patterns like smshero before finally making direct IP connections to ports 1000 or 1002 (as observed at the time of this writing).

Another interesting aspect is the relation to wirevpn and isharkvpn, and embedded strings shared with many other samples. A pivot on a YARA rule I built finds many of these interesting binaries with common string structures.


Even more interesting is how little attention this has received at the time of this writing. Most of the initial public analysis has been by myself, s1dhy, and Andrew Danis.


There are a couple of good sandbox runs of this, including on app.any.run and Joe Sandbox. More recently, Japanese researchers have begun to notice this: Qiita and WizSafe Security have some writeups on it.

Some of the biggest breakthroughs in understanding this suspicious behavior come from s1dhy, who shared a script and screenshots demonstrating how hero pulls its config to connect to the direct IP:PORT.

While I was analyzing the traffic PCAPs from multiple systems, it became clear to me that these are not VPN connections: the protocols don't match up, and there were repeated characters and some clear text. I began to suspect a custom HTTP communication scheme was being employed. I quickly recognized what looks like XOR encoding in some of the payload and was rewarded with uncovering multiple domains when applying XOR key 70.




Since the entire communication does not appear to be XOR encoded, I had to assume that there were communication setup markers/flags and additional payload information I wasn't seeing. I relayed this to others in the X post. S1dhy cracked the rest of this and shared this X post.
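The single-byte XOR step described above, written out as an added analyst helper (this is not the author's or s1dhy's script, and the frame layout is invented for illustration): the constructed sample embeds two domains from the IOC table behind a 4-byte plaintext header that stands in for the unencoded setup markers the post suspects, so decoding the whole frame yields junk at the front while decoding only the body recovers the domains. A brute-force key guesser is included for the case where the key is not yet known.

```python
import re

XOR_KEY = 70  # the single-byte key the post reports recovering (0x46)

# Generic host-name pattern; lowercase only, which covers the smshero / herosms style names.
DOMAIN_RE = re.compile(rb"(?:[a-z0-9-]+\.)+[a-z]{2,}")
PRINTABLE_RUN_RE = re.compile(rb"[\x20-\x7e]{4,}")  # runs of 4+ printable ASCII bytes, like `strings`


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte; the same call both encodes and decodes."""
    return bytes(b ^ key for b in data)


def printable_runs(data: bytes) -> list:
    """Return the printable ASCII runs in data, in order."""
    return [m.group(0) for m in PRINTABLE_RUN_RE.finditer(data)]


def extract_domains(data: bytes, key: int = XOR_KEY) -> list:
    """Decode with `key` and return the distinct domain-looking strings, in order found."""
    found = []
    for run in printable_runs(xor_bytes(data, key)):
        for m in DOMAIN_RE.finditer(run):
            d = m.group(0).decode("ascii")
            if d not in found:
                found.append(d)
    return found


def score_key(data: bytes, key: int) -> tuple:
    """Rank a candidate key: domain hits first, then how much of the output is printable."""
    decoded = xor_bytes(data, key)
    runs = printable_runs(decoded)
    domains = sum(len(DOMAIN_RE.findall(run)) for run in runs)
    printable = sum(len(run) for run in runs)
    return (domains, printable)


def guess_key(data: bytes) -> int:
    """Brute-force all 256 single-byte keys and return the best-scoring one."""
    return max(range(256), key=lambda k: score_key(data, k))


# Constructed sample, not a real capture: two domains from the IOC table separated by
# framing bytes, XOR-encoded with key 70, behind a 4-byte plaintext header that stands in
# for the unencoded setup markers the post mentions (the real layout is not on the page).
PLAINTEXT_BODY = b"\x00\x01flux.smshero.co\x00\x00nova.smshero.ai\x00\x10\x00"
PLAIN_HEADER = b"\x01\x00\x00\x2a"  # assumed header, hypothetical
CONSTRUCTED_FRAME = PLAIN_HEADER + xor_bytes(PLAINTEXT_BODY, XOR_KEY)


def decode_frame(frame: bytes, header_len: int = len(PLAIN_HEADER), key: int = XOR_KEY) -> tuple:
    """Split off the plaintext header and decode only the body.

    Decoding the whole frame instead would turn the header into junk like b'GFFl',
    which is the symptom the post describes for traffic that is not entirely XOR encoded.
    """
    return frame[:header_len], xor_bytes(frame[header_len:], key)


if __name__ == "__main__":
    print("guessed key:", guess_key(CONSTRUCTED_FRAME))
    print("domains:", extract_domains(CONSTRUCTED_FRAME))
    header, body = decode_frame(CONSTRUCTED_FRAME)
    print("header:", header.hex(), "decoded body:", body)
```

Because domain-shaped output is the primary score, the guesser prefers the key that produces dotted lowercase names over one that merely produces printable bytes, which is what distinguishes key 70 from the many keys that map letters to other letters.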

Some interesting further notes: many of the shared strings/domains that I've observed include similar names like upHola, upWhtatsapp (misspelled), upTiktok, and upWire, with similar firewall and SysWOW64 drop locations.

Update 01-25-2026: I had noticed last week that running from different region IPs resulted in different IP:Port connections. S1dhy confirmed this behavior and found several more IP connections, which are added to the IOCs below.

Conclusion: I agree with S1dhy that this appears to set up the host system as a proxy. Persistence is set via a service, the firewall is opened using netsh, and certain strings within the binary suggest it checks whether it is running on a VM. An IP lookup appears to occur (geolocation?), along with some basic system fingerprinting. This, combined with the fact that it's wrapped inside an installer that users believe to be the official one, suggests this isn't merely a PUP in my opinion. I am now curious to see more follow-on with this, and with some of the older samples like upHola.exe.

| Category | Indicator | Details / Notes |
|---|---|---|
| URL | https://update.7zip.cloud/7zipInstall.exe | Trojanized installer distribution URL |
| URL | https://gg.afn360.com/client_v1/config/http | Config endpoint observed in hero.dll strings |
| Domain | soc.hero-sms.co | Config / control domain |
| Domain | neo.herosms.co | Config / control domain |
| Domain | flux.smshero.co | Config / control domain |
| Domain | nova.smshero.ai | Config / control domain |
| Domain | zest.hero-sms.ai | Config / control domain |
| Domain | apex.herosms.ai | Config / control domain |
| Domain | mint.smshero.com | Config / control domain |
| Domain | vivid.smshero.vip | Config / control domain |
| Domain | spark.herosms.io | Config / control domain |
| Domain | prime.herosms.vip | Config / control domain |
| Domain | glide.smshero.cc | Config / control domain |
| Domain | pulse.herosms.cc | Config / control domain |
| IP:Port | 79.127.221.47:1000 | Tunnel / proxy endpoint |
| IP:Port | 84.17.37.1:1002 | Alternate tunnel / proxy endpoint |
| IP:Port | 89.187.169.66:1000 | Tunnel / proxy endpoint |
| IP:Port | 138.199.12.70:1000 | Tunnel / proxy endpoint |
| IP:Port | 156.146.44.213:1002 | Tunnel / proxy endpoint |
| IP:Port | 195.181.170.79:1000 | Tunnel / proxy endpoint |
| IP:Port | 195.181.175.120:10000 | Tunnel / proxy endpoint |
| IP:Port | 43.243.170.20:1000 | Tunnel / proxy endpoint |
| IP:Port | 79.127.221.41:1000 | Tunnel / proxy endpoint |
| IP:Port | 79.127.221.56:1000 | Tunnel / proxy endpoint |
| IP:Port | 79.127.241.51:1000 | Tunnel / proxy endpoint |
| IP:Port | 95.173.197.212:1002 | Tunnel / proxy endpoint |
| IP:Port | 84.17.56.88:1002 | Tunnel / proxy endpoint |
| File (SHA256) | 7zipInstall.exe | 63396fa92aa010e543e21cd8cb1bcccc |
| File (SHA256) | 7zfm.exe | 2009b69852a9b20bbbe85061e1ef9186 |
| File (SHA256) | hero.exe | e2022cedcea9b5ea81764996732a9880 |
| File (SHA256) | hero.dll | ddf75cc7e322d75de77b17c8ec887975 |
| File (SHA256) | uphero.exe | c4edf28177e72d1bfc482cf4d05a156b |
| Certificate Signer | JOZEAL NETWORK TECHNOLOGY CO., LIMITED | EV Code Signing (GlobalSign), observed on related files |

Note: the file hash values are reproduced exactly as published; they are 32 hex characters long, which is shorter than a full SHA-256 digest, so confirm the full-length hash from a sandbox report before using them for blocking.
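The host and network behaviors the post calls out (a netsh firewall exception for a binary under SysWOW64\hero, a process running from that directory, and direct connections to the listed IP:port endpoints or to the smshero / herosms naming family) can be turned into simple detection checks. The following is an added example, not tooling from the author or from s1dhy; it runs over constructed Sysmon-style event dictionaries (field names modelled on Sysmon's ProcessCreate and NetworkConnect events) and uses a subset of the IOC table above. The netsh command line in the sample is the standard `advfirewall firewall add rule` syntax, assumed here since the exact command the dropper runs is not on the page.

```python
import re

# Endpoints and name patterns taken from the IOC table in the post (a subset, for illustration).
IOC_ENDPOINTS = {
    ("79.127.221.47", 1000),
    ("84.17.37.1", 1002),
    ("89.187.169.66", 1000),
    ("138.199.12.70", 1000),
}
IOC_DOMAIN_RE = re.compile(r"\b(?:smshero|hero-sms|herosms)\.", re.I)
# Drop directory named in the post; the doubled backslashes are literal path separators.
DROP_DIR_RE = re.compile(r"\\SysWOW64\\hero\\", re.I)
NETSH_ADD_RULE_RE = re.compile(r"advfirewall\s+firewall\s+add\s+rule", re.I)
TUNNEL_PORTS = {1000, 1002}  # direct-connection ports observed in the post


def check_process(ev: dict) -> list:
    """Flags for a ProcessCreate-style event."""
    findings = []
    image, cmd = ev.get("Image", ""), ev.get("CommandLine", "")
    if image.lower().endswith("\\netsh.exe") and NETSH_ADD_RULE_RE.search(cmd) and DROP_DIR_RE.search(cmd):
        findings.append("netsh firewall rule added for a binary under SysWOW64\\hero")
    if DROP_DIR_RE.search(image):
        findings.append(f"process started from SysWOW64\\hero: {image}")
    return findings


def check_network(ev: dict) -> list:
    """Flags for a NetworkConnect-style event."""
    findings = []
    dst = (ev.get("DestinationIp", ""), int(ev.get("DestinationPort", 0)))
    if dst in IOC_ENDPOINTS:
        findings.append(f"connection to listed tunnel endpoint {dst[0]}:{dst[1]}")
    elif dst[1] in TUNNEL_PORTS and DROP_DIR_RE.search(ev.get("Image", "")):
        # Region-dependent endpoints (see the update note) will not all be in the list,
        # so a SysWOW64\hero process hitting port 1000/1002 anywhere is still worth a look.
        findings.append(f"SysWOW64\\hero process connecting to unlisted {dst[0]}:{dst[1]}")
    if IOC_DOMAIN_RE.search(ev.get("DestinationHostname", "")):
        findings.append(f"resolution of hero-sms/smshero family host: {ev['DestinationHostname']}")
    return findings


def scan(events: list) -> list:
    """Return (event_index, finding) pairs for every suspicious event."""
    hits = []
    for i, ev in enumerate(events):
        checker = check_process if ev.get("EventType") == "ProcessCreate" else check_network
        hits.extend((i, f) for f in checker(ev))
    return hits


# Constructed sample events (not real telemetry); 203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges used here as stand-ins for an unlisted endpoint and benign traffic.
SAMPLE_EVENTS = [
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": r'netsh advfirewall firewall add rule name="hero" dir=in action=allow '
                    r'program="C:\Windows\SysWOW64\hero\hero.exe"'},
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\SysWOW64\hero\hero.exe",
     "CommandLine": r"C:\Windows\SysWOW64\hero\hero.exe"},
    {"EventType": "NetworkConnect", "Image": r"C:\Windows\SysWOW64\hero\hero.exe",
     "DestinationIp": "79.127.221.47", "DestinationPort": 1000, "DestinationHostname": ""},
    {"EventType": "NetworkConnect", "Image": r"C:\Windows\SysWOW64\hero\hero.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 1002, "DestinationHostname": ""},
    {"EventType": "NetworkConnect", "Image": r"C:\Windows\SysWOW64\hero\hero.exe",
     "DestinationIp": "198.51.100.7", "DestinationPort": 443, "DestinationHostname": "nova.smshero.ai"},
    {"EventType": "ProcessCreate", "Image": r"C:\Program Files\7-Zip\7zFM.exe",
     "CommandLine": r'"C:\Program Files\7-Zip\7zFM.exe"'},
    {"EventType": "NetworkConnect", "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationIp": "198.51.100.5", "DestinationPort": 443, "DestinationHostname": "example.com"},
]

if __name__ == "__main__":
    for index, finding in scan(SAMPLE_EVENTS):
        print(f"event {index}: {finding}")
```

The two benign events at the end produce no findings, and the first five each produce exactly one, so the sample yields five hits in total.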


