Microsoft Store Apps + Go Backconnect Proxyware Part 2

Hello World,

I've observed some new stores and updated campaign behavior related to what I wrote about in Part 1. Some changes include the Store publisher names, DLL file names, and a move from koffi to ffi-rs for the loading of the Go based proxyware binary.

A detailed writeup on some of the new behaviors can be seen from HexaStrike who has named this campaign StoreSocks. I kind of like the name. Anyway, I don't intend this to be a long post, just some quick updates and observations on the campaign.

New Publisher Names

  • TECHNOLOGIES FOR BUSINESS LLC
  • SOFTWARE MATTERS LLC

Figure: Microsoft Store publisher page for Software Matters LLC

Figure: Microsoft Store publisher page for Technologies for Business LLC


New DLL file names:

  • telemetry.dll
  • /lib[A-Z0-9]{3}\.dll/

Figure: VirusTotal YARA hits for the Go proxyware DLLs

New C2:

  • gate1.storetelemetryapiapps.xyz
  • telemetrystoreapi1.xyz
  • storetelemetryapi.xyz

Figure: Local listener results for the proxyware running in a VM

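As an added example (not from the original post or from the campaign's own code), here is a small detection pass over constructed Sysmon-style image-load and DNS-query events that flags the DLL names and C2 domains listed above; the event format, event IDs and sample lines are assumptions made for the example.

```python
import re
from typing import Dict, List, Optional

# Indicators quoted from the post. The DLL pattern is kept case-sensitive,
# exactly as the post writes it.
DLL_NAME_RE = re.compile(r"^(telemetry|lib[A-Z0-9]{3})\.dll$")
C2_DOMAINS = {
    "gate1.storetelemetryapiapps.xyz",
    "telemetrystoreapi1.xyz",
    "storetelemetryapi.xyz",
}

# Constructed sample events in a simplified Sysmon-like key=value form
# (EventID 7 = image load, EventID 22 = DNS query). Not real telemetry.
SAMPLE_EVENTS = [
    "EventID=7 Image=C:\\Program Files\\WindowsApps\\Example\\app.exe ImageLoaded=C:\\Program Files\\WindowsApps\\Example\\telemetry.dll",
    "EventID=7 Image=C:\\Windows\\System32\\svchost.exe ImageLoaded=C:\\Windows\\System32\\kernel32.dll",
    "EventID=7 Image=C:\\Program Files\\WindowsApps\\Example\\app.exe ImageLoaded=C:\\Program Files\\WindowsApps\\Example\\libA1B.dll",
    "EventID=22 Image=C:\\Program Files\\WindowsApps\\Example\\app.exe QueryName=gate1.storetelemetryapiapps.xyz",
    "EventID=22 Image=C:\\Windows\\explorer.exe QueryName=www.microsoft.com",
    "EventID=22 Image=C:\\Program Files\\WindowsApps\\Example\\app.exe QueryName=sub.storetelemetryapi.xyz",
]

# Values may contain spaces (e.g. "Program Files"), so a value runs until
# the next " key=" token or end of line.
KV_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")


def parse_event(line: str) -> Dict[str, str]:
    return dict(KV_RE.findall(line))


def is_c2_domain(name: str) -> bool:
    # Match the listed domains and any subdomain of them.
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in C2_DOMAINS)


def check_event(event: Dict[str, str]) -> Optional[str]:
    if event.get("EventID") == "7":
        basename = event.get("ImageLoaded", "").rsplit("\\", 1)[-1]
        if DLL_NAME_RE.match(basename):
            return f"suspicious DLL load: {basename} by {event.get('Image')}"
    elif event.get("EventID") == "22":
        query = event.get("QueryName", "")
        if is_c2_domain(query):
            return f"DNS query to known C2 domain: {query} by {event.get('Image')}"
    return None


def scan(lines: List[str]) -> List[str]:
    return [hit for hit in (check_event(parse_event(l)) for l in lines) if hit]
```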
Additional Reading on recent Proxyware News:

This appears to be the same campaign, just updated with slightly new techniques and new publisher names. 

I have not seen any disclosure that installing their app would subject the end user to volunteering as part of a residential proxy network. If I missed such a notification, please let me know; otherwise, this appears to be deceptive: users are lured into installing "free" software while unknowingly offering their host as a proxy for others to use.

With recent news of TVs being part of a proxy network that was abused by threat actors, it becomes increasingly important to be aware of proxyware. While these services may not inherently have malicious intent, users of the service who "browse" through your home IP may do something nefarious or illegal that is then traced back to your home.
