Microsoft Store Apps + Go Backconnect Proxyware Part 2
Hello World,
A detailed writeup on some of the new behaviors can be seen from HexaStrike, who has named this campaign StoreSocks. I kind of like the name. Anyway, I don't intend this to be a long post, just some quick updates and observations on the campaign.
New Publisher Names
New DLL file names:
- gate1.storetelemetryapiapps.xyz
- telemetrystoreapi1.xyz
- storetelemetryapi.xyz
Additional Reading on recent Proxyware News:
- Nearly half of Smart TVs with Proxyware
- FBI Seizes NetNut Proxy Platform, Popa Botnet
- STORESOCKS – Microsoft Store Apps Deliver a Go Backconnect Proxy
- Microsoft Store Apps May Deliver Go Backconnect Proxy Malware Part 1
Detection
- SecurityMagic Github YARA
- Watch for unfamiliar DLL file names in the WindowsApps directory
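
One way to act on the second detection item, as an added example (not code from this post or from HexaStrike): a Python scan that lists DLLs under a WindowsApps-style tree which are missing from a known-good baseline or carry Go toolchain markers. It assumes package folders follow the `Name_Version_Arch_ResourceId_PublisherId` layout and that the proxy DLL is an ordinary Go build that keeps those markers; the baseline format, function names and sample files are constructed for illustration.

```python
import os, tempfile
from pathlib import Path

# Byte markers left in binaries by the Go toolchain (build-info magic, build ID).
GO_MARKERS = (b"\xff Go buildinf:", b"Go build ID:")

def is_go_binary(path, chunk=1 << 20):
    """Stream a file and report whether it carries a Go toolchain marker."""
    tail = b""
    with open(path, "rb") as fh:
        while block := fh.read(chunk):
            data = tail + block
            if any(m in data for m in GO_MARKERS):
                return True
            tail = data[-16:]  # overlap so a marker split across reads is still seen
    return False

def family(package_dir):
    """Name_Version_Arch_ResourceId_PublisherId -> name_publisherid (survives updates)."""
    parts = package_dir.split("_")
    return f"{parts[0]}_{parts[-1]}".lower() if len(parts) >= 5 else package_dir.lower()

def scan_dlls(root, baseline=frozenset()):
    """List DLLs under root that are absent from the baseline or look Go-built."""
    root, findings = Path(root), []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".dll"):
                continue
            full = Path(dirpath) / name
            key = f"{family(full.relative_to(root).parts[0])}/{name.lower()}"
            try:
                go = is_go_binary(full)
            except OSError:
                continue  # locked or access-denied file: skip it
            if go or key not in baseline:
                findings.append((key, key not in baseline, go))
    return sorted(findings)

def demo():
    """Run the scan over a constructed directory tree (not real campaign files)."""
    with tempfile.TemporaryDirectory() as tmp:
        pkg = Path(tmp) / "Contoso.Viewer_1.2.0.0_x64__abcd1234efgh5"
        pkg.mkdir()
        (pkg / "render.dll").write_bytes(b"MZ" + b"\x00" * 64)
        (pkg / "helper.dll").write_bytes(b"MZ" + b"\x00" * 64 + b"\xff Go buildinf:\x08")
        return scan_dlls(tmp, baseline={"contoso.viewer_abcd1234efgh5/render.dll"})

if __name__ == "__main__":
    for key, unfamiliar, go in demo():
        print(f"{key} unfamiliar={unfamiliar} go_built={go}")
```

On a real host, point `scan_dlls` at `C:\Program Files\WindowsApps` from an elevated session and build the baseline from a clean reference machine; a Go marker alone is a triage hint, not a verdict.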
Final Thoughts:
This appears to be the same campaign, just updated with slightly new techniques and new publisher names.
I have not seen any disclosure that installing their app would subject the end user to volunteering to be part of a residential proxy network. If I missed seeing any notification, please let me know; otherwise, this appears to be deceptive, luring users into installing "free" software, but unknowingly offering their host as a proxy for others to use.
With recent news trends on TVs being part of a proxy network that was abused by threat actors, it becomes increasingly important to be aware of proxyware. While these may not inherently have malicious intent, users of the service that "browse" through your home IP may do something nefarious or illegal that may be tracked back to your home.



