3proxy

3proxy is an open-source, dual-use proxy utility that has been observed deployed by North Korean-linked threat actors, particularly Andariel (also tracked as Silent Chollima, Stonefly, and Onyx Sleet), to maintain access and provide proxy/tunneling capability inside victim environments. The provided reporting describes 3proxy as part of intrusion chains associated with DTrack and Maui ransomware activity, including one case where a 3proxy binary compiled on 2020-09-09 was deployed to a victim on 2020-12-25, months before DTrack and Maui were executed on the same server. In another intrusion, a file renamed from osc.tmp to osc.exe was assessed with high confidence to be 3proxy, and was used alongside PuTTY plink to create proxying and reverse-tunneled access into victim networks. The content identifies 3proxy as one of several open-source or dual-use tools used or customized by Andariel for execution, tunneling, concealment, and maintaining access. Associated campaigns in the source material involved exploitation of internet-facing services such as HFS and Oracle WebLogic (including CVE-2017-10271), as well as broader Andariel exploitation of public-facing web servers and VMware Horizon/Log4j in separate reporting. Victim sectors and geographies mentioned in the surrounding activity include healthcare, energy, defense, aerospace, nuclear, engineering, and organizations in Japan, India, the United States, Canada, and elsewhere. High-confidence indicators directly tied to 3proxy in the content are limited to the malware/tool name, the renamed file osc.exe assessed as 3proxy, and the compilation/deployment timing noted above.