PROXYLIB
Techniques & procedures
12 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
2 techniques
Dutch authorities seized 200 servers running a 17-million-device botnet linked to proxy service Asocks.
Researchers discovered 28 Android apps on Google Play that secretly enrolled up to 190,000 devices into the proxy network without users’ knowledge or consent.
Initial Access
1 technique
Dozens of Android applications were drawn into the botnet, without their authors' knowledge (via a malicious SDK).
Execution
2 techniques
The AppProService class contains all of the malicious code to obtain the C2 server domain and load the libgojni.so native library.
Networks of this kind usually grow through the exploitation of vulnerabilities and malicious applications.
Persistence
1 technique
The AppProWorker and the AppProReceiver classes are simply responsible for starting the service. The former starts the service when the application runs for the first time, and the latter enables the service's persistence and executes whenever the device is booted.
Privilege Escalation
1 technique
The AppProWorker and the AppProReceiver classes are simply responsible for starting the service. The former starts the service when the application runs for the first time, and the latter enables the service's persistence and executes whenever the device is booted.
Stealth
2 techniques
Command and Control
3 techniques
More than 200 servers were seized that had been used to control a network of 17 million infected devices.
Asocks is a company that provides its clients with residential proxies, which allow traffic to be passed through third parties' devices and are often used to hide a user's real location or identity.
The C2 (nsignal[.]net in the example below) is used to initiate a bidirectional socket on port 1334 through which the proxy traffic will be forwarded.
Impact
1 technique
The LumiApps platform promotes itself and its SDK as an alternative app monetization method to rendering ads to users. According to their FAQ and available information, the platform rewards developers with cash payment based on the amount of traffic that gets routed through user devices.
IOCs tracked for this family
10 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
Recent activity
3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Proxy botnet linked by researchers to Asocks infrastructure; it involved dozens of Android applications via a malicious SDK and turned infected devices into residential proxy nodes without users' knowledge.
A botnet/proxy malware operation linked to ASOCKS that enrolls infected devices into a residential proxy network, allowing their traffic to be routed through compromised systems without users’ knowledge.
A botnet/proxy malware operation linked to ASOCKS that covertly enrolls infected devices into a residential proxy network, allowing traffic routing through compromised consumer devices without user consent.