As per Palo Alto researchers, a Russian company’s domain is being used by attackers, which inherently is a patent Web proxy service.
The malware has been named ProxyBack and it was firstly discovered in March 2014 but its functioning has only recently been understood by researchers.
Palo Alto Networks experts believe that most educational institutes located in Europe have become the targets of this malware and regular home-use PCs are attacked for funneling internet traffic illegally.
These infected PCs aren’t used to hide the location of a hacker but are advertised as trusted proxy servers listed in an online proxy service that operate from Russian outskirts.
ProxyBack performs its task by firstly infecting a PC and creating a connection with the attacker controlled proxy server from where it receives commands and also the traffic that is to be routed to real web servers.
Every PC that ProxyBack infects becomes a bot inside a bigger network that is already being controlled by the attackers, who then send instructions through basic HTTP requests.
Though the researchers couldn’t find any reliable electronic trail to identify the perpetrators that use the buyproxy.rudomain but they have discovered that IPs of some of the infected machines did appear in their online advertisement as IPs of some of the available proxy servers.
“Whether the people behind ‘buyproxy[.]ru’ are responsible for the distribution of the ProxyBack malware or not is unknown; however, it is clear that the ProxyBack malware is designed for, and used in, their service.”
In the past, Palo Alto researchers exposed hackers exploiting Kaspersky and Microsoft products to install snooping malware on users PCs. The firm also identified YiSpecter, WireLurker andXcodeGhost malware in iOS devices.