AI Security AI安全 1d ago Updated 1d ago 更新于 1天前 46

Fake 7-Zip Installers Turn Devices Into Residential Proxy Nodes 假冒的7-Zip安装程序将设备转化为住宅代理节点

A threat actor dubbed "Lurging Lizard" operates an end-to-end malicious residential proxy business, using over 230 lookalike domains and trojanized software installers to recruit devices. The campaign targets multiple platforms (Windows, macOS, Android) by distributing fake versions of popular tools like 7-Zip, WhatsApp, and WireVPN, often leveraging expired domain history for legitimacy. The operation includes a sophisticated monetization strategy involving impersonation of legitimate proxy pro 威胁行为体“Lurking Lizard”利用伪造的7-Zip安装程序等诱饵,将受害者设备招募为住宅代理节点,构建端到端的恶意代理业务。 该团伙运营超过230个仿冒域名,冒充IPIDEA、SmartProxy等知名服务商,并通过虚假评论网站引流至其欺诈性商店进行变现。 攻击者采用“drop-catching”技术获取过期域名以继承信誉,并利用WireVPN等品牌在多操作系统(Android、macOS、Windows)上分发恶意软件。 此次披露揭示了住宅代理黑产从设备获取、基础设施搭建到营销变现的全生命周期运作模式,风险与近期Google打击的NetNut网络类似。

65
Hot 热度
70
Quality 质量
60
Impact 影响力

Analysis 深度分析

TL;DR

  • A threat actor dubbed "Lurging Lizard" operates an end-to-end malicious residential proxy business, using over 230 lookalike domains and trojanized software installers to recruit devices.
  • The campaign targets multiple platforms (Windows, macOS, Android) by distributing fake versions of popular tools like 7-Zip, WhatsApp, and WireVPN, often leveraging expired domain history for legitimacy.
  • The operation includes a sophisticated monetization strategy involving impersonation of legitimate proxy providers (e.g., IPIDEA, SmartProxy) and fake review sites to drive traffic to scam storefronts.
  • This activity highlights a growing trend where consumer IoT devices and personal computers are co-opted into large-scale botnets for unauthorized proxy services, posing significant risks to IP reputation and network security.

Why It Matters

This incident demonstrates the increasing sophistication of cybercriminal ecosystems that integrate malware distribution, brand impersonation, and affiliate marketing to create sustainable illicit businesses. For security professionals, it underscores the critical need to monitor not just traditional malware vectors but also the abuse of legitimate-looking software updates and domain expiration strategies. Furthermore, it reveals how residential proxy networks are becoming a primary infrastructure for broader cyberattacks, affecting the integrity of IP addresses used by everyday consumers.

Technical Details

  • Distribution Vectors: The actor uses trojanized installers for well-known software (7-Zip, WhatsApp, WireVPN) hosted on lookalike domains (e.g., "7zip[.]com" vs. official "7-zip[.]org"). They also employ drop-catching techniques to acquire expired domains with established trust histories.
  • Infrastructure Scale: The operation utilizes more than 230 lookalike domains and has been linked to datasets containing millions of unique IP addresses, indicating a massive pool of compromised devices acting as proxy nodes.
  • Cross-Platform Targeting: The campaign spans Windows, macOS, and Android. Notably, an Android app named "wirevpn - Fast Unlimited Proxy" claimed over 1 million downloads, suggesting a multi-pronged acquisition strategy beyond desktop malware.
  • Monetization Ecosystem: The actor impersonates major proxy providers (IPIDEA, SmartProxy, IP Royal) and creates fake independent review sites to funnel traffic to their own storefronts, effectively reselling access to the botnet.
  • Link Analysis: Embedded URLs such as "iplogger[.]com/mnWD" were found across various samples, linking different fake installers (7-Zip, TikTok/YouTube downloaders, WireVPN) to the same underlying infrastructure.

Industry Insight

  • Supply Chain and Software Integrity: Organizations must enforce strict controls on software installation sources, particularly for common utilities like archivers and VPNs. Users should verify digital signatures and domain authenticity rigorously.
  • Reputation Management for ISPs and Enterprises: As residential IPs are increasingly used for malicious activities, legitimate users risk having their IPs blacklisted. ISPs and cloud providers need enhanced monitoring to detect and mitigate traffic originating from compromised residential devices.
  • Regulatory and Platform Accountability: The involvement of app stores and domain registrars in facilitating this ecosystem suggests a need for stricter vetting processes for apps claiming to be proxies or utilities, and better enforcement against domain squatting and impersonation.

TL;DR

  • 威胁行为体“Lurking Lizard”利用伪造的7-Zip安装程序等诱饵,将受害者设备招募为住宅代理节点,构建端到端的恶意代理业务。
  • 该团伙运营超过230个仿冒域名,冒充IPIDEA、SmartProxy等知名服务商,并通过虚假评论网站引流至其欺诈性商店进行变现。
  • 攻击者采用“drop-catching”技术获取过期域名以继承信誉,并利用WireVPN等品牌在多操作系统(Android、macOS、Windows)上分发恶意软件。
  • 此次披露揭示了住宅代理黑产从设备获取、基础设施搭建到营销变现的全生命周期运作模式,风险与近期Google打击的NetNut网络类似。

为什么值得看

这篇文章揭示了住宅代理黑产的高度组织化和商业化特征,展示了攻击者如何像合法企业一样运营完整的供应链和营销体系。对于安全从业者和企业而言,理解这种端到端的恶意代理生态有助于识别潜在的流量异常,并防范因自家设备被劫持而导致的法律合规风险及声誉损失。

技术解析

  • 社会工程学诱饵:主要使用特洛伊化的7-Zip安装程序,以及伪装成WhatsApp下载器、TikTok/YouTube工具、WireVPN等热门应用的移动端APK,通过教程内容、搜索引擎优化和仿冒域名吸引用户。
  • 域名策略:大量使用仿冒域名(如“7zip[.]com”而非官方的“7-zip[.]org”),并利用“drop-catching”技术收购过期域名以继承其历史信誉和SEO权重,规避早期检测。
  • 基础设施与关联分析:通过WHOIS分析和基础设施指纹识别,推断出该团伙位于中国;研究发现SmartProxy的部分IP地址与已被Google拆除的IPIDEA基础设施存在重叠,暗示可能存在非法转售或共用底层资源的情况。
  • 多平台覆盖:攻击范围涵盖桌面端(Windows/macOS)和移动端(Android),其中一款名为“wirevpn - Fast Unlimited Proxy”的应用在Google Play上获得了超过100万次下载,显示了其在移动端的渗透能力。

行业启示

  • 住宅代理市场的信任危机:随着更多非法代理网络(如NetNut、Lurking Lizard)被曝光,企业和用户对住宅IP服务的真实性验证需求激增,缺乏严格审核的代理供应商将面临巨大的合规和声誉风险。
  • 终端安全防御升级:普通用户设备(包括IoT设备、智能电视、手机)正成为黑产的重要资源池,需加强针对伪装成常用软件的恶意安装包的检测能力,并提高用户对非官方渠道下载的警惕性。
  • 全链条打击的重要性:单一的反病毒措施难以根除此类犯罪,需要结合DNS情报、域名监控、应用商店审核以及跨国执法合作,从基础设施、营销链路到资金结算进行全链条打击。

Disclaimer: The above content is generated by AI and is for reference only. 免责声明:以上内容由 AI 生成,仅供参考。

Security 安全