MS SQL Servers Compromised to Steal Bandwidth Using Proxyware

What is Proxyware?

• Remote users can use the bandwidth for a variety of tasks, such as testing, content distribution, and market research.
• The device's owner receives a revenue share of the fees charged to customers in exchange for sharing their bandwidth.
• Peer2Profit and IPRoyal are two companies that offer this type of service.

Infecting MS SQL

• The first step includes targeting vulnerable MS SQL servers by installing Peer2Profit via a malware strain.
• The malware checks if the proxy client is running on the host. If deactivated, the malware can use the “p2p_start()” function to launch it.
• Once the proxyware is installed on a device, the software adds it as an available proxy for the remote users to assign tasks the way they want over the internet.

How do the providers earn?

• Companies that provide services profit from catering bandwidth to other users.
• Providers can use marketing tools to expand their business by claiming different business partners who use the service for different purposes on their web pages.
• Business partners' requirements may vary, such as distributing software, researching markets, verifying advertisements, and testing software.

• The provider takes a risk by installing proxyware because threat actors can use these proxies for illegal activities without the victim's knowledge.
• The service provider cannot know in detail which companies/customers use the proxyware platforms' services.
• Even if the user can independently verify the external customers, it is impossible to predict whether the owner's bandwidth will be maliciously exploited in the future.

Conclusion