Home Risk & Resilience Fake 7 Zip Installers Used By Lurking Lizard To Build Residential Proxy Network Across Compromised Devices

Fake 7 Zip Installers Used By Lurking Lizard To Build Residential Proxy Network Across Compromised Devices

0
Fake 7 Zip Installers Used By Lurking Lizard To Build Residential Proxy Network Across Compromised Devices

Cybersecurity researchers have uncovered a large scale operation run by a threat actor known as Lurking Lizard, which has been operating an end to end malicious residential proxy business using an infrastructure of more than 230 lookalike domains. According to DNS threat intelligence company Infoblox, the activity has been ongoing since at least August 2022 and involves multiple techniques to compromise devices and monetize them as part of a proxy network. One campaign observed earlier this year involved victims downloading a trojanized version of the popular file archiving software 7 Zip from a deceptive domain named 7zip.com. Once installed, the software quietly enrolled infected devices into an actor controlled residential proxy network.

Researchers found that Lurking Lizard has also impersonated several major proxy providers, including IPIDEA, SmartProxy, now known as Decodo, IP Royal, and 911Proxy. The operation extends beyond fake software downloads and includes fraudulent independent review websites that direct traffic to the group’s own proxy service storefronts. Analysis by Proxyway revealed that more than 773,000 unique IP addresses linked to SmartProxy also appeared in a publicly available IPIDEA dataset containing over 16 million unique IP addresses. This overlap suggests that SmartProxy may have directly resold IPIDEA infrastructure or relied heavily on it as a source of residential IP addresses. Researchers conducting WHOIS analysis and infrastructure fingerprinting believe that Lurking Lizard is likely based in China. The group has also used popular VPN services and platforms such as HeroSMS as decoys to distribute its proxy related malware.

One of the more notable tactics employed by the group involves acquiring expired domains in a process known as drop catching. By purchasing domains that already possess a history and reputation, attackers can exploit existing trust among users. In several cases, the group capitalized on commonly mistyped or incorrectly referenced domain names, such as using 7zip.com instead of the legitimate 7 Zip website. Further investigation of an IPLogger URL embedded in samples associated with the campaign revealed that the same infrastructure had also been used to distribute fake installers for applications including WhatsApp, tools claiming to download content from TikTok and YouTube, and software branded as WireVPN. Researchers described the use of WireVPN branding as the latest phase of the operation, targeting users across Windows, macOS, and Android platforms. An Android application named “wirevpn Fast Unlimited Proxy,” developed by a company called WEILAI NETWORK TECHNOLOGY CO., LIMITED, has reportedly exceeded one million downloads, although researchers said it remains unclear whether those installations were legitimate or artificially inflated.

According to Infoblox, the operation functions through a two stage process in which trojanized applications and other lures first recruit victim devices into a proxy botnet and the resulting infrastructure is then monetized through fake proxy brands and promotional websites. Researchers said the activity illustrates a coordinated ecosystem involving victim acquisition, infrastructure management, marketing, and monetization. The findings also come shortly after Google announced that it had significantly disrupted the NetNut residential proxy network, also known as Popa, which allegedly turned at least two million devices, including smart televisions and streaming devices, into channels for unauthorized internet traffic through malware embedded in software development kits and applications. Google warned that such activity poses serious risks because compromised home internet connections can be used by cybercriminals to launch attacks and other unauthorized operations, potentially causing legitimate users to have their internet traffic flagged as suspicious or blocked by service providers.

Follow the SPIN IDG WhatsApp Channel for updates across the Smart Pakistan Insights Network covering all of Pakistan’s technology ecosystem.