Cyber: Malicious 7-zip Site Distributes Installer Laced With Proxy Tool

A fake 7-Zip website is distributing a trojanized installer of the popular archiving tool that turns the user’s computer into a residential proxy node.

Residential proxy networks use home user devices to route traffic with the goal of evading blocks and performing various malicious activities such as credential stuffing, phishing, and malware distribution.

The campaign came to wider attention after a user reported downloading a malicious installer from a website impersonating the 7-Zip project while following a YouTube tutorial on building a PC. BleepingComputer can confirm that the malicious website, 7zip[.]com, is still live.

The threat actor registered the domain 7zip[.]com, which can easily trick users into thinking they have landed on the legitimate tool's site.

Furthermore, the attacker copied the text and mimicked the structure of the original 7-Zip website located at 7-zip.org.

The installer file was analyzed by researchers at cybersecurity company Malwarebytes, who found that it is digitally signed with a now-revoked certificate originally issued to Jozeal Network Technology Co., Limited.

The malicious copy also contains the 7-Zip program, thus providing the regular functions of the tool. However, the installer drops three malicious files:

These files are placed in the ‘C:\Windows\SysWOW64\hero\’ directory, and an auto-start Windows service running as SYSTEM is created for the two malicious executables.

Additionally, firewall rules are modified using ‘netsh’ to allow the binaries to establish inbound and outbound connections.

Finally, the host system is profiled with Microsoft's Windows Management Instrumentation (WMI) and Windows APIs to determine its hardware, memory, CPU, disk, and network characteristics. The collected data is then sent to ‘iplogger[.]org’.
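The host behaviours described above (a SYSTEM service whose binary sits under ‘C:\Windows\SysWOW64\hero\’, a ‘netsh’ firewall rule allowing a binary from that directory, and a lookup of iplogger[.]org) can be turned into a simple hunt over endpoint telemetry. The script below is an added example, not code from the article or from Malwarebytes; it assumes telemetry has already been normalised into dictionaries, and the file names in the sample records are placeholders because the article does not name the dropped files.

```python
import re

# Indicators taken from the article: drop directory and profiling-data sink.
DROP_DIR = "c:\\windows\\syswow64\\hero\\"
EXFIL_DOMAIN = "iplogger.org"
PROGRAM_ARG = re.compile(r'program="?([^"\s]+)"?', re.IGNORECASE)


def in_drop_dir(path):
    """True if a (possibly quoted) path lives under the article's drop directory."""
    return path.strip('"').lower().startswith(DROP_DIR)


def inspect_event(ev):
    """Return finding strings for one normalised telemetry record (assumed schema)."""
    findings = []
    kind = ev.get("type")
    if kind == "service_install":
        # Auto-start service running as SYSTEM with its binary in the drop directory.
        if in_drop_dir(ev["image_path"]) and ev.get("account", "").lower() in ("localsystem", "system"):
            findings.append(f"service '{ev['name']}' runs {ev['image_path']} as SYSTEM")
    elif kind == "process_create":
        # netsh used to open the firewall for a binary in the drop directory.
        cmd = ev["command_line"]
        if "netsh" in ev["image"].lower() and "firewall" in cmd.lower():
            m = PROGRAM_ARG.search(cmd)
            if m and in_drop_dir(m.group(1)):
                findings.append(f"netsh firewall rule allows {m.group(1)}")
    elif kind == "dns_query":
        # Profiling data is sent to iplogger[.]org according to the article.
        q = ev["query"].lower().rstrip(".")
        if q == EXFIL_DOMAIN or q.endswith("." + EXFIL_DOMAIN):
            findings.append(f"{ev['image']} resolved {ev['query']} (profiling data sink)")
    return findings


def hunt(events):
    """Run inspect_event over every record and collect the findings."""
    out = []
    for ev in events:
        out.extend(inspect_event(ev))
    return out


# Constructed sample records; PLACEHOLDER_*.exe stand in for the unnamed dropped files.
SAMPLE_EVENTS = [
    {"type": "service_install", "name": "HeroSvc", "account": "LocalSystem",
     "image_path": r"C:\Windows\SysWOW64\hero\PLACEHOLDER_1.exe"},
    {"type": "process_create", "image": r"C:\Windows\System32\netsh.exe",
     "command_line": 'netsh advfirewall firewall add rule name="hero" dir=in action=allow '
                     'program="C:\\Windows\\SysWOW64\\hero\\PLACEHOLDER_1.exe"'},
    {"type": "dns_query", "image": r"C:\Windows\SysWOW64\hero\PLACEHOLDER_2.exe", "query": "iplogger.org"},
    {"type": "service_install", "name": "Spooler", "account": "LocalSystem",
     "image_path": r"C:\Windows\System32\spoolsv.exe"},  # benign: outside the drop directory
    {"type": "process_create", "image": r"C:\Windows\System32\netsh.exe",
     "command_line": "netsh interface show interface"},  # benign: no firewall rule
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print("[!]", finding)
```

Running the block flags the three constructed malicious records and ignores the two benign ones.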

Source: BleepingComputer