Fake 7zip Installer Targets Users with UpStage Proxy Malware
UpStage Proxy, a sophisticated malware strain, is being distributed through a fake 7zip installer. This fake installer, which mimics the legitimate 7zip software, deceives unsuspecting users by carrying a code-signing certificate that gives it a false appearance of trustworthiness.
Upon installation, the malware opens a backdoor, granting remote attackers full control over the infected system, turning it into a residential proxy that can be used for malicious purposes. The incident represents a growing trend of exploiting software download platforms to distribute malware.
How the Fake 7zip Installer Works
The attack begins when a user downloads the installer from a fake 7zip website, 7zip[.]com, which appears legitimate but is actually controlled by cybercriminals. The fake installer is signed with a revoked certificate issued to “JOZEAL NETWORK TECHNOLOGY CO., LIMITED”, which has since been flagged as suspicious. Although the signature lends the installer an air of legitimacy, a revoked certificate offers no assurance, and the signed file still delivers the malware’s payload.
Once executed, the installer drops several malicious files on the system:
- 7zfm.exe: A disguised executable that masquerades as the legitimate 7zip installer.
- upHreo.exe, hero.exe, hero.dll: Payload components that activate the malware and establish persistent access on the infected machine.
These components work together to exploit system privileges and establish remote access for the attacker. The upHreo.exe file uses netsh (a Windows command-line utility) to open a port and disable the firewall, ensuring that the malware can connect to external Command-and-Control (C2) servers without interference.
The Proxy Mechanism and Command-and-Control Communication
The malicious files also enable the malware to turn the infected system into a residential proxy. By hijacking system resources and routing network traffic through the infected machine, the attacker can use the system to conduct malicious activities without raising suspicion.
This proxy functionality can be abused for various purposes, including anonymizing cyberattacks, data scraping, and malicious traffic routing.
In addition to the proxy capabilities, the malware uses XOR encryption (a simple key-based obfuscation) to hide C2 communications. This helps prevent detection by security tools and makes it harder for defenders to identify malicious traffic patterns.
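XOR-obfuscated traffic of this kind is cheap for an analyst to strip once a capture is in hand. The following is an added example (not code from the original report or from the malware) showing the two standard approaches: brute-forcing a single-byte key by scoring how text-like the output is, and recovering a repeating key from a known-plaintext crib such as "HTTP/1.1". The sample message and the key 0x5A are constructed for this example; only the `/client_v1/config/http` path is taken from the article's IoC table.

```python
import string
from typing import Optional

# Constructed sample: a made-up beacon (the path is from the article's IoC table,
# the rest is invented) XOR-encoded with a single-byte key chosen for this example.
SAMPLE_PLAINTEXT = b"GET /client_v1/config/http HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
SAMPLE_KEY = bytes([0x5A])
SAMPLE_CIPHERTEXT = bytes(b ^ SAMPLE_KEY[0] for b in SAMPLE_PLAINTEXT)

# Letters, digits and space score well; other printable bytes are neutral;
# anything else (control bytes, high bytes) is penalised heavily.
_GOOD = set((string.ascii_letters + string.digits + " ").encode())
_NEUTRAL = set((string.punctuation + "\t\r\n").encode())


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key. XOR is its own inverse, so this encodes and decodes."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def text_score(data: bytes) -> int:
    """Higher means more plausible as text. One control byte costs more than a
    handful of good bytes can make up for, so near-miss keys do not outrank the real one."""
    score = 0
    for b in data:
        if b in _GOOD:
            score += 1
        elif b not in _NEUTRAL:
            score -= 20
    return score


def rank_single_byte_keys(ciphertext: bytes, top: int = 3) -> list:
    """Brute-force all 256 single-byte keys; return the best (key, score) pairs."""
    scored = [(k, text_score(xor_bytes(ciphertext, bytes([k])))) for k in range(256)]
    scored.sort(key=lambda ks: (-ks[1], ks[0]))
    return scored[:top]


def recover_key_with_crib(ciphertext: bytes, crib: bytes, key_len: int = 1) -> Optional[bytes]:
    """Known-plaintext recovery: slide the crib over the ciphertext and return the
    first repeating key of key_len bytes that is consistent with it at some offset.
    The crib must be at least key_len bytes long so every key byte is pinned down."""
    if len(crib) < key_len:
        raise ValueError("crib shorter than key length")
    for off in range(len(ciphertext) - len(crib) + 1):
        key = [None] * key_len
        consistent = True
        for j, p in enumerate(crib):
            kb = ciphertext[off + j] ^ p
            idx = (off + j) % key_len
            if key[idx] is None:
                key[idx] = kb
            elif key[idx] != kb:
                consistent = False
                break
        if consistent and None not in key:
            return bytes(key)
    return None


if __name__ == "__main__":
    best_key, best_score = rank_single_byte_keys(SAMPLE_CIPHERTEXT)[0]
    print(f"brute force: key=0x{best_key:02x} score={best_score}")
    print(xor_bytes(SAMPLE_CIPHERTEXT, bytes([best_key])).decode())
    print("crib recovery:", recover_key_with_crib(SAMPLE_CIPHERTEXT, b"HTTP/1.1"))
```

The brute-force path is what you reach for when you have only a capture; the crib path is what you use once a decoded sample tells you what the protocol looks like (a fixed header, a JSON prefix), and it also handles multi-byte repeating keys, which frequency scoring alone does not.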
The malware connects to the C2 servers to receive commands, which include file exfiltration, data collection, and system manipulation.
The attackers also maintain control over the victim’s machine for extended periods, ensuring that the malware persists through reboots by installing it as a system service. It uses PowerShell scripts to maintain its foothold, creating multiple persistence mechanisms to avoid detection.
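The netsh firewall tampering described above and the service-based PowerShell persistence described here are both visible in process-creation telemetry. The following is an added example (not code from the original report) of detection logic run over constructed Sysmon-style process events: it flags the dropped file names from the article, child processes spawned by them, netsh commands that disable the firewall or open a port, service creation, and PowerShell launched with hidden-window or policy-bypass flags. The paths, the service name "HeroSvc" and the exact command lines are invented for the example; only the file names and port 1000 come from the article.

```python
import re
from typing import Iterable

# File names the article attributes to the fake installer (7zipInstall.exe,
# upHreo.exe / uphero.exe, hero.exe, hero.dll, 7zfm.exe), compared case-insensitively.
DROPPED_NAMES = {"7zipinstall.exe", "uphreo.exe", "uphero.exe", "hero.exe", "hero.dll", "7zfm.exe"}

# The genuine 7-Zip file manager is also called 7zFM.exe, so the name alone would
# alert on every real 7-Zip install; it is only flagged when run from elsewhere.
LEGIT_7ZIP_DIRS = ("c:\\program files\\7-zip\\", "c:\\program files (x86)\\7-zip\\")

# Command-line patterns for the behaviours the article describes: netsh turning the
# firewall off or opening a port, service installation for persistence, and
# PowerShell launched with flags that keep a script hidden or bypass policy.
RULES = [
    ("firewall_disabled",
     re.compile(r"\bnetsh\s+(advfirewall|firewall)\s+set\b.*\bstate\s+off\b", re.I)),
    ("firewall_port_opened",
     re.compile(r"\bnetsh\s+(advfirewall\s+firewall\s+add\s+rule|firewall\s+add\s+portopening)\b", re.I)),
    ("service_created",
     re.compile(r"\bsc(\.exe)?\s+create\b|\bNew-Service\b", re.I)),
    ("powershell_hidden_or_bypass",
     re.compile(r"\bpowershell(\.exe)?\b.*(-w(indowstyle)?\s+hidden|-e(xecutionpolicy|p)\s+bypass|-e(nc|ncodedcommand)?\s)", re.I)),
]

# Constructed events in a simplified Sysmon Event ID 1 shape (image, parent image,
# command line). Invented for this example; not telemetry from the report.
SAMPLE_EVENTS = [
    {"image": r"C:\Users\alice\Downloads\7zipInstall.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": "7zipInstall.exe"},
    {"image": r"C:\Users\alice\AppData\Local\Temp\upHreo.exe", "parent": r"C:\Users\alice\Downloads\7zipInstall.exe",
     "cmdline": "upHreo.exe"},
    {"image": r"C:\Windows\System32\netsh.exe", "parent": r"C:\Users\alice\AppData\Local\Temp\upHreo.exe",
     "cmdline": "netsh advfirewall set allprofiles state off"},
    {"image": r"C:\Windows\System32\netsh.exe", "parent": r"C:\Users\alice\AppData\Local\Temp\upHreo.exe",
     "cmdline": 'netsh advfirewall firewall add rule name="hero" dir=in action=allow protocol=TCP localport=1000'},
    {"image": r"C:\Windows\System32\sc.exe", "parent": r"C:\Users\alice\AppData\Local\Temp\upHreo.exe",
     "cmdline": 'sc create HeroSvc binPath= "C:\\ProgramData\\hero\\hero.exe" start= auto'},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "parent": r"C:\ProgramData\hero\hero.exe",
     "cmdline": 'powershell.exe -w hidden -ep bypass -c "Start-Service HeroSvc"'},
    # Benign: the real 7-Zip file manager launched from its install directory.
    {"image": r"C:\Program Files\7-Zip\7zFM.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": '"C:\\Program Files\\7-Zip\\7zFM.exe"'},
    # Benign: ordinary netsh use that touches no firewall setting.
    {"image": r"C:\Windows\System32\netsh.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "netsh interface show interface"},
]


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_dropped_file(image: str) -> bool:
    """True if the image is one of the dropped file names and not the genuine 7-Zip binary."""
    name = basename(image)
    if name not in DROPPED_NAMES:
        return False
    if name == "7zfm.exe" and image.lower().startswith(LEGIT_7ZIP_DIRS):
        return False
    return True


def evaluate(events: Iterable[dict]) -> list:
    """Return (event_index, reason) pairs for every rule an event trips."""
    hits = []
    for i, ev in enumerate(events):
        if is_dropped_file(ev.get("image", "")):
            hits.append((i, "dropped_file_name"))
        if is_dropped_file(ev.get("parent", "")):
            hits.append((i, "spawned_by_dropped_file"))
        for reason, rx in RULES:
            if rx.search(ev.get("cmdline", "")):
                hits.append((i, reason))
    return hits


def summarize(events: Iterable[dict]) -> dict:
    """Group hits by event index: {index: {reason, ...}}."""
    summary = {}
    for i, reason in evaluate(events):
        summary.setdefault(i, set()).add(reason)
    return summary


if __name__ == "__main__":
    for idx, reasons in sorted(summarize(SAMPLE_EVENTS).items()):
        print(idx, basename(SAMPLE_EVENTS[idx]["image"]), sorted(reasons))
```

The parent-process check is the part that carries weight: netsh and sc.exe are used legitimately all day, but netsh disabling the firewall with a freshly downloaded executable as its parent is a combination that almost never occurs on a healthy endpoint.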
Indicators of Compromise (IoCs)
Below are the IoCs related to this attack, which can be used to track the malware’s presence on compromised systems:
| Category | Indicator | Details / Notes |
|---|---|---|
| URL | https://update.7zip[.]cloud/7zipInstall.exe | Trojanized installer distribution URL |
| URL | https://gg[.]afn360[.]com/client_v1/config/http | Config endpoint observed in hero.dll strings |
| Domain | soc[.]hero-sms[.]co | Config / control domain |
| Domain | neo[.]herosms[.]co | Config / control domain |
| Domain | flux[.]smshero[.]co | Config / control domain |
| Domain | nova[.]smshero[.]ai | Config / control domain |
| Domain | zest[.]hero-sms[.]ai | Config / control domain |
| Domain | apex[.]herosms[.]ai | Config / control domain |
| Domain | mint[.]smshero[.]com | Config / control domain |
| Domain | vivid[.]smshero[.]vip | Config / control domain |
| Domain | spark[.]herosms[.]io | Config / control domain |
| Domain | prime[.]herosms[.]vip | Config / control domain |
| Domain | glide[.]smshero[.]cc | Config / control domain |
| Domain | pulse[.]herosms[.]cc | Config / control domain |
| IP:Port | 79[.]127[.]221[.]47:1000 | Tunnel / proxy endpoint |
| IP:Port | 84[.]17[.]37[.]1:1002 | Alternate tunnel / proxy endpoint |
| IP:Port | 89[.]187[.]169[.]66:1000 | Tunnel / proxy endpoint |
| IP:Port | 138[.]199[.]12[.]70:1000 | Tunnel / proxy endpoint |
| IP:Port | 156[.]146[.]44[.]213:1002 | Tunnel / proxy endpoint |
| IP:Port | 195[.]181[.]170[.]79:1000 | Tunnel / proxy endpoint |
| IP:Port | 195[.]181[.]175[.]120:10000 | Tunnel / proxy endpoint |
| IP:Port | 43[.]243[.]170[.]20:1000 | Tunnel / proxy endpoint |
| IP:Port | 79[.]127[.]221[.]41:1000 | Tunnel / proxy endpoint |
| IP:Port | 79[.]127[.]221[.]56:1000 | Tunnel / proxy endpoint |
| IP:Port | 79[.]127[.]241[.]51:1000 | Tunnel / proxy endpoint |
| IP:Port | 95[.]173[.]197[.]212:1002 | Tunnel / proxy endpoint |
| IP:Port | 84[.]17[.]56[.]88:1002 | Tunnel / proxy endpoint |
| File (SHA256) | 7zipInstall.exe | 63396fa92aa010e543e21cd8cb1bcccc |
| File (SHA256) | 7zfm.exe | 2009b69852a9b20bbbe85061e1ef9186 |
| File (SHA256) | hero.exe | e2022cedcea9b5ea81764996732a9880 |
| File (SHA256) | hero.dll | ddf75cc7e322d75de77b17c8ec887975 |
| File (SHA256) | uphero.exe | c4edf28177e72d1bfc482cf4d05a156b |
| Certificate Signer | JOZEAL NETWORK TECHNOLOGY CO., LIMITED | EV Code Signing (GlobalSign), observed on related files |
Source: blog.lukeacha.com
Note on the file hashes: the values in the "File (SHA256)" rows are 32 hexadecimal characters long, which is the length of an MD5 digest (a SHA-256 digest has 64), so confirm the digest type against the original report before loading them into a hash blocklist.
Detection and Mitigation
Detection of this malware can be achieved by monitoring for unusual network traffic, particularly outbound traffic on port 8080 to suspicious IP addresses and connections to the tunnel endpoints listed in the IoC table. Additionally, file integrity checks and hash matching against known malicious files such as the dropped 7zfm.exe (which shares its name with the legitimate 7-Zip file manager, so match on hash and path rather than name alone) can help identify infected machines.
Organizations should also ensure that users only download software from official sources. Implementing application whitelisting and using advanced endpoint protection solutions can prevent the installation of unauthorized applications. Furthermore, regular security patching and user awareness campaigns can help mitigate the risk of falling victim to similar attacks in the future.
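Putting the IoC table to work means refanging the indicators and matching them against DNS and flow telemetry, with the hash-length check applied before anything goes into a blocklist. The following is an added example (not code from the original report) that does this over constructed DNS query and netflow-style log lines; a subset of the article's domains, endpoints and hashes is embedded, the log formats are invented for the example, and the matching logic is the same for the full table.

```python
import ipaddress
import re
from typing import Optional

# Indicators copied from the article's IoC table in their defanged form (subset).
IOC_DOMAINS = ["soc[.]hero-sms[.]co", "nova[.]smshero[.]ai", "pulse[.]herosms[.]cc", "glide[.]smshero[.]cc"]
IOC_ENDPOINTS = ["79[.]127[.]221[.]47:1000", "84[.]17[.]37[.]1:1002", "195[.]181[.]175[.]120:10000"]
IOC_FILE_HASHES = {"7zipInstall.exe": "63396fa92aa010e543e21cd8cb1bcccc",
                   "hero.dll": "ddf75cc7e322d75de77b17c8ec887975"}

# Constructed log samples (invented for this example): "ts client qtype qname" and
# "ts src sport dst dport proto". The 7-zip.org query is the legitimate vendor site.
SAMPLE_DNS_LOG = """\
2025-01-10T09:12:03Z 10.0.0.5 A nova.smshero.ai
2025-01-10T09:12:04Z 10.0.0.5 A www.7-zip.org
2025-01-10T09:15:40Z 10.0.0.9 A cdn.pulse.herosms.cc
"""
SAMPLE_FLOW_LOG = """\
2025-01-10T09:12:08Z 10.0.0.5 51234 79.127.221.47 1000 tcp
2025-01-10T09:12:09Z 10.0.0.5 51235 79.127.221.47 443 tcp
2025-01-10T09:12:10Z 10.0.0.6 51236 1.1.1.1 53 udp
"""


def refang(indicator: str) -> str:
    """Turn a defanged indicator ("[.]", "hxxp") back into its matchable form."""
    return (indicator.replace("[.]", ".")
            .replace("hxxps://", "https://").replace("hxxp://", "http://"))


def hash_kind(digest: str) -> Optional[str]:
    """Classify a hex digest by length: MD5 = 32, SHA-1 = 40, SHA-256 = 64 characters."""
    if not re.fullmatch(r"[0-9a-fA-F]+", digest):
        return None
    return {32: "md5", 40: "sha1", 64: "sha256"}.get(len(digest))


def domain_matches(query: str, ioc: str) -> bool:
    """Exact match or a subdomain of the indicator (never a mere suffix like evilnova.…)."""
    q, d = query.lower().rstrip("."), ioc.lower()
    return q == d or q.endswith("." + d)


def parse_endpoint(endpoint: str) -> tuple:
    ip, _, port = endpoint.rpartition(":")
    return str(ipaddress.ip_address(ip)), int(port)


def match_dns(lines: str) -> list:
    hits = []
    for line in lines.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, _qtype, qname = parts
        for ioc in IOC_DOMAINS:
            if domain_matches(qname, refang(ioc)):
                hits.append({"source": "dns", "ts": ts, "client": client,
                             "observed": qname, "indicator": refang(ioc), "confidence": "high"})
    return hits


def match_flows(lines: str) -> list:
    """ip:port hits are high confidence; the same IP on another port is worth a look
    but is reported lower, since the endpoints sit on shared hosting ranges."""
    endpoints = {parse_endpoint(refang(e)) for e in IOC_ENDPOINTS}
    ioc_ips = {ip for ip, _ in endpoints}
    hits = []
    for line in lines.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        ts, src, _sport, dst, dport, _proto = parts
        observed = f"{dst}:{dport}"
        if (dst, int(dport)) in endpoints:
            hits.append({"source": "flow", "ts": ts, "client": src, "observed": observed, "confidence": "high"})
        elif dst in ioc_ips:
            hits.append({"source": "flow", "ts": ts, "client": src, "observed": observed, "confidence": "medium"})
    return hits


if __name__ == "__main__":
    for name, digest in IOC_FILE_HASHES.items():
        print(f"{name}: {digest} looks like {hash_kind(digest)}")
    for hit in match_dns(SAMPLE_DNS_LOG) + match_flows(SAMPLE_FLOW_LOG):
        print(hit)
```

Refanging is done at match time rather than when the table is pasted in, so the indicators stay in their safe-to-share form in the source file and cannot be clicked or fetched by accident.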
Conclusion
The fake 7zip installer distributing UpStage Proxy represents a growing trend in the exploitation of trusted software platforms for cybercriminal purposes. By turning compromised systems into proxies and using encryption to hide C2 communications, the malware demonstrates the advanced capabilities of modern cyberattacks. Security professionals must be vigilant, regularly monitor network traffic, and employ robust security measures to protect against these types of attacks.