Proxy Virus

Proxy Virus, also known as MITM Proxy Virus, has gained popularity as a form of browser-hijacking software. To propagate this infection, cybercriminals frequently exploit various adware-type applications, often infiltrating computers without user consent. These adware programs are also known to deliver intrusive advertisements and collect browsing-related data.

The initial installation process of adware appears innocuous, but upon installation, users encounter a deceptive pop-up message prompting them to update the Safari web browser. After clicking "OK," users are presented with another pop-up requesting account credentials. This inadvertently grants adware permission to manipulate the Safari browser.

Additionally, rogue installers use a bash script to connect to a remote server and download a .zip archive, from which a .plist file is extracted and copied to the LaunchDaemons directory. This .plist file references another file named "Titanium.Web.Proxy.Examples.Basic.Standard." Two additional scripts ("change_proxy.sh" and "trush_cert.sh") are then executed after the next reboot. The "change_proxy.sh" script changes the system proxy settings to use an HTTP/S proxy at "localhost:8003," while the "trush_cert.sh" script installs a trusted SSL certificate into the keychain, so the proxy can intercept HTTPS traffic without triggering browser certificate warnings.

The cybercriminals responsible for this infection leverage Titanium Web Proxy, an open-source asynchronous HTTP(S) proxy written in C#. It is a cross-platform proxy capable of running on various operating systems, including macOS.
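As an added example (not part of the original write-up or of the Titanium Web Proxy project), the following Python script audits a host for the two configuration artefacts described above: a launchd plist that references the known file names, and a system web proxy pointed at localhost:8003. The plist and the `networksetup -getwebproxy` output it parses are constructed samples, and the "Key: Value" output format of `networksetup` is an assumption.

```python
import plistlib
import re

# File names taken from the write-up: the LaunchDaemon plist references the
# Titanium Web Proxy example binary, and two helper scripts run after reboot.
KNOWN_NAMES = re.compile(r"Titanium\.Web\.Proxy|change_proxy\.sh|trush_cert\.sh")
# The proxy endpoint the infection configures, per the write-up.
MITM_PROXY = ("localhost", 8003)


def plist_indicators(plist_bytes: bytes) -> list[str]:
    """Return Program/ProgramArguments entries of a launchd plist that match the known names."""
    data = plistlib.loads(plist_bytes)
    candidates = [data["Program"]] if "Program" in data else []
    candidates += data.get("ProgramArguments", [])
    return [c for c in candidates if KNOWN_NAMES.search(c)]


def parse_networksetup(output: str) -> dict[str, str]:
    """Turn the 'Key: Value' lines printed by `networksetup -getwebproxy <service>` into a dict
    (assumed output format)."""
    fields = {}
    for line in output.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def proxy_points_at_mitm(output: str) -> bool:
    """True when the parsed proxy settings are enabled and point at localhost:8003."""
    f = parse_networksetup(output)
    return (f.get("Enabled") == "Yes"
            and f.get("Server", "").lower() == MITM_PROXY[0]
            and f.get("Port") == str(MITM_PROXY[1]))


# Constructed sample inputs (not captured from a real infection).
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.helper</string>
  <key>ProgramArguments</key><array>
    <string>/Library/Application Support/Titanium.Web.Proxy.Examples.Basic.Standard</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""
SAMPLE_PROXY_OUTPUT = "Enabled: Yes\nServer: localhost\nPort: 8003\nAuthenticated Proxy Enabled: 0\n"

if __name__ == "__main__":
    print("plist hits:", plist_indicators(SAMPLE_PLIST))
    print("proxy redirected to local MITM:", proxy_points_at_mitm(SAMPLE_PROXY_OUTPUT))
```

On a live macOS host the same functions can be fed each file under /Library/LaunchDaemons and the output of `networksetup -getwebproxy` / `-getsecurewebproxy` for every network service.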

How Does Proxy Virus Work?

The primary objective of this infection is to hijack search engines, enabling cybercriminals to manipulate internet search results. While using a proxy for this purpose is unconventional, cybercriminals typically modify browser settings via browser-hijacking applications to redirect users to specific URLs, often resembling legitimate search engines like Bing, Yahoo, or Google. However, these fake search engines may yield results leading to malicious websites, evident through continuous redirects to dubious sites.

Using a proxy makes the scheme more involved for the cybercriminals but also more reliable. Fake search results are delivered by tampering with the legitimate search engine's responses, so users receive deceptive results even when using authentic search engines like Google.

Such deceptive tactics not only diminish the browsing experience but also pose significant risks, potentially leading to further computer infections and increased traffic to certain websites, facilitating revenue generation through advertising.

The presence of Proxy Virus drastically affects browsing experiences and may lead to further computer infections. Adware-type applications are notorious for delivering advertisements, which, when clicked, can redirect users to malicious websites or trigger the download/installation of other unwanted apps. These ads, often overlaid on website content, further degrade browsing experiences.

Moreover, adware-type applications clandestinely gather sensitive user information, including IP addresses, visited website URLs, search queries, and more, which may be exploited by cybercriminals for monetary gain through misuse of private data.

April 24, 2024