Malwarebytes has issued a warning about a trojanized version of 7-Zip, the widely used file archiver, that quietly turns infected home computers into proxy nodes. The installer, distributed from 7zip[.]com rather than the project's legitimate domain 7-zip.org, behaves like the genuine 7-Zip program but also stealthily installs additional malicious payloads.
How Trojanized 7-Zip Spreads and Acts
The trojanized installer's main purpose is to enrol infected systems as residential proxy nodes, so that third parties can route their internet traffic through victims' IP addresses. The malware also carries detection-evasion logic, such as checking for analysis tools before it runs its payload.
According to Stefan Dasic, Manager of Research and Response at Malwarebytes, any system that has installed software from 7zip[.]com should be considered compromised. Malwarebytes also found the software tied to proxyware operations, with references to well-known platforms such as Hola VPN, TikTok, WhatsApp and Wire.
Avoiding Trojanized Downloads
The incident came to light after a Reddit user described being infected after downloading 7-Zip from the malicious site. The user had followed a link from a YouTube tutorial in which 7zip[.]com was cited by mistake instead of the legitimate 7-zip.org domain.
Dasic highlighted the risk posed by YouTube tutorials, where a small error in otherwise trustworthy content can send viewers to a malicious site. He urged users to verify software sources, download only from official domains, and treat an unexpected code-signing identity on an installer as a warning sign.
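The check below is an added example, not code from the article or from Malwarebytes. It compares the host in a download URL with the vendor's official domain and flags near-misses of the kind that caught the Reddit user (7zip[.]com versus 7-zip.org). It goes a little beyond the article's single case: it also catches the official name used as a subdomain of another site and one- or two-character typos. The `OFFICIAL` allowlist, the sample URLs and the edit-distance threshold are assumptions for the example; `registrable()` takes the last two labels of a hostname, which is adequate for .org/.com but not for country-code second-level domains such as .co.uk.

```python
"""Added example (not from the article): classify a download URL as coming
from the vendor's official domain, a lookalike, or an unrelated site.
The OFFICIAL table, threshold and sample URLs are assumptions."""
import re
from urllib.parse import urlsplit

# Assumed allowlist: the only domain this vendor publishes installers from.
OFFICIAL = {"7-zip": ["7-zip.org"]}


def registrable(host):
    """Last two labels of a hostname. Fine for .org/.com, not for
    country-code second-level domains such as .co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def skeleton(domain):
    """Second-level label with everything but letters and digits removed,
    so '7-zip' and '7zip' collapse to the same string."""
    return re.sub(r"[^a-z0-9]", "", domain.split(".")[0])


def levenshtein(a, b):
    """Plain dynamic-programming edit distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url, product, max_distance=2):
    """Return 'official', 'lookalike' or 'unrelated' for a download URL."""
    host = (urlsplit(url).hostname or "").lower()
    dom = registrable(host)
    for official in OFFICIAL[product]:
        if dom == official:
            return "official"
        # Official name buried in a longer host, e.g. 7-zip.org.mirror.example
        if official in host:
            return "lookalike"
        # Same name with punctuation dropped, a different TLD, or a short typo
        if levenshtein(skeleton(dom), skeleton(official)) <= max_distance:
            return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample URLs; the paths are placeholders, not real files.
    for u in ("https://www.7-zip.org/download.html",
              "https://7zip.com/a/installer.exe",
              "https://7-zip.org.mirror.example/a/installer.exe",
              "https://example.com/7-zip.exe"):
        print(classify(u, "7-zip"), u)
```

A check like this belongs in a download script or an allowlisting proxy rather than in the user's head; the point of the article's Reddit case is that a human reading a tutorial did not notice the missing hyphen.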
Tips for Enterprise Defenders
Enterprise defenders should monitor endpoints for newly installed or unauthorized Windows services, alert on changes to host firewall rules, and block known command-and-control (C2) domains and proxy endpoints at the network perimeter, so that similar infections are prevented or at least contained.
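The script below is an added example, not code from the article or from Malwarebytes. It shows the two host-side signals the paragraph names (new Windows services and firewall-rule changes) turned into detection logic run over exported event records. The event IDs are the real Windows ones: 7045 in the System log for a newly installed service, and 4946/4947 in the Security log for a firewall exception rule added or modified. The records themselves are constructed for the example in a flattened key=value form such as a SIEM export might use; the `USER_WRITABLE` path list and the `KNOWN_*` baselines are assumptions that would come from your own environment. It is not telemetry from the 7zip[.]com campaign.

```python
"""Added example (not from the article): flag new Windows services and
firewall-rule changes in exported event records. Event IDs 7045/4946/4947
are real; the records, path list and baselines below are assumptions."""
import re

# Constructed sample records, not real telemetry from the 7zip[.]com campaign.
SAMPLE_EVENTS = [
    "EventID=7045 Host=WS01 ServiceName=Windows Update ImagePath=C:\\Windows\\System32\\svchost.exe -k netsvcs StartType=auto",
    "EventID=7045 Host=WS01 ServiceName=NetSvcHelper ImagePath=C:\\Users\\alice\\AppData\\Local\\Temp\\svc.exe StartType=auto",
    "EventID=4946 Host=WS01 RuleName=svc inbound Direction=Inbound Action=Allow Program=C:\\Users\\alice\\AppData\\Local\\Temp\\svc.exe",
    "EventID=4946 Host=WS02 RuleName=Core Networking - DNS Direction=Outbound Action=Allow Program=C:\\Windows\\System32\\svchost.exe",
    "EventID=4947 Host=WS03 RuleName=Remote Helper Direction=Inbound Action=Allow Program=C:\\Program Files\\Helper\\helper.exe",
    "EventID=4624 Host=WS01 LogonType=3 TargetUserName=alice",
]

# Assumed baseline: directories no sanctioned service binary should run from,
# and the services and firewall rules the organisation already knows about.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\", "\\downloads\\")
KNOWN_SERVICES = {"windows update"}
KNOWN_RULES = {"core networking - dns", "remote desktop"}


def parse_event(line):
    """Parse 'Key=value Key=value'. Values may contain spaces, so each value
    runs lazily up to the next ' Key=' boundary or end of line."""
    return {m.group(1): m.group(2) for m in re.finditer(r"(\w+)=(.*?)(?= \w+=|$)", line)}


def suspicious_service(ev):
    """7045: service whose binary lives in a user-writable path, or a service
    not on the baseline at all."""
    name = ev.get("ServiceName", "").lower()
    path = ev.get("ImagePath", "").lower()
    if any(seg in path for seg in USER_WRITABLE):
        return f"service '{ev['ServiceName']}' runs from user-writable path {ev['ImagePath']}"
    if name not in KNOWN_SERVICES:
        return f"unbaselined service '{ev['ServiceName']}' ({ev['ImagePath']})"
    return None


def suspicious_fw_rule(ev):
    """4946/4947: rule added or modified. An inbound allow for a program in a
    user-writable path is the strongest signal; anything unbaselined is next."""
    rule = ev.get("RuleName", "").lower()
    prog = ev.get("Program", "").lower()
    inbound_allow = ev.get("Direction") == "Inbound" and ev.get("Action") == "Allow"
    if inbound_allow and any(seg in prog for seg in USER_WRITABLE):
        return f"inbound allow rule '{ev['RuleName']}' for user-writable program {ev['Program']}"
    if rule not in KNOWN_RULES:
        return f"unbaselined firewall rule '{ev['RuleName']}' ({ev['Direction']}/{ev['Action']})"
    return None


HANDLERS = {"7045": suspicious_service, "4946": suspicious_fw_rule, "4947": suspicious_fw_rule}


def scan(lines):
    """Return (host, event_id, reason) for every record a handler flags;
    event IDs without a handler are ignored."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        handler = HANDLERS.get(ev.get("EventID"))
        if handler:
            reason = handler(ev)
            if reason:
                findings.append((ev.get("Host"), ev["EventID"], reason))
    return findings


if __name__ == "__main__":
    for host, eid, reason in scan(SAMPLE_EVENTS):
        print(f"[{host}] {eid}: {reason}")
```

The path-based rule is the one worth keeping even without a maintained baseline: a service registered by a legitimate installer points at Program Files or System32, while a payload dropped by a trojanized installer tends to run from the user's profile or a temp directory, and a firewall exception for that same path is the companion change to look for.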