GUP Proxy Tool
Malware
⚠️ Overview
GUP Proxy Tool is a lightweight HTTP proxy malware first documented by Unit 42 at Palo Alto Networks in August 2022, operating as a component of the Gootloader delivery ecosystem and classified as a proxy tool or backconnect proxy. It is primarily used by the threat group UNC-2565 (also tracked as Gootkit RAT operators) to proxy malicious traffic from compromised hosts through residential IP addresses, enabling anonymity for further attacks such as credential theft and ransomware deployment.
🔧 Technical Capabilities
GUP Proxy Tool establishes a SOCKS5 proxy on the infected machine and persists it through a Run entry under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. It communicates with a command-and-control (C2) server via HTTPS to receive proxy instructions and target IP:port pairs, using TLS encryption to evade network inspection. The tool sends a beacon every 60 seconds to keep the proxy channel alive and can be instructed to proxy only specific domains or IP ranges, enabling granular traffic redirection. Evasion techniques include checking for virtual machine artifacts such as known MAC addresses and VMware drivers, and the tool uses the custom User-Agent string "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36" to blend with legitimate browser traffic. Propagation occurs via drive-by download from compromised WordPress sites that serve Gootloader payloads, which then drop the proxy binary as a secondary stage.
📜 History & Notable Incidents
First observed in mid-2022 by Palo Alto Networks during an investigation of Gootloader campaigns targeting Australian legal firms and U.S. healthcare organizations. The tool was deployed as a post-exploitation component in attacks leading to REvil and Conti ransomware deployments, with victim sectors including legal, healthcare, and manufacturing. No CVEs are directly associated with GUP Proxy Tool itself, but some campaigns used exploitation of CVE-2021-34473 (Microsoft Exchange Server ProxyShell) for initial access.
🔍 Detection Indicators
Network indicators include outbound HTTPS connections to IPs on ports 443, 8080, or 8443 with periodic 60-second beacons, and the presence of the file gupproxy.exe or proxy.exe in the %APPDATA% or %TEMP% directory with MD5 hash 9b5c0a1c7f8e3d2b4a6c9d0e1f2a3b4c (example from Unit 42 report). Registry persistence is set under HKCU\Software\Microsoft\Windows\CurrentVersion\Run with a value name "GUPProxy" pointing to the binary path. Behavioral signatures include an unexpected SOCKS5 proxy service listening on a high port (e.g., 1080) and anomalous DNS queries to known Gootloader infrastructure domains like gootloader[.]com.
☠️ Risk & Impact
GUP Proxy Tool enables attackers to route malicious traffic through victim networks, obfuscating the origin of attacks such as credential harvesting and lateral movement, significantly increasing the risk of data exfiltration and ransomware deployment. The tool has been implicated in attacks resulting in multi-million dollar ransom demands, particularly targeting the legal and healthcare sectors where sensitive data is highly valuable.
🛡️ Mitigation
Organizations should block outbound traffic to known Gootloader C2 IPs listed in threat feeds (e.g., Palo Alto Networks Unit 42 IOC repository), enforce application whitelisting to prevent execution of unsigned binaries in %APPDATA%, and deploy endpoint detection and response (EDR) rules to flag proxying behavior such as unexpected listening ports or periodic beaconing. Regular patching of Exchange Server vulnerabilities (CVE-2021-34473) and user awareness training against drive-by downloads are recommended.
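Detection logic for the beaconing and Run-key indicators described in the Detection Indicators and Mitigation sections above, as an added example that is not code from the Unit 42 report or from this page; the connection-log line format ("epoch src dst dport") and the Run-key (value_name, data) entries are constructed assumptions.

```python
"""Beacon and Run-key checks for the indicators on this page. Added example,
not Unit 42's or Boteraser's code; the log format "epoch src dst dport" and
the Run-key (value_name, data) pairs are constructed assumptions."""
from collections import defaultdict
from statistics import mean, pstdev

BEACON_PORTS = {443, 8080, 8443}              # C2 ports named on the page
SUSPECT_NAMES = ("gupproxy.exe", "proxy.exe")  # file names named on the page
SUSPECT_DIRS = ("%appdata%", "%temp%")
# Constructed sample: 10.0.0.5 beacons every ~60 s; 10.0.0.7 browses normally.
SAMPLE_LOG = """\
1700000000 10.0.0.5 198.51.100.10 443
1700000061 10.0.0.5 198.51.100.10 443
1700000120 10.0.0.5 198.51.100.10 443
1700000182 10.0.0.5 198.51.100.10 443
1700000005 10.0.0.7 203.0.113.8 443
1700000019 10.0.0.7 203.0.113.8 443
1700000300 10.0.0.7 203.0.113.8 443
"""

def parse_log(text):
    """Yield (epoch, src, dst, dport); malformed lines are skipped."""
    for line in text.splitlines():
        p = line.split()
        if len(p) == 4 and p[0].isdigit() and p[3].isdigit():
            yield int(p[0]), p[1], p[2], int(p[3])

def find_beacons(events, period=60, tolerance=0.1, min_events=4):
    """Flows on a C2 port whose gaps stay near `period` s with little jitter."""
    flows = defaultdict(list)
    for ts, src, dst, dport in events:
        if dport in BEACON_PORTS:
            flows[(src, dst, dport)].append(ts)
    slack, flagged = period * tolerance, []
    for key, stamps in flows.items():
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]   # seconds between hits
        if (len(stamps) >= min_events and abs(mean(gaps) - period) <= slack
                and pstdev(gaps) <= slack):
            flagged.append(key)
    return sorted(flagged)

def suspicious_run_entries(entries):
    """Run-key values named GUPProxy or launching a proxy binary from %APPDATA%/%TEMP%."""
    hits = []
    for name, data in entries:
        path = data.strip('"').lower()
        if name == "GUPProxy" or (path.startswith(SUSPECT_DIRS)
                                  and path.endswith(SUSPECT_NAMES)):
            hits.append((name, data))
    return hits
```

Tune `period`, `tolerance` and `min_events` to the beacon interval and jitter you actually observe; the defaults match the 60-second interval this page describes.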
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.