Coroxy is a multifaceted malware, also known as SystemBC, DroxiDat, or Proxy, that serves as a backdoor and remote access tool (RAT), adapting to the requirements of attackers. It has been associated with the Play ransomware group, and its infection chain includes various tools such as PsExec, NetScan, WinSCP, WinRAR, and the Coroxy backdoor itself. These tools are hosted on an IP address previously linked to Play ransomware attacks, which further solidifies the connection between Coroxy and this group. Black-box analysis observed the Coroxy backdoor connecting to 45[.]76[.]165[.]129, an IP address that resolves to different domains matching those registered by Prolific Puma.
The Coroxy backdoor has been detected establishing connections to the aforementioned IP address, which also hosts tools used in previous Play ransomware attacks: PsExec, NetScan, WinSCP, WinRAR, and the Coroxy backdoor itself, as detailed in research by Trend Micro. That several different domains resolve to the IP address the Coroxy backdoor connects to suggests a complex network of malicious activity and demonstrates the sophistication of this malware operation.
To further validate the link between Coroxy and the Play ransomware group, the same IP address, which hosts the Coroxy backdoor, was tested. The results confirmed the association, indicating that the groups behind these threats might be related or even the same. In conclusion, Coroxy represents a significant threat due to its multifunctionality and its association with known ransomware groups, making it a critical focus for cybersecurity efforts.
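As an added illustration of how a defender might operationalise the indicators above (this is example code, not from the description or from Trend Micro's research), the following refangs the published C2 address and correlates, per host, outbound connections to it with execution of the tools named in the infection chain. The `key=value` telemetry format and the sample log lines are constructed assumptions.

```python
from collections import defaultdict

# Indicator quoted in the description above, kept defanged as written there.
COROXY_C2_DEFANGED = "45[.]76[.]165[.]129"

# Tooling the description names in the Coroxy / Play infection chain.
CHAIN_TOOLS = {"psexec.exe", "netscan.exe", "winscp.exe", "winrar.exe"}

def refang(indicator: str) -> str:
    """Undo common defanging so the indicator can be compared against logs."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")

def parse_line(line: str) -> dict:
    """Parse one constructed 'key=value' log line (hypothetical format)."""
    return dict(kv.split("=", 1) for kv in line.split() if "=" in kv)

def correlate(lines, c2_ip: str) -> dict:
    """Per host: whether it contacted the C2 IP and which chain tools it ran."""
    hosts = defaultdict(lambda: {"c2": False, "tools": set()})
    for line in lines:
        rec = parse_line(line)
        host = rec.get("host")
        if not host:
            continue
        if rec.get("event") == "netconn" and rec.get("dst") == c2_ip:
            hosts[host]["c2"] = True
        elif rec.get("event") == "proc":
            # Compare only the image file name, case-insensitively.
            image = rec.get("image", "").rsplit("\\", 1)[-1].lower()
            if image in CHAIN_TOOLS:
                hosts[host]["tools"].add(image)
    return dict(hosts)

def alert_hosts(lines, c2_ip: str = None) -> list:
    """Hosts that reached the C2 IP, ranked by how many chain tools also ran."""
    c2_ip = c2_ip or refang(COROXY_C2_DEFANGED)
    hits = correlate(lines, c2_ip)
    return sorted(((h, len(r["tools"])) for h, r in hits.items() if r["c2"]),
                  key=lambda hr: (-hr[1], hr[0]))

# Constructed sample telemetry, not real logs.
SAMPLE_LOGS = [
    "ts=2024-08-14T09:00:01Z host=ws-01 event=netconn dst=203.0.113.7 dport=443",
    "ts=2024-08-14T09:00:05Z host=ws-02 event=netconn dst=45.76.165.129 dport=443",
    "ts=2024-08-14T09:01:10Z host=ws-02 event=proc image=C:\\Windows\\Temp\\PsExec.exe",
    "ts=2024-08-14T09:02:30Z host=ws-02 event=proc image=C:\\Users\\op\\netscan.exe",
    "ts=2024-08-14T09:03:00Z host=ws-03 event=proc image=C:\\Tools\\WinRAR.exe",
    "ts=2024-08-14T09:04:00Z host=ws-04 event=netconn dst=45.76.165.129 dport=443",
]
```

A host that only runs WinRAR or PsExec is ordinary administrative noise, so the ranking keys on the C2 contact first and uses the tool cluster to prioritise triage.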
Description last updated: 2024-08-14T09:47:44.772Z