Socks5Systemz Proxy Botnet Infects Around 10,000 Systems Worldwide

A previously undocumented proxy botnet called Socks5Systemz is being distributed via PrivateLoader and Amadey malware loaders to infect computers worldwide. According to researchers, the botnet has been around since 2016 but remained under the radar only to be discovered recently.

Since October, Socks5Systemz has infected approximately 10,000 systems across the globe, including India, Brazil, Colombia, South Africa, Bangladesh, Angola, the U.S., and Nigeria.

Modus operandi
The attack leverages phishing, exploit kits, malvertising, and trojanized executables to distribute the malware loaders.
As part of the latest infection, the attackers had used backconnect servers to communicate with port 1074/TCP.
Once installed, the malware loaders drop and execute a file named previewer.exe, which ultimately causes the execution of the botnet.
The botnet, a 300 KB 32-bit DLL, uses a DGA system to connect with its C2 server and receive commands to compromise machines.
Once connected to the threat actors’ infrastructure, the infected device is used as a proxy server and sold to other threat actors.
A user called ‘boost’ was spotted selling access to compromised accounts and access to proxies under two subscription tiers on a Telegram channel.

The botnet network
BitSight mapped at least 53 servers of Socks5Systemz, all located in Europe and distributed across France, Bulgaria, Netherlands, and Sweden.
These servers served as a medium for several purposes, such as proxy bot, backconnect, custom DNS, and proxy check online.

Similar incidents observed in the past
Proxy botnets are a lucrative business for cybercriminals, leaving a significant impact on internet security and bandwidth hijacking.
In August, AT&T analysts revealed an extensive proxy network of over 10,000 IPs for the Adload malware. The malware sample analyzed was used to infect macOS systems.
In another incident, the FBI warned of a rising trend of cybercriminals using residential proxies to conduct large-scale credential-stuffing attacks. As part of the attack, cybercriminals took advantage of commonly used passwords to take over victims’ accounts and used them to perform malicious activities.

Conclusion
To stay protected from the current threat, organizations are recommended to deploy detection tools, such as IDS/IPS, email security gateways, and firewalls, to thwart threats at endpoints. Additionally, BitSight has shared IoCs for the current threat, which can be used to understand the attack pattern and infrastructures used.