Socks5Systemz Proxy Botnet infects thousands of devices globally

February 20, 2024

The previously unreported Socks5Systemz proxy botnet has infected about 10,000 computer systems worldwide. It is distributed by the PrivateLoader and Amadey malware loaders and has been in operation since 2016.

In 2023, the Socks5Systemz botnet infected systems in countries including India, Brazil, Colombia, South Africa, Bangladesh, Angola, the United States, and Nigeria.

The loaders themselves are delivered through phishing, exploit kits, malvertising, and trojanized executables. In the latest infection campaign, the infected hosts communicate with the operators' backconnect servers over port 1074/TCP.

After the loader installs the malware, it drops and executes a file named previewer.exe, which activates the bot on the host. The bot itself is a 300 KB 32-bit DLL that uses a Domain Generation Algorithm (DGA) to locate its Command and Control (C2) server, from which it receives its commands.

Once connected to the threat actors' infrastructure, the infected device acts as a proxy server, and access to it is sold to other malicious actors. According to reports, a user known as 'boost' has allegedly been selling access to the compromised hosts as a proxy service through two subscription tiers on a Telegram channel.

The Socks5Systemz Proxy Botnet has connections to various servers in Europe.

At least 53 servers are associated with the Socks5Systemz proxy botnet. All of them are located in Europe, spread across countries including France, Bulgaria, the Netherlands, and Sweden, and they fill several roles: proxy bots, backconnect servers, custom DNS servers, and online proxy checkers.

Proxy botnets are a lucrative business for malicious actors and can have a substantial impact on internet security and bandwidth usage. A couple of months earlier, AT&T analysts uncovered an extensive proxy network of over 10,000 IPs built from macOS systems infected with the Adload malware.

Organisations should therefore deploy detection and prevention controls such as intrusion detection and prevention systems, email security gateways, and firewalls to stop the loaders at the perimeter and on the endpoint. They should also review the published Indicators of Compromise (IoCs) for this threat and match them against their own logs, since that reveals the attack patterns and the infrastructure the attackers rely on. Two behaviours visible in this campaign are worth alerting on in particular: outbound connections to port 1074/TCP, and DNS queries for random-looking domain names of the kind a DGA produces.
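The following script is an added example, not code from the original report or from any of the researchers who analysed the botnet. It shows how the three detection ideas above (the 1074/TCP backconnect port, IoC matching, and DGA-style domain names) can be run over connection and DNS logs. The log lines and the IoC addresses are constructed for the example: the IoC list uses RFC 5737 documentation addresses as placeholders, and the DGA check is a generic entropy heuristic rather than the Socks5Systemz algorithm, which the article does not describe.

```python
import math
from collections import Counter

# Backconnect port the article reports for the Socks5Systemz campaign.
BACKCONNECT_PORT = 1074

# Constructed IoC list: RFC 5737 documentation addresses used as placeholders,
# NOT real Socks5Systemz infrastructure. Load the published IoCs here instead.
IOC_IPS = {"198.51.100.7", "203.0.113.45"}

# Constructed sample connection log, one flow per line: "ts src dst dport proto".
CONN_LOG = """\
2024-02-20T10:01:02Z 10.0.0.12 192.0.2.80 443 tcp
2024-02-20T10:01:05Z 10.0.0.12 198.51.100.7 1074 tcp
2024-02-20T10:02:11Z 10.0.0.34 192.0.2.9 1074 tcp
2024-02-20T10:02:40Z 10.0.0.34 203.0.113.45 80 tcp
2024-02-20T10:03:00Z 10.0.0.50 10.0.0.1 53 udp
"""

# Constructed sample DNS query log, one query per line: "ts src qname".
DNS_LOG = """\
2024-02-20T10:01:01Z 10.0.0.12 www.example.com
2024-02-20T10:01:04Z 10.0.0.12 kq3xv7tzpl2m9r.com
2024-02-20T10:02:10Z 10.0.0.34 z9f4h2w8qx1lmn.net
2024-02-20T10:02:39Z 10.0.0.34 mail.example.org
"""


def shannon_entropy(text):
    """Bits of entropy per character of `text` (0.0 for an empty or uniform string)."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_dga(qname, min_len=10, min_entropy=3.2, max_vowel_ratio=0.25):
    """Generic DGA heuristic on the second-level label: flag names that are
    long, high-entropy and vowel-poor. This is an assumption-based heuristic,
    not the Socks5Systemz DGA; tune the thresholds against your own DNS baseline."""
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return False
    label = labels[-2]
    if len(label) < min_len:
        return False
    vowels = sum(ch in "aeiou" for ch in label)
    return (shannon_entropy(label) >= min_entropy
            and vowels / len(label) <= max_vowel_ratio)


def analyse(conn_log, dns_log):
    """Return findings keyed by kind; each value is a list of
    (timestamp, src, indicator) tuples in log order."""
    findings = {"backconnect_port": [], "ioc_hit": [], "dga_like_query": []}
    for line in conn_log.splitlines():
        ts, src, dst, dport, proto = line.split()
        # The article reports the backconnect channel on 1074/TCP specifically.
        if proto == "tcp" and int(dport) == BACKCONNECT_PORT:
            findings["backconnect_port"].append((ts, src, dst))
        if dst in IOC_IPS:
            findings["ioc_hit"].append((ts, src, dst))
    for line in dns_log.splitlines():
        ts, src, qname = line.split()
        if looks_dga(qname):
            findings["dga_like_query"].append((ts, src, qname))
    return findings


if __name__ == "__main__":
    for kind, hits in analyse(CONN_LOG, DNS_LOG).items():
        for ts, src, indicator in hits:
            print(f"{kind:17} {ts} {src} -> {indicator}")
```

Each hit is reported with the internal source address so the affected host can be pulled for forensics. The entropy check will also flag legitimate names such as CDN or tracking hostnames, so in production it belongs behind an allowlist of known-good domains and a per-host query-rate threshold; a single odd name is weak evidence, while a burst of them from one host that is also talking to 1074/TCP is a strong signal.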
