A proxy botnet called 'Socks5Systemz' has been infecting computers worldwide via the 'PrivateLoader' and 'Amadey' malware loaders, and currently counts 10,000 infected devices. The malware infects computers and turns them into traffic-forwarding proxies for malicious, illegal, or anonymous traffic.

Socks5Systemz is detailed in a report by BitSight, which notes that the proxy botnet has been around since at least 2016 but remained relatively under the radar until recently.

The Socks5Systemz bot is distributed by the PrivateLoader and Amadey malware, which are often spread via phishing, exploit kits, malvertising, trojanized executables downloaded from P2P networks, etc. Exe,' and their task is to inject the proxy bot into the host's memory and establish persistence for it via a Windows service called 'ContentDWSvc.'

The proxy bot payload is a 300 KB 32-bit DLL. It uses a domain generation algorithm (DGA) to locate its command and control server, to which it sends profiling information about the infected machine. The connect command is crucial: it instructs the bot to establish a connection to a backconnect server over port 1074/TCP. Once connected to the threat actors' infrastructure, the infected device can be used as a proxy server and sold to other threat actors.

When connecting to the backconnect server, the bot uses fields that specify the IP address, proxy password, list of blocked ports, etc. These field parameters ensure that only bots on the allowlist and holding the necessary login credentials can interact with the control servers, blocking unauthorized attempts.

BitSight mapped an extensive control infrastructure of 53 proxy bot, backconnect, DNS, and address acquisition servers, located mainly in France and across Europe. Since the start of October, the analysts recorded 10,000 distinct communication attempts over port 1074/TCP with the identified backconnect servers, indicating an equal number of victims.
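The network indicator the article gives is a fixed one: the bot's connect command sends it to a backconnect server over 1074/TCP, and BitSight counted victims by counting distinct sources of that traffic. The following is an added detection example, not code from the article or from BitSight's report: it parses constructed firewall log lines (the key=value format and every IP address are assumptions), groups outbound TCP connections to port 1074 by internal source host, and raises confidence when the destination matches a list of known backconnect servers. That list is a placeholder standing in for the servers BitSight identified, which the article does not publish.

```python
"""Flag internal hosts whose outbound traffic matches the Socks5Systemz
backconnect pattern described in the article (TCP destination port 1074).

Added example. The log format, IP addresses and server list below are
constructed for illustration and are not taken from BitSight's report.
"""
import re
from collections import defaultdict

# Constructed firewall log lines (assumed space-separated key=value format).
SAMPLE_LOGS = """\
2023-11-30T10:00:01Z action=allow proto=tcp src=10.0.5.21 dst=198.51.100.14 dport=1074
2023-11-30T10:00:09Z action=allow proto=tcp src=10.0.5.21 dst=198.51.100.14 dport=1074
2023-11-30T10:01:12Z action=allow proto=tcp src=10.0.7.3 dst=203.0.113.77 dport=443
2023-11-30T10:02:44Z action=allow proto=udp src=10.0.5.21 dst=192.0.2.53 dport=53
2023-11-30T10:03:05Z action=allow proto=tcp src=10.0.9.40 dst=198.51.100.22 dport=1074
2023-11-30T10:04:17Z action=deny proto=tcp src=10.0.9.40 dst=198.51.100.22 dport=1074
"""

BACKCONNECT_PORT = 1074  # port named in the article

# Placeholder for the backconnect server addresses BitSight identified; the
# article does not list them, so these are constructed TEST-NET values.
KNOWN_BACKCONNECT = {"198.51.100.14", "198.51.100.22"}

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_line(line):
    """Parse one log line into a dict, or return None if it is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split() if "=" in kv)
    fields["ts"] = m.group("ts")
    try:
        fields["dport"] = int(fields["dport"])
    except (KeyError, ValueError):
        return None
    if "src" not in fields or "dst" not in fields:
        return None
    return fields


def find_backconnect_candidates(log_text, known_servers=KNOWN_BACKCONNECT):
    """Group TCP/1074 connection attempts by internal source host.

    Both allowed and denied connections count as attempts, mirroring the
    article's "communication attempts" metric. Returns
    {src: {"attempts": int, "servers": set, "known_server": bool}}.
    """
    results = defaultdict(lambda: {"attempts": 0, "servers": set(), "known_server": False})
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if not ev or ev.get("proto") != "tcp" or ev["dport"] != BACKCONNECT_PORT:
            continue
        entry = results[ev["src"]]
        entry["attempts"] += 1
        entry["servers"].add(ev["dst"])
        if ev["dst"] in known_servers:
            entry["known_server"] = True
    return dict(results)


def severity(entry):
    """Port 1074 alone is a weak signal; a known server or repeated attempts raise confidence."""
    if entry["known_server"]:
        return "high"
    if entry["attempts"] > 1:
        return "medium"
    return "low"


if __name__ == "__main__":
    for host, entry in sorted(find_backconnect_candidates(SAMPLE_LOGS).items()):
        print(f"{host}: {entry['attempts']} attempt(s) to {sorted(entry['servers'])} "
              f"-> {severity(entry)}")
```

A host flagged here should be corroborated on the endpoint: the article names the persistence mechanism as a Windows service called 'ContentDWSvc', and the payload as a 32-bit DLL injected into memory, so a service of that name on a flagged host is the matching host-side indicator. Port 1074 traffic without either corroboration deserves a look but not an automatic verdict, which is why the example grades it rather than alerting on the port alone.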
Access to Socks5Systemz proxying services is sold in two subscription tiers, 'Standard' and 'VIP,' for which customers pay via the anonymous payment gateway 'Cryptomus.' Subscribers must declare the IP address from which the proxied traffic will originate so that it can be added to the bot's allowlist. Standard subscribers are limited to a single thread and proxy type, while VIP users can use 100-5000 threads and set the proxy type to SOCKS4, SOCKS5, or HTTP. Prices for each service offering are given below.

Residential proxy botnets are a lucrative business with a significant impact on internet security, built on the unauthorized hijacking of victims' bandwidth. These services are commonly used for shopping bots and bypassing geo-restrictions, making them very popular. In August, AT&T analysts revealed an extensive proxy network comprising over 400,000 nodes, in which unaware Windows and macOS users were serving as exit nodes channeling the internet traffic of others.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Thu, 30 Nov 2023 23:19:27 +0000