Botnet

A proxy botnet called ‘Socks5Systemz’ has been infecting computers worldwide via the ‘PrivateLoader’ and ‘Amadey’ malware loaders and currently counts around 10,000 infected devices.

The malware turns infected computers into traffic-forwarding proxies for malicious, illegal, or anonymous traffic. The operators sell access to this proxy pool to subscribers who pay between $1 and $140 per day in cryptocurrency.

Socks5Systemz is detailed in a report by BitSight that clarifies that the proxy botnet has been around since at least 2016 but has remained relatively under the radar until recently.

Socks5Systemz

The Socks5Systemz bot is distributed by the PrivateLoader and Amadey malware, which are in turn spread via phishing, exploit kits, malvertising, trojanized executables downloaded from P2P networks, and similar channels.

The samples seen by BitSight are named ‘previewer.exe,’ and their task is to inject the proxy bot into the host’s memory and establish persistence for it via a Windows service called ‘ContentDWSvc.’

The proxy bot payload is a 300 KB 32-bit DLL. It uses a domain generation algorithm (DGA) to locate its command and control (C2) server, to which it sends profiling information about the infected machine.

In response, the C2 can send one of the following commands for execution:

  • idle: Perform no action.
  • connect: Connect to a backconnect server.
  • disconnect: Disconnect from the backconnect server.
  • updips: Update the list of IP addresses authorized to send traffic.
  • upduris: Not implemented yet.

The connect command is the crucial one: it instructs the bot to establish a connection to a backconnect server over port 1074/TCP.

Once connected to the threat actors’ infrastructure, the infected device can be used as a proxy server, and access to it sold to other threat actors.

Connectivity diagram (BitSight)

The connect command carries parameters that specify the backconnect server’s IP address, the proxy password, a list of blocked ports, and so on. These parameters ensure that only bots on the allowlist and holding the necessary login credentials can interact with the control servers, blocking unauthorized attempts.

Connect command parameters (BitSight)

Illegal business impact

BitSight mapped an extensive control infrastructure of 53 servers (proxy bot, backconnect, DNS, and address acquisition servers), located mainly in France and elsewhere in Europe (Netherlands, Sweden, Bulgaria).

Since the start of October, the analysts recorded 10,000 distinct communication attempts over port 1074/TCP with the identified backconnect servers, indicating an equal number of victims.
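The two network facts the report gives, a fixed backconnect port (1074/TCP) and a finite set of backconnect servers, are enough to write a simple hunt over flow logs that reproduces BitSight’s counting method: one victim per distinct source host, however many times it retried. The following is an added example, not BitSight’s or BleepingComputer’s code. It assumes a tab-separated flow log in a Zeek conn.log-like layout (ts, id.orig_h, id.resp_h, id.resp_p, proto); the server IPs and log lines are constructed from RFC 5737 documentation ranges and are not real indicators.

```python
"""Hunt for Socks5Systemz-style backconnect traffic in Zeek-like conn logs.

Added example (not BitSight's or BleepingComputer's code). Assumes a
tab-separated log with columns: ts, id.orig_h, id.resp_h, id.resp_p, proto.
All IPs and log lines below are constructed for the example; real indicators
would be taken from the BitSight report.
"""
from collections import defaultdict

# Port the bot uses to reach backconnect servers, per the report.
BACKCONNECT_PORT = 1074

# Hypothetical backconnect server list (RFC 5737 documentation addresses).
BACKCONNECT_SERVERS = frozenset({"203.0.113.10", "203.0.113.11", "198.51.100.7"})

# Constructed sample log: ts, orig_h, resp_h, resp_p, proto
SAMPLE_CONN_LOG = """\
#fields\tts\tid.orig_h\tid.resp_h\tid.resp_p\tproto
1696118400.1\t10.0.0.5\t203.0.113.10\t1074\ttcp
1696118401.2\t10.0.0.5\t203.0.113.10\t1074\ttcp
1696118402.3\t10.0.0.9\t198.51.100.7\t1074\ttcp
1696118403.4\t10.0.0.9\t93.184.216.34\t443\ttcp
1696118404.5\t10.0.0.12\t203.0.113.99\t1074\ttcp
1696118405.6\t10.0.0.14\t203.0.113.11\t1074\tudp
"""


def parse_conn_log(text):
    """Parse tab-separated flow records; skip Zeek '#' header/comment lines."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != 5:
            continue  # malformed line: ignore rather than abort the hunt
        ts, orig_h, resp_h, resp_p, proto = fields
        records.append({
            "ts": float(ts),
            "orig_h": orig_h,
            "resp_h": resp_h,
            "resp_p": int(resp_p),
            "proto": proto.lower(),
        })
    return records


def backconnect_hits(records, servers=BACKCONNECT_SERVERS, port=BACKCONNECT_PORT):
    """High-confidence matches: TCP flows to a known backconnect server on the bot port.

    Returns {source_host: {backconnect_server, ...}}; retries collapse into one entry.
    """
    hits = defaultdict(set)
    for r in records:
        if r["proto"] == "tcp" and r["resp_p"] == port and r["resp_h"] in servers:
            hits[r["orig_h"]].add(r["resp_h"])
    return dict(hits)


def port_only_suspects(records, servers=BACKCONNECT_SERVERS, port=BACKCONNECT_PORT):
    """Lower-confidence matches: TCP to the bot port but to an unlisted destination.

    These may be new backconnect infrastructure or benign traffic; they need triage.
    """
    suspects = set()
    for r in records:
        if r["proto"] == "tcp" and r["resp_p"] == port and r["resp_h"] not in servers:
            suspects.add(r["orig_h"])
    return sorted(suspects)


def victim_count(hits):
    """One victim per distinct source host, regardless of how many attempts it made."""
    return len(hits)


if __name__ == "__main__":
    recs = parse_conn_log(SAMPLE_CONN_LOG)
    hits = backconnect_hits(recs)
    for host, servers in sorted(hits.items()):
        print(f"{host}: backconnect to {', '.join(sorted(servers))}")
    print(f"distinct victims: {victim_count(hits)}")
    print(f"tcp/{BACKCONNECT_PORT} to unlisted hosts (triage): {port_only_suspects(recs)}")
```

On the constructed log this reports two victims (10.0.0.5, which retried, still counts once) and flags 10.0.0.12 for triage because it spoke to an unlisted host on the bot port; the UDP flow from 10.0.0.14 is ignored because the bot’s backconnect channel is TCP.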

The infections are scattered across the entire globe with no obvious targeting, but India, the United States, Brazil, Colombia, South Africa, Argentina, and Nigeria count the most.

Victims heatmap (BitSight)

Access to the Socks5Systemz proxying service is sold in two subscription tiers, ‘Standard’ and ‘VIP,’ which customers pay for via the anonymous (no-KYC) cryptocurrency payment gateway ‘Cryptomus.’

Subscribers must declare the IP address from which their proxied traffic will originate so that it can be added to the bots’ allowlist.

Standard subscribers are limited to a single thread and a single proxy type, while VIP users can run 100 to 5,000 threads and choose between SOCKS4, SOCKS5, and HTTP proxies.

Prices for each service offering are given below.

Subscription cost per plan (BitSight)

Residential proxy botnets are a lucrative business with a significant impact on internet security: they hijack victims’ bandwidth without authorization and lend the victims’ IP addresses to whatever traffic the subscribers send through them.

These services are popular because they are commonly used for shopping bots and for bypassing geo-restrictions.

In August, AT&T analysts revealed an extensive proxy network comprising over 400,000 nodes, in which unaware Windows and macOS users were serving as exit nodes channeling the internet traffic of others.

Source: www.bleepingcomputer.com