A proxy botnet identified as 'Socks5Systemz' has been infecting computers across the globe with the 'PrivateLoader' and 'Amadey' malware loaders, with 10,000 infected devices currently.
The malware infects computers and transforms them into traffic-forwarding proxies for malicious, illegal, or concealed traffic. It supplies this service to customers who pay between $1 and $140 per day in cryptocurrency to access it.
Socks5Systemz is detailed in a BitSight report, which clarifies that the proxy botnet has been active since at least 2016, but has remained largely unnoticed until recently.
The Socks5Systemz bot is propagated by the PrivateLoader and Amadey malware, which are frequently distributed through phishing, exploit kits, malvertizing, trojanized executables downloaded from P2P networks, and other techniques.
The BitSight samples are called 'previewer.exe,' and their task is to inject the proxy bot into the host's memory and establish persistence for it through a Windows service called 'ContentDWSvc.'
The payload for the proxy bot is a 300 KB 32-bit DLL. It connects to its command and control (C2) server via a domain generation algorithm (DGA) system and sends profiling information about the infected machine.
In response, the C2 can issue one of the following commands:
- Idle: Take no action.
- connect: Establish a connection to a backconnect server.
- disconnect: This command disconnects you from the backconnect server.
- updips: Update the list of IP addresses authorized to send traffic.
- upduris: Not yet implemented.
The connect command, which instructs the bot to establish a backconnect server connection over port 1074/TCP, is critical.
The infected device can now be used as a proxy server and sold to other threat actors once connected to the threat actors' infrastructure.
It uses fields to figure out the IP address, proxy password, list of blocked ports, and so on when connecting to the backconnect server.
These field parameters ensure that only bots on the allowlist with the required login credentials can connect with the control servers, preventing unauthorised attempts.
Impact of illegal business
A large control infrastructure comprising 53 proxy bot, backconnect, DNS, and address acquisition servers spread largely across France and Europe (Netherlands, Sweden, Bulgaria) was mapped by BitSight.
There are two subscription tiers for Socks5Systemz proxying services: "Standard" and "VIP." Customers can pay for their subscriptions using the anonymous (no KYC) payment gateway "Cryptomus."
In order to be added to the bot's allowlist, subscribers must specify the IP address through which the proxied traffic will originate.
VIP users are able to use 100–5000 threads and describe the proxy type as HTTP, SOCKS4, or SOCKS5, while standard subscribers are restricted to a single thread and proxy type.
Unauthorised bandwidth hijacking and internet security are significantly affected by the profitable business of residential proxy botnets.
These services are very popular because they are often used for circumventing geo-restrictions and shopping bots.
A vast proxy network with over 400,000 nodes was exposed by AT&T analysts in August. Unaware Windows and macOS users were acting as exit nodes in this network, channelling other people's internet traffic.