Socks5Systemz Botnet Infected Thousands of Devices

Researchers from BitSight have unveiled a proxy botnet known as Socks5Systemz, which was delivered via the PrivateLoader and Amadey loaders. The name Socks5Systemz is derived from the consistent login panel found on all the C2 servers. This proxy botnet has been active since at least 2016 but has largely gone unnoticed.

Malicious actors are providing traffic-forwarding proxies for illicit purposes to customers, charging prices ranging from $1 to $140 per day in cryptocurrency.

Examination of network telemetry data indicates that this botnet has infected approximately 10,000 systems, with no infected systems found in Russia.

All the samples scrutinized by experts are distributed by PrivateLoader and Amadey and execute a file named "previewer.exe," which establishes persistence and injects the proxy bot into memory. The loader maintains persistence by creating a Windows service with the name and display name set to "ContentDWSvc."

To evade detection and bolster the botnet's resistance to takedown, the proxy bot utilizes a domain generation algorithm (DGA).

Socks5Systemz Comes Bundled With Communication Commands

The most critical command is the "connect" command, which instructs the bot to establish a session with a backconnect server on port 1074/TCP. This registration with the backconnect infrastructure allows the bot to become part of the available pool of proxies used to transmit traffic on behalf of clients.

After parsing the "connect" command fields, the malware initiates a session with the backconnect server via port 1074/TCP, using a custom binary protocol. Once the session is established, the bot can function as a proxy.

Upon establishing a session with a backconnect server on port 1074/TCP, the bot is assigned a unique TCP port (referred to as the server port) on the server side, opened to receive traffic from clients. Clients must know the backconnect server's IP address, the TCP port assigned to the infected system, and either have their public IP whitelisted or possess the correct login credentials to use the proxy. Without this information, the server will not accept the traffic.

The researchers have identified at least 53 servers used by this botnet, all situated in Europe and spread across France, Bulgaria, Netherlands, and Sweden.

The top 10 most affected countries include India, Brazil, Colombia, South Africa, Bangladesh, Argentina, Angola, the United States, Suriname, and Nigeria.

The threat actors responsible for the Socks5Systemz botnet offer two subscription plans: 'Standard' and 'VIP.' Customers can use the Cryptomus Crypto Payment Gateway at cryptomus.com.