A proxy botnet called Socks5Systemz spreads via malware downloaders to infect computers around the world

13 November 2023 2 minutes Author: Newsman

Global Contagion: Socks5Systemz is spreading worldwide

According to researchers, this botnet has existed since 2016, but was forgotten until recently. Since October, Socks5Systemz has infected about 10,000 systems worldwide, including India, Brazil, Colombia, South Africa, Bangladesh, Angola, the United States, and Nigeria.


The attack uses phishing, exploit kits, malicious ads, and Trojan executables to distribute malware downloaders.

During the latest infection, the attacker used a transit server to communicate via port 1074/TCP. Once installed, the malware downloader drops and runs a file called Previewer.exe, which eventually launches the botnet.

The botnet, a 300KB 32-bit DLL, uses a domain generation algorithm (DGA) to locate its C2 server and receive commands. Once connected to the attacker’s infrastructure, the infected device is used as a proxy server and sold to other threat actors.

A user named “boost” was seen on the Telegram channel selling access to compromised accounts and access to the proxies at two subscription levels.

Botnet network

BitSight has mapped at least 53 Socks5Systemz servers, all located in Europe and spread across France, Bulgaria, the Netherlands and Sweden. These servers served as an environment for several purposes such as proxy bot, reverse connection, custom DNS and online proxy verification.

Similar cases were observed in the past

Proxy botnets are a lucrative business for cybercriminals and have a serious impact on Internet security, including the theft of victims’ bandwidth.

In August, AT&T analysts discovered a sprawling proxy network of more than 10,000 IP addresses for the Adload malware. The analyzed malware sample was used to infect macOS systems.

In a separate case, the FBI warned of a growing trend of cybercriminals using home proxy servers to carry out large-scale spoofing attacks. In these attacks, cybercriminals used commonly used passwords to take over victims’ accounts and then used those accounts for malicious activity.

Conclusion of the cyber dictator

To stay protected against today’s threats, organizations are encouraged to deploy detection tools such as IDS/IPS, email security gateways, and firewalls to stop threats before they reach endpoints. In addition, BitSight has shared the IoCs for this threat, which can be used to understand the attack pattern and the infrastructure used.
