According to researchers, this botnet has existed since 2016 but went largely unnoticed until recently. Since October, Socks5Systemz has infected about 10,000 systems worldwide, in countries including India, Brazil, Colombia, South Africa, Bangladesh, Angola, the United States, and Nigeria.
The attack uses phishing, exploit kits, malicious ads, and Trojan executables to distribute malware downloaders.
In the latest infection chain, the attacker used a transit (relay) server, communicating with it over port 1074/TCP. Once installed, the malware downloader drops (writes to disk) and runs a file called Previewer.exe, which eventually launches the botnet client.
The bot itself, a 300 KB 32-bit DLL, uses a domain generation algorithm (DGA) to locate its C2 server and receive commands to execute on the machine. Once connected to the attacker’s infrastructure, the infected device is used as a proxy server, and access to it is sold to other threat actors.
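As an added defender-side example (not from the article or from BitSight's report), the Python below triages two things the article mentions: outbound TCP connections to port 1074 and DNS queries for names that look algorithmically generated. The log formats, the sample log lines and the entropy-based DGA heuristic are assumptions, since the article does not describe the real DGA.

```python
import math
from collections import Counter

# Constructed sample connection-log lines (not from the BitSight report):
# timestamp src_ip dst_ip proto dst_port
SAMPLE_CONN_LOG = """\
2023-11-01T10:00:01 10.0.0.5 192.0.2.10 tcp 443
2023-11-01T10:00:07 10.0.0.5 198.51.100.23 tcp 1074
2023-11-01T10:00:09 10.0.0.8 198.51.100.24 tcp 1074
2023-11-01T10:00:12 10.0.0.9 192.0.2.11 udp 53
"""

# Constructed sample DNS-query-log lines: timestamp src_ip queried_name
SAMPLE_DNS_LOG = """\
2023-11-01T10:00:02 10.0.0.5 www.example.com
2023-11-01T10:00:08 10.0.0.5 qhxjzlpmvrwktbsd.com
2023-11-01T10:00:10 10.0.0.8 mail.example.org
"""

RELAY_PORT = 1074  # port the article names for relay-server traffic

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def flag_relay_connections(log: str, port: int = RELAY_PORT) -> list:
    """(src, dst) pairs for TCP connections to the relay port."""
    rows = (line.split() for line in log.splitlines())
    return [(src, dst) for _ts, src, dst, proto, dport in rows
            if proto == "tcp" and int(dport) == port]

def looks_like_dga(name: str, min_len: int = 12, min_entropy: float = 3.5) -> bool:
    """Assumed heuristic (not the botnet's real DGA): a long, high-entropy
    second-level label is flagged for analyst review."""
    labels = name.lower().split(".")
    sld = labels[-2] if len(labels) >= 2 else labels[0]
    return len(sld) >= min_len and shannon_entropy(sld) >= min_entropy

def flag_dga_queries(log: str) -> list:
    """(src, queried_name) pairs whose name passes the DGA heuristic."""
    rows = (line.split() for line in log.splitlines())
    return [(src, name) for _ts, src, name in rows if looks_like_dga(name)]
```

Hits from either function are triage leads, not verdicts; correlate a flagged host's port-1074 connection with its DNS activity before escalating.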
A user named “boost” was seen selling access to compromised accounts and to the proxies, at two subscription levels, on a Telegram channel.
BitSight has mapped at least 53 Socks5Systemz servers, all located in Europe and spread across France, Bulgaria, the Netherlands and Sweden. These servers fill several roles in the infrastructure, such as proxy bot, reverse connection, custom DNS and online proxy verification.
Proxy botnets are a lucrative business for cybercriminals and a serious problem for Internet security, including the theft of bandwidth from infected hosts.
In August, AT&T analysts discovered a sprawling proxy network of more than 10,000 IP addresses built by the Adload malware; the analyzed sample was used to infect macOS systems.
In a separate case, the FBI warned of a growing trend of cybercriminals using residential (home) proxy servers to carry out large-scale spoofing attacks. In these attacks, cybercriminals used commonly used passwords to take over victims’ accounts and then abused those accounts for malicious activity.
To stay protected against today’s threats, organizations are encouraged to deploy detection tools such as IDS/IPS, email security gateways, and firewalls to stop threats at the endpoint. In addition, BitSight shared IoCs for this threat, which can be used to understand the attack pattern and the infrastructure involved.