Pierluigi Paganini
November 06, 2023
Bitsight researchers uncovered a proxy botnet delivered, tracked as Socks5Systemz, which was delivered by PrivateLoader and Amadey loaders. The name Socks5Systemz comes from the name of the unique login panel consistently present in all the C2 servers. The proxy botnet has been active since at least 2016 but has remained under the radar.
Threat actors offer traffic-forwarding proxies for malicious activities to subscribers for a price between $1 and $140 per day in cryptocurrency.
The analysis of network telemetry data revealed that this botnet has approximately 10,000 infected systems; however, no infected systems were discovered in Russia.
All the samples analyzed by the experts are delivered by PrivateLoader and Amadey and executed a file named previewer.exe, which sets up the persistence and injects the proxy bot into memory
The loader maintains persistence by creating a Windows service to run the loader with both the name and display name set to ContentDWSvc.
The proxy bot relies on a domain generation algorithm (DGA) to evade detection and enhance the botnet’s resilience to takedown.
The malware currently supports the following commands:
| Bot Command | Description |
|---|---|
| idle | Do nothing |
| connect | Connect to a backconnect server |
| disconnect | Disconnect from the backconnect server |
| updips | Update IP addresses allowed to send traffic |
| upduris | This command seems to not be fully implemented |
“The most important command is the connect command that tells the bot to establish a session with a backconnect server over port 1074/TCP.” reads the analysis published by Bitsight. “This command registers the bot with the backconnect infrastructure and makes it part of the pool of available proxies that can be used to send traffic on behalf of clients.
Once all the connect command fields are parsed, the malware initiates a session with the backconnect server via port 1074/TCP, utilizing a custom binary protocol. Once the session has been established, the bot can serve as a proxy.
“When the bot establishes a session with a backconnect server through port 1074/TCP, it’s assigned a unique TCP port (referred to as the server port) on the server side. This designated port is opened to receive traffic from clients.” continues the report. “To use the proxy, clients need to know the backconnect server’s IP address, the TCP port assigned to the infected system, and either have their public IP whitelisted or possess the appropriate login credentials. Without this information, the server will not accept the traffic.”
The researchers identified at least 53 servers used by this botnet, all located in Europe and distributed across France, Bulgaria, Netherlands, and Sweden.
The top 10 most affected countries are India, Brasil, Colombia, South Africa, Bangladesh, Argentina, Angola, the United States, Suriname, and Nigeria.
Threat actors behind the Socks5Systemz botnet are offering two subscription plans, ‘Standard’ and ‘VIP.’ Customers can the Cryptomus Crypto Payment Gateway (cryptomus[.]com).
Below are the two subscription options:
| Threads/Period | 1 day | 7 days | 1 month | 3 months |
|---|---|---|---|---|
| Single thread | $1 USD | $5.1 USD | $10.3 USD | $28 USD |
| Threads/Period | 1 day | 5 day | 10 day | 1 month | 3 months |
|---|---|---|---|---|---|
| 100 threads | $22 USD | $60 USD | $100 USD | $175 USD | $450 USD |
| 300 threads | $28 USD | $68 USD | $112 USD | $200 USD | $500 USD |
| 500 threads | $35 USD | $90 USD | $150 USD | $300 USD | $740 USD |
| 1000 threads | $42 USD | $120 USD | $200 USD | $400 USD | $1000 USD |
| 5000 threads | $140 USD | $420 USD | $700 USD | $1500 USD | $4000 USD |
Standard plan allows customers to use a single thread and proxy type, while VIP users can use 100-5000 threads and set the proxy type to SOCKS4, SOCKS5, or HTTP.
The experts also shared indicators of compromise (IoCs) for this proxy botnet.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Socks5Systemz)
