Socks5Systemz Botnet

A proxy botnet known as 'Socks5Systemz' has been quietly infiltrating computers worldwide through the 'PrivateLoader' and 'Amadey' malware loaders. Presently, it has successfully compromised 10,000 devices. This threatening software seizes control of infected computers, transforming them into unwitting conduits for various types of unscrupulous, illicit, or anonymous Internet traffic. The botnet offers this service to subscribers, who can access it for a fee ranging from $1 to $140 per day, paid in cryptocurrency.

Cybersecurity experts have discovered that the Socks5Systemz proxy botnet has been in operation since at least 2016, yet it has managed to evade significant attention, operating in the shadows.

The Socks5Systemz Botnet Establishes Persistence on Infected Systems

The Socks5Systemz botnet is disseminated through the PrivateLoader and the Amadey malware, commonly propagated via various means such as phishing, exploit kits, malvertising, and trojanized executables downloaded from peer-to-peer networks.

The researchers identified botnet samples labeled as 'previewer.exe,' designed to load the payload into the host's memory and establish persistence through a Windows service named 'ContentDWSvc.' The proxy bot payload takes the form of a 300 KB 32-bit DLL. It employs a domain generation algorithm (DGA) to locate its Command-and-Control (C2) server and transmits profiling information about the infected machine.

In response, the C2 server can issue one of the following commands for execution:

  • 'idle': No action is taken.
  • 'connect': Establish a connection to a backconnect server.
  • 'disconnect': Sever the connection to the backconnect server.
  • 'updips': Update the list of authorized IP addresses for sending traffic.
  • 'upduris': This command is not yet implemented.

The 'connect' command is particularly significant, as it directs the bot to create a connection to a backconnect server over port 1074/TCP.

Once connected to the infrastructure controlled by the threat actors, the compromised device is transformed into a proxy server that can be marketed to other threat actors. When linking to the backconnect server, the bot uses specific field parameters to determine the IP address, proxy password, and a list of restricted ports. These parameters ensure that only allowlisted bots presenting the correct login credentials can interact with the control servers, blocking unauthorized attempts to use the proxies.

The Socks5Systemz Botnet is Sold at Several Price Tiers

In October 2023 alone, analysts documented a total of 10,000 unique communication attempts via port 1074/TCP with the identified backconnect servers. These attempts correspond to an equal number of victims. The distribution of these victims is widespread, spanning the entire globe, but India, the United States, Brazil, Colombia, South Africa, Argentina and Nigeria have the highest recorded infection rates.

Access to the Socks5Systemz proxy services is available through two subscription tiers, known as 'Standard' and 'VIP.' Customers make payments through the anonymous payment gateway 'Cryptomus.'

Subscribers are required to specify the IP address from which the proxied traffic originates in order to be included in the bot's allowlist. Standard subscribers are limited to a single thread and one proxy type, while VIP users enjoy the flexibility of using 100 to 5000 threads and can select from SOCKS4, SOCKS5, or HTTP proxy types.

Residential proxy botnets represent a lucrative business with a substantial impact on Internet security and the unauthorized consumption of bandwidth. These services are commonly utilized for purposes such as running shopping bots and circumventing geo-restrictions, making them exceptionally popular.