November 5, 2023 at 10:40AM
A proxy botnet known as ‘Socks5Systemz’ is infecting computers worldwide through malware loaders. It has infected 10,000 devices so far. The malware turns infected computers into traffic-forwarding proxies for malicious or anonymous traffic, which it sells to subscribers for a fee ranging from $1 to $140 per day in cryptocurrency. The botnet has been active since at least 2016 but recently gained more attention. The infected devices can be used as proxy servers and are distributed globally, with high infection rates in countries like India, the United States, Brazil, and Nigeria. The proxying services are sold in ‘Standard’ and ‘VIP’ subscription tiers, offering different features and pricing. Proxy botnets pose a threat to internet security and can be used for various purposes, including bypassing geo-restrictions.
Key Takeaways from Meeting Notes:
1. A proxy botnet named ‘Socks5Systemz’ has infected 10,000 devices globally using the ‘PrivateLoader’ and ‘Amadey’ malware loaders.
2. The infected devices are turned into traffic-forwarding proxies for malicious or illegal activities and are sold as a service to subscribers who pay in crypto.
3. Socks5Systemz has been active since at least 2016 but has recently gained more attention.
4. The malware is distributed via phishing, exploit kits, malvertizing, trojanized executables, etc.
5. The proxy bot payload is a 300 KB DLL that connects with a command and control (C2) server using a domain generation algorithm.
6. The C2 server can send commands for the bot to execute, including idle, connect, disconnect, updips, and upduris.
7. The connect command allows the bot to establish a backconnect server connection over port 1074/TCP.
8. The infected devices can be used as proxy servers and are sold to other threat actors.
9. The control infrastructure of Socks5Systemz includes 53 servers located mostly in France and across Europe.
10. There have been 10,000 communication attempts with the backconnect servers, indicating an equal number of victims globally.
11. The most infected countries are India, United States, Brazil, Colombia, South Africa, Argentina, and Nigeria.
12. Access to Socks5Systemz proxying services is sold in two subscription tiers: Standard and VIP, with varying thread numbers and proxy types.
13. The payment is made through the anonymous payment gateway ‘Cryptomus.’
14. Residential proxy botnets are a lucrative business with a significant impact on internet security and bandwidth hijacking.
15. In a previous case, over 400,000 nodes were part of a proxy network involving unwitting Windows and macOS users.
These are the key points from the meeting notes. Is there anything specific you would like me to focus on or clarify further?