Thursday, November 30, 2023

Socks5Systemz Proxy Hacked 10,000+ Systems Worldwide

Proxy services let users rent IP addresses and provide online anonymity by disguising their traffic as regular IP addresses while hiding the true source or origin.

Bitsight researchers recently found a new malware sample distributed by the following two loaders:-

  • PrivateLoader
  • Amadey Loader 

It installs a proxy bot called “Socks5Systemz” on infected systems, turning them into proxies for others.


Both loaders are commonly used by threat actors to build botnets, and Bitsight reports that the Socks5Systemz campaign has compromised more than 10,000 systems worldwide.

Socks5Systemz Login page (Source - Bitsight)

10,000+ Systems Hacked

According to the report, samples from PrivateLoader and Amadey drop and run “previewer.exe”, a loader that handles persistence and injects the proxy bot into memory. The loader accepts three command-line options.

Here below, we have mentioned those three command-line options:-

  • /chk: Creates an empty file named “test” in the current directory and exits
  • -i: Install loader
  • -s: Start loader

The “install” option sets up persistence by copying the loader to C:\ProgramData\ContentDWSvc\ContentDWSvc.exe and creating a Windows service named ContentDWSvc. 

If that fails, it replaces GoogleUpdate.exe instead. The loader then launches the proxy bot by decrypting a DLL and loading it directly in memory.

The proxy bot payload is a 300 KB 32-bit DLL, which starts by saving the filename, setting the system architecture, and launching the main function in a new thread. 

It generates a client ID from the Windows directory creation date and stores the infection time in C:\ProgramData\ts.dat. 

Besides this, from the following address, it downloads a PDF and saves it in the “C:\ProgramData” folder:-

  • hxxp://datasheet[.]fun/manual/avon_4_2022.pdf?<client_id>
Downloading PDF (Source - Bitsight)

The downloaded PDF seems unremarkable and likely serves as a telemetry beacon. The bot then attempts to locate an online C2 server by computing a domain with a domain generation algorithm (DGA) and resolving it through the custom DNS servers hardcoded in the sample.

At the moment, the following commands are supported by the bot:-

  • idle: Do nothing
  • connect: Connect to a backconnect server
  • disconnect: Disconnect from the backconnect server
  • updips: Update IP addresses allowed to send traffic
  • upduris: This command seems not to be fully implemented

The crucial “connect” command instructs the bot to create a session with a backconnect server on port 1074/TCP. It registers the bot, making it available to forward traffic for clients.

Bot receiving a connect command (Source - Bitsight)

Over that 1074/TCP session, the bot is assigned a unique server port on which it receives client traffic. To use the proxy, clients must know the backconnect server’s IP address and the bot’s assigned TCP port, and must either come from a whitelisted IP or present login credentials.

Overview of how the clients can use the proxies (Source - Bitsight)
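The persistence, telemetry and backconnect behaviour described above can be turned into simple host and network detection rules. The following is an added example written for this article, not code from Bitsight or from the malware report: it matches the indicators quoted in the text (the ContentDWSvc service and path, C:\ProgramData\ts.dat, the datasheet[.]fun PDF host, the 1074/TCP backconnect port, the previewer.exe switches and the two payload hashes) against simplified Sysmon-style event records. The event field names and the sample events are constructed for the example; the DGA is not modelled because the article does not give the algorithm, and a connection to port 1074/TCP on its own is a weak signal that should be corroborated by the host-side findings.

```python
"""Indicator matching for the Socks5Systemz behaviour described above.

Event records are simplified Sysmon-style dicts; the field names and the
sample events are constructed for this example and are not from the report.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Indicators quoted from the report (paths, service name, port, PDF host, hashes).
SERVICE_NAME = "contentdwsvc"
LOADER_PATH = r"c:\programdata\contentdwsvc\contentdwsvc.exe"
TIMESTAMP_FILE = r"c:\programdata\ts.dat"
PDF_HOST = "datasheet.fun"          # written datasheet[.]fun in the report
BACKCONNECT_PORT = 1074             # backconnect session port, TCP
KNOWN_SHA256 = {
    "fee88318e738b160cae22f6c0f16c634fd16dbf11b9fb93df5d380b6427ac18f",  # proxy bot DLL
    "dc262539467bf34e5059686955d6567efadd8e21c76be51eba94737d8c326720",  # loader
}
# previewer.exe switches named in the report: /chk, -i (install), -s (start)
LOADER_SWITCH = re.compile(r"(?:^|\s)(?:/chk|-i|-s)(?:\s|$)", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    detail: str


def _path(value):
    """Normalise a Windows path for comparison: backslashes, lower case."""
    return value.replace("/", "\\").lower()


def match_event(ev):
    """Return the Findings raised by a single event (empty list if none)."""
    out = []
    host = ev.get("host", "?")
    kind = ev.get("type")
    sha = ev.get("sha256", "").lower()
    if sha and sha in KNOWN_SHA256:          # any event carrying a known hash
        out.append(Finding("known_sample_hash", host, sha))
    if kind == "process_create":
        image, cmd = _path(ev.get("image", "")), ev.get("cmdline", "")
        if image.endswith("\\previewer.exe") and LOADER_SWITCH.search(cmd):
            out.append(Finding("loader_cmdline", host, cmd))
    elif kind == "service_install":
        name = ev.get("service_name", "").lower()
        if name == SERVICE_NAME or _path(ev.get("image_path", "")) == LOADER_PATH:
            out.append(Finding("persistence_service", host, name))
    elif kind == "file_create":
        if _path(ev.get("path", "")) == TIMESTAMP_FILE:
            out.append(Finding("infection_timestamp_file", host, TIMESTAMP_FILE))
    elif kind == "dns_query":
        q = ev.get("query", "").lower().rstrip(".")
        if q == PDF_HOST or q.endswith("." + PDF_HOST):
            out.append(Finding("pdf_telemetry_domain", host, q))
    elif kind == "network_connect":
        if ev.get("protocol", "tcp").lower() == "tcp" and ev.get("dst_port") == BACKCONNECT_PORT:
            out.append(Finding("backconnect_port", host, f"{ev.get('dst_ip')}:{BACKCONNECT_PORT}"))
    return out


def scan(events):
    """Run every event through the rules and return all findings in order."""
    return [f for ev in events for f in match_event(ev)]


def findings_by_host(events):
    """Group rule names per host so an analyst sees the whole infection chain."""
    grouped = defaultdict(set)
    for f in scan(events):
        grouped[f.host].add(f.rule)
    return {h: sorted(r) for h, r in grouped.items()}


# Constructed sample telemetry: WS01 shows the full chain, WS02 is benign,
# WS03 shows only the GoogleUpdate.exe fallback (file carrying the known loader hash).
SAMPLE_EVENTS = [
    {"type": "process_create", "host": "WS01", "image": r"C:\Users\a\AppData\Local\Temp\previewer.exe",
     "cmdline": "previewer.exe -i", "sha256": "00" * 32},
    {"type": "service_install", "host": "WS01", "service_name": "ContentDWSvc",
     "image_path": r"C:\ProgramData\ContentDWSvc\ContentDWSvc.exe"},
    {"type": "file_create", "host": "WS01", "path": r"C:\ProgramData\ts.dat"},
    {"type": "dns_query", "host": "WS01", "query": "datasheet.fun"},
    {"type": "network_connect", "host": "WS01", "dst_ip": "203.0.113.10", "dst_port": 1074, "protocol": "tcp"},
    {"type": "process_create", "host": "WS02", "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs", "sha256": "11" * 32},
    {"type": "network_connect", "host": "WS02", "dst_ip": "198.51.100.7", "dst_port": 443, "protocol": "tcp"},
    {"type": "file_create", "host": "WS03", "path": r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe",
     "sha256": "dc262539467bf34e5059686955d6567efadd8e21c76be51eba94737d8c326720"},
]

if __name__ == "__main__":
    for host, rules in findings_by_host(SAMPLE_EVENTS).items():
        print(host, rules)
```

Grouping by host matters more than any single rule: the service name, the ts.dat marker and the PDF domain together are a strong indication of this specific bot, whereas the port rule alone will also fire on unrelated software that happens to use 1074/TCP. Because the loader falls back to overwriting GoogleUpdate.exe, the hash check is applied to every event type rather than only to process creation, so a file-write of a known sample under the Google Update path is still caught.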

Infrastructure

Here below, we have mentioned all the servers that made up the infrastructure of this botnet network:-

  • Proxy bot C2 servers
  • Backconnect servers
  • Custom DNS servers (hardcoded in the proxy bot samples)
  • The server used by the bots to get the online C2 server address
  • A proxy checker application

Top Affected Countries

Here below, we have mentioned the top affected countries:-

  • India
  • Brazil
  • Colombia
  • South Africa
  • Bangladesh
  • Argentina
  • Angola
  • United States
  • Suriname
  • Nigeria

IOCs

Socks5Systemz proxy bot payload

  • fee88318e738b160cae22f6c0f16c634fd16dbf11b9fb93df5d380b6427ac18f

Proxy bot loader payload

  • dc262539467bf34e5059686955d6567efadd8e21c76be51eba94737d8c326720

Packed files distributed by Amadey and PrivateLoader

  • 78efcbb0c6eb6a4c76c036adc65154b8ff028849f79d508e45babfb527cb7cfe
  • 5b45926c91fe46b12dadd3dae6afa2cf76f91a8fed7c3aefdad7f8c1faa03919
  • 189af501e84dddc5af3f7a66dcdc5095d22570abad100575ade261698d199bf3
  • 2987dc6ea8908c9e80ee5cd15ae4b91d15c48d1d31f7dbc79e01864475f33247
  • 3222778fd2f0717284dedbbda7298abf17105881147832e7a1cdbddc24747b0a
  • d99188eb6d65ecfeb7586bfb3566766fd1c68f659fbc57c7ce2bf1580452fd69
  • eaaf1823c34ea385dc3fa483a071b9a5f6122c8ab347b83da00a887ade466a0b
  • d2eafbfcd0dc07d49081b9b8324b549b08eb7aefd87ca6175046a9dd11b1d350
  • 5b3b41fcfe12f7bf5f933d8dbd5d881a3c5391ffb0a71fc313ac456afe8d7510
  • 2acfc97589dfb9f01a4ad9919b6bd73b38f391343b2e952e7dec8bfb8318bf51
  • 09f3fa5267026b2a7a698517d21dec97594cf2623388b13f0091e09ecba85ee9
  • 34a818f4223d32179c774e5cc707410d448d4e72fff148c293f453179642c8e6
  • 5c52f631330f6099fdf038af2e7fc2bc7956e561fe9db5fbde0e8c1fb1951323
  • 99c4c0abd02e05ce83b85184d4f49853674b63d1e402e5068992aabdd35109f8
  • 116db67b886d33dc3ce3892471ea70b652539fe3436aefbc6d4771cd72748bf1
  • 1ba2ae706f2e9b938f96b1d9baa63e302eb0b93c370d6a9b8c555065f90123dd
  • 903ee5d2fb1341754c10acba60faf45fdde7dec94b5c82e3d990a9e7a5a7cd7f
  • 8093be2f5aabcfdb73bf1e6a73161e37d2f702868f974387a032d4e0489516ee
  • 75a741eb4e59010b49520e85c949c610ddec55cd89ea954178a12e6b45551483
  • ee5ce35a68761315dc14c27af6cb25128952bbde67a699b5c69cb21081a3bd75
  • 9b914a04a6b4acb86915551f54a471fd3fc5edda4f8b948416db38808fa291bf
  • 8be1d9004e4ffad4035fa973d6d6508835762adf097a7f4362039b11b5d41122
  • 25e34355c90e9b96478a3a316c4b3280f3254e3677bc9c10e8146efbaaf29c39
  • 449d46143fac008f3c90ea25156bf2e1f3492c7e55e11a45670b98c076924f34
  • 48429a97039eef7473041955fdd403f4d6ae72332cc7f9ede56986167920cd65
  • 973b44c741b1e12417e6a99a806b519b1fb2a1095d2931c154d10a92fabcb01b
  • 65faccff1bd94971f57d4ab74662a11e0de5e9b84c64db56c2290b419c2ad59b
  • 759e28b5e743ef6368816dafb62507ba7133cdbb38853e21ff98964aa3c0d454
  • 1357aed783ad4b524540bcf99d980eaeac3aa21357b696b32c412ee44b925eab
  • ebca811f9da30028f61da7eb4e4d842eec9558a0c0b9e6c172c70095cbc8f4b9
  • 37f72d7cc30ac6952775a5972e510e0f2e0163b11ac7dea1e4dc0449dd8e633a
  • 3476601196502ae5aacb48ab2a6b0b1089100c0761f563c2cdb86861bc18798d
  • 6cccc777cf4eeebb2a17f4d13732f5dfeb0f6dbf50e6b96c743f101c481a44b6
  • 8dabf008e15a4822e0a34b1a998ce3522194128dffbab0401320c6fd21fa97df
  • c02e920086d41efee570ff2aa367640d63394f1ef86bffb1ced03aafa9bebf4b
  • 8458c1237cd94a1446468c7d615df01af8ef3ffc14c1033efeb61118bf4bd3b4
  • 3b5d15ed72a7aaf60ee447fade02e82e333e09c84ccd7ceca3b3594702da0c52
  • 70b3d99e5a06e20095f2919783b8afd9077e5a9a6aed92236605d69bcf424316
  • 2f255e9658e381d9c02499c30dcb07af2c7f5691fd6e5afd8ef35f3d284429f7
  • cb346f5850a116273a9a6fc0430d99e2b2d3a1f92a1742242499d67728efba1d
  • 779bc4fda3638f8adfba674f096475dc4e663fb45c962b5120b9c285dac87fe2
  • 71f6c61bc2314ab899d3e79ffe0cf9434106ae29f760a5e076dbf826a7dfda7e
  • 4847e2d370b72b717e85f289bf9daf22a39906fa99cedc8cda584a775ba571fb
  • 0cebb8519e93f4177b4ab6d82f59643de9940ac6acdd284c3c1f23019f203120
  • ae1b4b92fd179336c88340771c8c16492b6b3f80030735d770dafeef2558861a
  • 43ec23f5477e218b33003603458503d469804ab5a05ee97541402a2b7255627a
  • 23416440ae258c4a472c5c3c07bf7659190168277f8483dcd84d24fbcb83bbd4
  • 78ab98c5b5ead97ff7d245b9603bb5edc4d59d379e492049a3a958a8e48cb945
  • 1fa58cb939e9b5d0f7f0d5c78b437f62f182b5d3658e59729fda2f28eb8746da
  • 29122127b97c0810a564fe16d87faaa9c931e0e48ecd63271af86385a652baca
  • ae9aad29ad8bf58206a14b791b0ab0c842d745495762bf3fe092ce3be1f7fb0e
  • dc0cb777651c14ef9e44cad759ce2a9688872e56d241352e23a3ab3443b03f07
  • 15f4e20fb7971cbd61a7ba4f6ca0582286ff7ca332c17b7c5eef0c023f40bab0
  • 1f8ceb6cd9e01bfe384378c5ea66de52674e188103f5e438a6029680c0b3180f
  • 2e00197cd4b002cf65fc588be7c31b0b6c46f320885eddd6b7d71c8d2f98b36b
  • 3f321b0d86d3af5f72c328b445c07c9c423b47ee3faa89bd413fdd5486019a0f
  • 2d41e76e3200255d7a11e43c6b826bef6a91cabf451c66b3b36d6826cd56fb46
  • eb5dfd6a133128a5d2c7183940639ead5e3aa33aa5ba581ce8d91ee113e4931f
  • 8466c3b28b913e7e965b083b8a3174fbe12b76ed5e9f7d4d929a51cb660e326b
  • b1ed4acd9128d49b5a619e8607cac13b33a8743e717a937c9ee9e6d963375867
  • af766ba5f46115470242fa6033f4f4ba85c82b6d5a001ebfee8482e51d793e1d

Tushar Subhra Dutta
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.
