Proxy services let users rent IP addresses and provide online anonymity by disguising their traffic as regular IP addresses while hiding the true source or origin.
Bitsight researchers recently found a new malware sample distributed by the following two loaders:-
- PrivateLoader
- Amadey Loader
It installs a proxy bot called “Socks5Systemz,” on infected systems, turning them into proxies for others.
.png
)
Besides this, threat actors often use all these loaders to build botnets, and not only that, it’s been reported that the Socks5Systemz breach has led to a hack of over 10,000 systems globally.
10,000+ Systems Hacked
Samples from PrivateLoader and Amadey drop and run “previewer.exe” which handles persistence and injects the proxy bot into memory with three command line options, reads the report.
Here below, we have mentioned those three command line options:-
- /chk: Creates an empty file named “test” in the current directory and exit
- -i: Install loader
- -s: Start loader
The “install” option sets up persistence by copying the loader to C:\ProgramData\ContentDWSvc\ContentDWSvc.exe and creating a Windows service named ContentDWSvc.
If this fails, it replaces GoogleUpdate.exe, and the loader then launches the proxy bot by loading and decrypting a DLL file in memory.
The proxy bot payload is a ‘300 KB’ 32-bit DLL, which starts by saving the filename, setting system architecture, and launching the main function in a new thread.
It generates a client ID from the Windows directory creation date and stores the infection time in C:\ProgramData\ts.dat.
Besides this, from the following address, it downloads a PDF and saves it in the “C:\ProgramData” folder:-
- hxxp://datasheet[.]fun/manual/avon_4_2022.pdf?<client_id>
The downloaded PDF seems unremarkable, likely serving as a telemetry tool. The bot then attempts to locate an online C2 server by computing a domain with a generation algorithm and using DNS servers for resolution.
At the moment, the following commands are supported by the bot:-
- idle: Do nothing
- connect: Connect to a back-connect server
- disconnect: Disconnect from the backconnect server
- updips: Update IP addresses allowed to send traffic
- upduris: This command seems not to be fully implemented
The crucial “connect” command instructs the bot to create a session with a backconnect server on port 1074/TCP. It registers the bot, making it available to forward traffic for clients.
The bot, on port 1074/TCP, gets a unique server port for receiving client traffic. Clients must know the backconnect server’s IP the bot’s assigned TCP port, and have whitelisted IPs or login credentials to use the proxy.
Infrastructure
Here below, we have mentioned all the servers that made up the infrastructure of this botnet network:-
- Proxy bot C2 servers
- Backconnect servers
- Custom DNS servers (hardcoded in the proxy bot samples)
- The server used by the bots to get the online C2 server address
- A proxy checker application
Top Affected Countries
Here below, we have mentioned the top affected countries:-
- India
- Brazil
- Colombia
- South Africa
- Bangladesh
- Argentina
- Angola
- United States
- Suriname
- Nigeria
IOCs
Socks5Systemz proxy bot payload
- fee88318e738b160cae22f6c0f16c634fd16dbf11b9fb93df5d380b6427ac18f
Proxy bot loader payload
- dc262539467bf34e5059686955d6567efadd8e21c76be51eba94737d8c326720
Packed files distributed by Amadey and PrivateLoader
- 78efcbb0c6eb6a4c76c036adc65154b8ff028849f79d508e45babfb527cb7cfe
- 5b45926c91fe46b12dadd3dae6afa2cf76f91a8fed7c3aefdad7f8c1faa03919
- 189af501e84dddc5af3f7a66dcdc5095d22570abad100575ade261698d199bf3
- 2987dc6ea8908c9e80ee5cd15ae4b91d15c48d1d31f7dbc79e01864475f33247
- 3222778fd2f0717284dedbbda7298abf17105881147832e7a1cdbddc24747b0a
- d99188eb6d65ecfeb7586bfb3566766fd1c68f659fbc57c7ce2bf1580452fd69
- eaaf1823c34ea385dc3fa483a071b9a5f6122c8ab347b83da00a887ade466a0b
- d2eafbfcd0dc07d49081b9b8324b549b08eb7aefd87ca6175046a9dd11b1d350
- 5b3b41fcfe12f7bf5f933d8dbd5d881a3c5391ffb0a71fc313ac456afe8d7510
- 2acfc97589dfb9f01a4ad9919b6bd73b38f391343b2e952e7dec8bfb8318bf51
- 09f3fa5267026b2a7a698517d21dec97594cf2623388b13f0091e09ecba85ee9
- 34a818f4223d32179c774e5cc707410d448d4e72fff148c293f453179642c8e6
- 5c52f631330f6099fdf038af2e7fc2bc7956e561fe9db5fbde0e8c1fb1951323
- 99c4c0abd02e05ce83b85184d4f49853674b63d1e402e5068992aabdd35109f8
- 116db67b886d33dc3ce3892471ea70b652539fe3436aefbc6d4771cd72748bf1
- 1ba2ae706f2e9b938f96b1d9baa63e302eb0b93c370d6a9b8c555065f90123dd
- 903ee5d2fb1341754c10acba60faf45fdde7dec94b5c82e3d990a9e7a5a7cd7f
- 8093be2f5aabcfdb73bf1e6a73161e37d2f702868f974387a032d4e0489516ee
- 75a741eb4e59010b49520e85c949c610ddec55cd89ea954178a12e6b45551483
- ee5ce35a68761315dc14c27af6cb25128952bbde67a699b5c69cb21081a3bd75
- 9b914a04a6b4acb86915551f54a471fd3fc5edda4f8b948416db38808fa291bf
- 8be1d9004e4ffad4035fa973d6d6508835762adf097a7f4362039b11b5d41122
- 25e34355c90e9b96478a3a316c4b3280f3254e3677bc9c10e8146efbaaf29c39
- 449d46143fac008f3c90ea25156bf2e1f3492c7e55e11a45670b98c076924f34
- 48429a97039eef7473041955fdd403f4d6ae72332cc7f9ede56986167920cd65
- 973b44c741b1e12417e6a99a806b519b1fb2a1095d2931c154d10a92fabcb01b
- 65faccff1bd94971f57d4ab74662a11e0de5e9b84c64db56c2290b419c2ad59b
- 759e28b5e743ef6368816dafb62507ba7133cdbb38853e21ff98964aa3c0d454
- 1357aed783ad4b524540bcf99d980eaeac3aa21357b696b32c412ee44b925eab
- ebca811f9da30028f61da7eb4e4d842eec9558a0c0b9e6c172c70095cbc8f4b9
- 37f72d7cc30ac6952775a5972e510e0f2e0163b11ac7dea1e4dc0449dd8e633a
- 3476601196502ae5aacb48ab2a6b0b1089100c0761f563c2cdb86861bc18798d
- 6cccc777cf4eeebb2a17f4d13732f5dfeb0f6dbf50e6b96c743f101c481a44b6
- 8dabf008e15a4822e0a34b1a998ce3522194128dffbab0401320c6fd21fa97df
- c02e920086d41efee570ff2aa367640d63394f1ef86bffb1ced03aafa9bebf4b
- 8458c1237cd94a1446468c7d615df01af8ef3ffc14c1033efeb61118bf4bd3b4
- 3b5d15ed72a7aaf60ee447fade02e82e333e09c84ccd7ceca3b3594702da0c52
- 70b3d99e5a06e20095f2919783b8afd9077e5a9a6aed92236605d69bcf424316
- 2f255e9658e381d9c02499c30dcb07af2c7f5691fd6e5afd8ef35f3d284429f7
- cb346f5850a116273a9a6fc0430d99e2b2d3a1f92a1742242499d67728efba1d
- 779bc4fda3638f8adfba674f096475dc4e663fb45c962b5120b9c285dac87fe2
- 71f6c61bc2314ab899d3e79ffe0cf9434106ae29f760a5e076dbf826a7dfda7e
- 4847e2d370b72b717e85f289bf9daf22a39906fa99cedc8cda584a775ba571fb
- 0cebb8519e93f4177b4ab6d82f59643de9940ac6acdd284c3c1f23019f203120
- ae1b4b92fd179336c88340771c8c16492b6b3f80030735d770dafeef2558861a
- 43ec23f5477e218b33003603458503d469804ab5a05ee97541402a2b7255627a
- 23416440ae258c4a472c5c3c07bf7659190168277f8483dcd84d24fbcb83bbd4
- 78ab98c5b5ead97ff7d245b9603bb5edc4d59d379e492049a3a958a8e48cb945
- 1fa58cb939e9b5d0f7f0d5c78b437f62f182b5d3658e59729fda2f28eb8746da
- 29122127b97c0810a564fe16d87faaa9c931e0e48ecd63271af86385a652baca
- ae9aad29ad8bf58206a14b791b0ab0c842d745495762bf3fe092ce3be1f7fb0e
- dc0cb777651c14ef9e44cad759ce2a9688872e56d241352e23a3ab3443b03f07
- 15f4e20fb7971cbd61a7ba4f6ca0582286ff7ca332c17b7c5eef0c023f40bab0
- 1f8ceb6cd9e01bfe384378c5ea66de52674e188103f5e438a6029680c0b3180f
- 2e00197cd4b002cf65fc588be7c31b0b6c46f320885eddd6b7d71c8d2f98b36b
- 3f321b0d86d3af5f72c328b445c07c9c423b47ee3faa89bd413fdd5486019a0f
- 2d41e76e3200255d7a11e43c6b826bef6a91cabf451c66b3b36d6826cd56fb46
- eb5dfd6a133128a5d2c7183940639ead5e3aa33aa5ba581ce8d91ee113e4931f
- 8466c3b28b913e7e965b083b8a3174fbe12b76ed5e9f7d4d929a51cb660e326b
- b1ed4acd9128d49b5a619e8607cac13b33a8743e717a937c9ee9e6d963375867
- af766ba5f46115470242fa6033f4f4ba85c82b6d5a001ebfee8482e51d793e1d
Protect yourself from vulnerabilities using Patch Manager Plus to patch over 850 third-party applications quickly. Try a free trial to ensure 100% security.
