Proxy services let users rent IP addresses and provide online anonymity by disguising their traffic as regular IP addresses while hiding the true source or origin.

Bitsight researchers recently found a new malware sample distributed by the following two loaders:-

• PrivateLoader
• Amadey Loader 

It installs a proxy bot called “Socks5Systemz,” on infected systems, turning them into proxies for others.

Besides this, threat actors often use all these loaders to build botnets, and not only that, it’s been reported that the Socks5Systemz breach has led to a hack of over 10,000 systems globally.

10,000+ Systems Hacked

Samples from PrivateLoader and Amadey drop and run “previewer.exe” which handles persistence and injects the proxy bot into memory with three command line options, reads the report.

Here below, we have mentioned those three command line options:-

• /chk: Creates an empty file named “test” in the current directory and exit
• -i: Install loader
• -s: Start loader

The “install” option sets up persistence by copying the loader to C:\ProgramData\ContentDWSvc\ContentDWSvc.exe and creating a Windows service named ContentDWSvc. 

If this fails, it replaces GoogleUpdate.exe, and the loader then launches the proxy bot by loading and decrypting a DLL file in memory.

The proxy bot payload is a ‘300 KB’ 32-bit DLL, which starts by saving the filename, setting system architecture, and launching the main function in a new thread. 

It generates a client ID from the Windows directory creation date and stores the infection time in C:\ProgramData\ts.dat. 

Besides this, from the following address, it downloads a PDF and saves it in the “C:\ProgramData” folder:-

• hxxp://datasheet[.]fun/manual/avon_4_2022.pdf?<client_id>

The downloaded PDF seems unremarkable, likely serving as a telemetry tool. The bot then attempts to locate an online C2 server by computing a domain with a generation algorithm and using DNS servers for resolution.

At the moment, the following commands are supported by the bot:-

• idle: Do nothing
• connect: Connect to a back-connect server
• disconnect: Disconnect from the backconnect server
• updips: Update IP addresses allowed to send traffic
• upduris: This command seems not to be fully implemented

The crucial “connect” command instructs the bot to create a session with a backconnect server on port 1074/TCP. It registers the bot, making it available to forward traffic for clients.

The bot, on port 1074/TCP, gets a unique server port for receiving client traffic. Clients must know the backconnect server’s IP the bot’s assigned TCP port, and have whitelisted IPs or login credentials to use the proxy.

Infrastructure

Here below, we have mentioned all the servers that made up the infrastructure of this botnet network:-

• Proxy bot C2 servers
• Backconnect servers
• Custom DNS servers (hardcoded in the proxy bot samples)
• The server used by the bots to get the online C2 server address
• A proxy checker application

Top Affected Countries

Here below, we have mentioned the top affected countries:-

• India
• Brazil
• Colombia
• South Africa
• Bangladesh
• Argentina
• Angola
• United States
• Suriname
• Nigeria

IOCs

Socks5Systemz proxy bot payload

• fee88318e738b160cae22f6c0f16c634fd16dbf11b9fb93df5d380b6427ac18f

Proxy bot loader payload

• dc262539467bf34e5059686955d6567efadd8e21c76be51eba94737d8c326720

Packed files distributed by Amadey and PrivateLoader

• 78efcbb0c6eb6a4c76c036adc65154b8ff028849f79d508e45babfb527cb7cfe
• 5b45926c91fe46b12dadd3dae6afa2cf76f91a8fed7c3aefdad7f8c1faa03919
• 189af501e84dddc5af3f7a66dcdc5095d22570abad100575ade261698d199bf3
• 2987dc6ea8908c9e80ee5cd15ae4b91d15c48d1d31f7dbc79e01864475f33247
• 3222778fd2f0717284dedbbda7298abf17105881147832e7a1cdbddc24747b0a
• d99188eb6d65ecfeb7586bfb3566766fd1c68f659fbc57c7ce2bf1580452fd69
• eaaf1823c34ea385dc3fa483a071b9a5f6122c8ab347b83da00a887ade466a0b
• d2eafbfcd0dc07d49081b9b8324b549b08eb7aefd87ca6175046a9dd11b1d350
• 5b3b41fcfe12f7bf5f933d8dbd5d881a3c5391ffb0a71fc313ac456afe8d7510
• 2acfc97589dfb9f01a4ad9919b6bd73b38f391343b2e952e7dec8bfb8318bf51
• 09f3fa5267026b2a7a698517d21dec97594cf2623388b13f0091e09ecba85ee9
• 34a818f4223d32179c774e5cc707410d448d4e72fff148c293f453179642c8e6
• 5c52f631330f6099fdf038af2e7fc2bc7956e561fe9db5fbde0e8c1fb1951323
• 99c4c0abd02e05ce83b85184d4f49853674b63d1e402e5068992aabdd35109f8
• 116db67b886d33dc3ce3892471ea70b652539fe3436aefbc6d4771cd72748bf1
• 1ba2ae706f2e9b938f96b1d9baa63e302eb0b93c370d6a9b8c555065f90123dd
• 903ee5d2fb1341754c10acba60faf45fdde7dec94b5c82e3d990a9e7a5a7cd7f
• 8093be2f5aabcfdb73bf1e6a73161e37d2f702868f974387a032d4e0489516ee
• 75a741eb4e59010b49520e85c949c610ddec55cd89ea954178a12e6b45551483
• ee5ce35a68761315dc14c27af6cb25128952bbde67a699b5c69cb21081a3bd75
• 9b914a04a6b4acb86915551f54a471fd3fc5edda4f8b948416db38808fa291bf
• 8be1d9004e4ffad4035fa973d6d6508835762adf097a7f4362039b11b5d41122
• 25e34355c90e9b96478a3a316c4b3280f3254e3677bc9c10e8146efbaaf29c39
• 449d46143fac008f3c90ea25156bf2e1f3492c7e55e11a45670b98c076924f34
• 48429a97039eef7473041955fdd403f4d6ae72332cc7f9ede56986167920cd65
• 973b44c741b1e12417e6a99a806b519b1fb2a1095d2931c154d10a92fabcb01b
• 65faccff1bd94971f57d4ab74662a11e0de5e9b84c64db56c2290b419c2ad59b
• 759e28b5e743ef6368816dafb62507ba7133cdbb38853e21ff98964aa3c0d454
• 1357aed783ad4b524540bcf99d980eaeac3aa21357b696b32c412ee44b925eab
• ebca811f9da30028f61da7eb4e4d842eec9558a0c0b9e6c172c70095cbc8f4b9
• 37f72d7cc30ac6952775a5972e510e0f2e0163b11ac7dea1e4dc0449dd8e633a
• 3476601196502ae5aacb48ab2a6b0b1089100c0761f563c2cdb86861bc18798d
• 6cccc777cf4eeebb2a17f4d13732f5dfeb0f6dbf50e6b96c743f101c481a44b6
• 8dabf008e15a4822e0a34b1a998ce3522194128dffbab0401320c6fd21fa97df
• c02e920086d41efee570ff2aa367640d63394f1ef86bffb1ced03aafa9bebf4b
• 8458c1237cd94a1446468c7d615df01af8ef3ffc14c1033efeb61118bf4bd3b4
• 3b5d15ed72a7aaf60ee447fade02e82e333e09c84ccd7ceca3b3594702da0c52
• 70b3d99e5a06e20095f2919783b8afd9077e5a9a6aed92236605d69bcf424316
• 2f255e9658e381d9c02499c30dcb07af2c7f5691fd6e5afd8ef35f3d284429f7
• cb346f5850a116273a9a6fc0430d99e2b2d3a1f92a1742242499d67728efba1d
• 779bc4fda3638f8adfba674f096475dc4e663fb45c962b5120b9c285dac87fe2
• 71f6c61bc2314ab899d3e79ffe0cf9434106ae29f760a5e076dbf826a7dfda7e
• 4847e2d370b72b717e85f289bf9daf22a39906fa99cedc8cda584a775ba571fb
• 0cebb8519e93f4177b4ab6d82f59643de9940ac6acdd284c3c1f23019f203120
• ae1b4b92fd179336c88340771c8c16492b6b3f80030735d770dafeef2558861a
• 43ec23f5477e218b33003603458503d469804ab5a05ee97541402a2b7255627a
• 23416440ae258c4a472c5c3c07bf7659190168277f8483dcd84d24fbcb83bbd4
• 78ab98c5b5ead97ff7d245b9603bb5edc4d59d379e492049a3a958a8e48cb945
• 1fa58cb939e9b5d0f7f0d5c78b437f62f182b5d3658e59729fda2f28eb8746da
• 29122127b97c0810a564fe16d87faaa9c931e0e48ecd63271af86385a652baca
• ae9aad29ad8bf58206a14b791b0ab0c842d745495762bf3fe092ce3be1f7fb0e
• dc0cb777651c14ef9e44cad759ce2a9688872e56d241352e23a3ab3443b03f07
• 15f4e20fb7971cbd61a7ba4f6ca0582286ff7ca332c17b7c5eef0c023f40bab0
• 1f8ceb6cd9e01bfe384378c5ea66de52674e188103f5e438a6029680c0b3180f
• 2e00197cd4b002cf65fc588be7c31b0b6c46f320885eddd6b7d71c8d2f98b36b
• 3f321b0d86d3af5f72c328b445c07c9c423b47ee3faa89bd413fdd5486019a0f
• 2d41e76e3200255d7a11e43c6b826bef6a91cabf451c66b3b36d6826cd56fb46
• eb5dfd6a133128a5d2c7183940639ead5e3aa33aa5ba581ce8d91ee113e4931f
• 8466c3b28b913e7e965b083b8a3174fbe12b76ed5e9f7d4d929a51cb660e326b
• b1ed4acd9128d49b5a619e8607cac13b33a8743e717a937c9ee9e6d963375867
• af766ba5f46115470242fa6033f4f4ba85c82b6d5a001ebfee8482e51d793e1d

Protect yourself from vulnerabilities using Patch Manager Plus to patch over 850 third-party applications quickly. Try a free trial to ensure 100% security.