Socks5Systemz Proxy Botnet Has Infected 10,000+ Systems Worldwide
Proxy services let customers rent IP addresses and route their traffic through them, so the destination sees an ordinary residential or business address rather than the customer's real origin. When those addresses belong to infected machines, the victims are unknowingly relaying other people's traffic.
Bitsight researchers recently found a new malware sample distributed by the following two loaders:-
PrivateLoader
Amadey Loader
The payload installs a proxy bot called "Socks5Systemz" on infected systems, turning them into forwarding proxies for the operator's customers.
Both loaders are commonly used to seed botnets, and Bitsight's telemetry puts the number of systems infected with Socks5Systemz at more than 10,000 worldwide.
10,000+ Systems Infected
According to the report, samples delivered by PrivateLoader and Amadey drop and run a loader named "previewer.exe", which handles persistence and loads the proxy bot into memory. The loader accepts three command-line options:-
/chk: Creates an empty file named "test" in the current directory and exits (a simple self-check)
-i: Installs the loader (sets up persistence)
-s: Starts the loader (launches the proxy bot)
The install option (-i) sets up persistence by copying the loader to C:\ProgramData\ContentDWSvc\ContentDWSvc.exe and registering it as a Windows service named ContentDWSvc.
If service creation fails, the loader falls back to replacing GoogleUpdate.exe, so that it runs in place of the legitimate updater. Either way, the loader then starts the proxy bot by decrypting a DLL in memory and loading it from there, without writing the decrypted payload to disk.
The proxy bot payload is a roughly 300 KB 32-bit DLL. On entry it records its own file name, determines the system architecture, and starts its main routine in a new thread.
It derives a client ID from the creation date of the Windows directory (a value that survives reboots and rarely changes, which makes it a convenient per-host identifier) and stores the infection time in C:\ProgramData\ts.dat.
It also downloads a PDF from a hard-coded address and saves it in the C:\ProgramData folder.
The PDF itself is unremarkable; the download most likely serves as telemetry, letting the operators count new infections. The bot then locates a live C2 server by computing candidate domains with a domain generation algorithm (DGA) and resolving them through DNS servers hard-coded in the sample rather than the system resolver.
At the moment, the following commands are supported by the bot:-
idle: Do nothing
connect: Connect to a backconnect server
disconnect: Disconnect from the backconnect server
updips: Update the list of IP addresses allowed to send traffic through the bot
upduris: Appears not to be fully implemented
The key command is connect, which tells the bot to open a session with a backconnect server on port 1074/TCP. That session registers the bot with the server, making it available to forward traffic for clients.
The backconnect server assigns the bot a unique server-side port on which client traffic arrives; the bot's own outbound session on 1074/TCP carries that traffic back to the infected host, so no inbound connection to the victim is needed. To use the proxy, a client must know the backconnect server's IP address and the port assigned to the bot, and must either come from a whitelisted IP address or present login credentials.
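The following hunting script is an added example, not code from the Bitsight report or from the malware; it checks a single Windows host for the artefacts described in the persistence and bot-behaviour sections above (the ContentDWSvc service and binary, a tampered GoogleUpdate.exe, ts.dat, a PDF dropped into C:\ProgramData, and an established session to 1074/TCP). The service name, paths and port come from the article; the Google Update search directories and the expectation that a genuine GoogleUpdate.exe carries a valid Google Authenticode signature are assumptions. Run it from an elevated PowerShell session.

```powershell
# Added hunting script for Socks5Systemz indicators (not from the Bitsight report).
# Run elevated so service, file and connection queries succeed.
$findings = @()

# 1. Primary persistence: loader copied to ContentDWSvc.exe and registered as a service.
$loaderPath = 'C:\ProgramData\ContentDWSvc\ContentDWSvc.exe'
if (Test-Path $loaderPath) {
    $findings += "Loader binary present: $loaderPath"
}
$svc = Get-CimInstance Win32_Service -Filter "Name='ContentDWSvc'" -ErrorAction SilentlyContinue
if ($svc) {
    $findings += "Service ContentDWSvc registered (State=$($svc.State), PathName=$($svc.PathName))"
}

# 2. Fallback persistence: GoogleUpdate.exe replaced by the loader.
#    Assumption: a genuine GoogleUpdate.exe has a valid Authenticode signature from Google,
#    so an unsigned or differently signed copy in a Google Update directory is suspicious.
#    The directories searched are the usual install locations (assumption, not from the report).
$googleDirs = @(
    "${env:ProgramFiles(x86)}\Google\Update",
    "$env:ProgramFiles\Google\Update",
    "$env:LOCALAPPDATA\Google\Update"
)
foreach ($dir in $googleDirs) {
    if (-not $dir -or -not (Test-Path $dir)) { continue }
    Get-ChildItem -Path $dir -Filter 'GoogleUpdate.exe' -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Google') {
            $findings += "GoogleUpdate.exe with unexpected signature: $($_.FullName) (Status=$($sig.Status))"
        }
    }
}

# 3. Bot runtime artefacts: infection timestamp file and the downloaded PDF in C:\ProgramData.
$tsPath = 'C:\ProgramData\ts.dat'
if (Test-Path $tsPath) {
    $ts = Get-Item $tsPath
    $findings += "ts.dat present (created $($ts.CreationTime), $($ts.Length) bytes)"
}
# A PDF sitting directly in the ProgramData root (not in a vendor subfolder) is unusual.
Get-ChildItem -Path 'C:\ProgramData' -Filter '*.pdf' -File -ErrorAction SilentlyContinue | ForEach-Object {
    $findings += "PDF in ProgramData root: $($_.FullName) (created $($_.CreationTime))"
}

# 4. Backconnect session: the connect command opens an outbound session to port 1074/TCP.
#    Legitimate software rarely uses this port, so an established connection is worth a look.
Get-NetTCPConnection -RemotePort 1074 -State Established -ErrorAction SilentlyContinue | ForEach-Object {
    $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    $findings += "Established connection to $($_.RemoteAddress):1074 from PID $($_.OwningProcess) ($($proc.ProcessName))"
}

if ($findings.Count -eq 0) {
    Write-Output 'No Socks5Systemz indicators found.'
} else {
    Write-Output 'Possible Socks5Systemz infection:'
    $findings | ForEach-Object { Write-Output " - $_" }
}
```

The checks are deliberately independent: a host where the service was never created (for example because the loader lacked the privileges to register it) will still show the GoogleUpdate.exe fallback, ts.dat, or the 1074/TCP session. Treat any single hit as a reason to pull the files and the process for analysis rather than as proof on its own; a stale ts.dat or an unrelated PDF can survive a cleanup.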
Infrastructure
The botnet's infrastructure consists of the following server roles:-
Proxy bot C2 servers
Backconnect servers
Custom DNS servers (hardcoded in the proxy bot samples)
The server used by the bots to get the online C2 server address
A proxy checker application
Top Affected Countries
Here below, we have mentioned the top affected countries:-
Tushar Subhra
Tushar is a cyber security content editor with a passion for creating engaging and informative content. With years of experience in cyber security, he covers cyber security news, technology and other news.