Researchers at Bitsight have uncovered a botnet dubbed ‘Socks5Systemz’ that supports the operations of the illegal proxy service known as ‘PROXY.AM’.
The findings follow a recent report from Lumen’s Black Lotus Labs, detailing the exploitation of systems compromised by the Ngioweb malware as residential proxy servers for another service, NSOCKS.
Socks5Systemz has been around since 2013, with its deployment linked to malware like PrivateLoader, SmokeLoader, and Amadey. The botnet’s primary role is to transform infected devices into proxy exit nodes, enabling threat actors to conceal their attack origins. These nodes are then marketed on PROXY.AM, a service operational since 2016 that offers anonymous proxy servers for rent.
The highest infection rates were observed in countries such as India, Indonesia, Ukraine, Algeria, Vietnam, Russia, Turkey, and the United States.
While previously Socks5Systemz's botnet comprised around 250,000 infected devices on average, current estimates show a drop to approximately 85,000-100,000 nodes. As of now, PROXY.AM advertises 80,888 proxy nodes across 31 countries.
In December 2023, the original iteration of the botnet, dubbed Socks5Systemz V1, took a blow when the threat actor behind it lost control of its command-and-control (C2) infrastructure. This led to the creation of Socks5Systemz V2, rebuilt with a new C2 system and supported by fresh malware distribution campaigns.
The updated botnet relies on loaders like PrivateLoader, SmokeLoader, and Amadey to persist on compromised systems, with new infections replacing older ones to maintain operations.
PROXY.AM markets its services as “elite, private, and anonymous,” with subscription plans ranging from $126 per month for an Unlimited Pack to $700 per month for a VIP Pack.