9 December 2024

New malware botnet Socks5Systemz powers illegal proxy service


Researchers at Bitsight have uncovered a botnet dubbed ‘Socks5Systemz’ that supports the operations of the illegal proxy service known as ‘PROXY.AM’.

The findings follow a recent report from Lumen’s Black Lotus Labs, detailing the exploitation of systems compromised by the Ngioweb malware as residential proxy servers for another service, NSOCKS.

Socks5Systemz has been around since 2013, with its deployment linked to malware like PrivateLoader, SmokeLoader, and Amadey. The botnet’s primary role is to transform infected devices into proxy exit nodes, enabling threat actors to conceal their attack origins. These nodes are then marketed on PROXY.AM, a service operational since 2016 that offers anonymous proxy servers for rent.

The highest infection rates were observed in countries such as India, Indonesia, Ukraine, Algeria, Vietnam, Russia, Turkey, and the United States.

While Socks5Systemz's botnet previously comprised around 250,000 infected devices on average, current estimates put it at approximately 85,000-100,000 nodes. As of now, PROXY.AM advertises 80,888 proxy nodes across 31 countries.

In December 2023, the original iteration of the botnet, dubbed Socks5Systemz V1, took a blow when the threat actor behind it lost control of its command-and-control (C2) infrastructure. This led to the creation of Socks5Systemz V2, rebuilt with a new C2 system and supported by fresh malware distribution campaigns.

The updated botnet relies on loaders like PrivateLoader, SmokeLoader, and Amadey to persist on compromised systems, with new infections replacing older ones to maintain operations.

PROXY.AM markets its services as “elite, private, and anonymous,” with subscription plans ranging from $126 per month for an Unlimited Pack to $700 per month for a VIP Pack.
