Socks5Systemz Botnet Powers Illegal Proxy Service with 85,000+ Hacked Devices

Summary:
Researchers at Bitsight have identified a malicious botnet called Socks5Systemz, which powers the proxy service PROXY.AM. The malware enables other criminal activity by providing threat actors with anonymous proxy services, using compromised systems as proxy exit nodes. Active since 2016 and advertised on cybercrime forums as early as 2013, Socks5Systemz has been linked to distribution by malware loaders such as PrivateLoader, SmokeLoader, and Amadey. These loaders help establish persistence on infected systems and feed the botnet's growth by turning those systems into proxy nodes. The proxy service markets itself as offering "elite, private, and anonymous" servers, with subscription costs ranging from $126 to $700 per month.

As of January 2024, Socks5Systemz infected an average of 250,000 machines daily, primarily in countries like India, Indonesia, Ukraine, Vietnam, and the United States. However, a disruption in December 2023 caused the operators to lose control of their original botnet infrastructure, leading to the creation of a new version, Socks5Systemz V2, with a smaller footprint of 85,000 to 100,000 active nodes. The operators replaced older infections with new payloads through updated distribution campaigns, rebuilding their botnet from scratch.

Analyst Comments:
PROXY.AM continues to advertise itself as a robust and anonymous proxy service, currently claiming to have 80,888 proxy nodes available across 31 countries. Its infrastructure is marketed to cybercriminals who seek to obscure the origins of their activities, which include phishing, ransomware deployment, and other forms of cybercrime. This development follows a related discovery by Trend Micro, which reported the Gafgyt botnet targeting misconfigured Docker Remote API servers to conduct distributed denial-of-service attacks. Gafgyt, traditionally known for exploiting IoT devices, has expanded its focus to Docker instances by exploiting weak SSH credentials and publicly exposed configurations. Attackers have been observed creating malicious Docker containers using legitimate images, such as the "alpine" image, to deploy malware. Once infected, these systems become part of the Gafgyt botnet, amplifying its DDoS capabilities.
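The Docker Remote API misconfiguration Trend Micro describes is, in practice, dockerd bound to a tcp:// address with no TLS client verification, so anyone who can reach the port can create containers. The following is an added example, not code from Bitsight, Trend Micro or The Hacker News: it audits a daemon.json for exactly that condition and shows a constructed weak configuration beside a corrected one. The daemon.json keys (hosts, tlsverify, tlscacert, tlscert, tlskey) are real Docker settings; the sample certificate paths and the loopback allow-list are assumptions.

```python
"""Audit a Docker daemon.json for a Remote API exposed over plain TCP.

Added example (not from the Bitsight, Trend Micro or The Hacker News
write-ups). A dockerd listening on tcp:// without tlsverify lets any
network peer drive the API and start containers. Sample configurations
below are constructed for illustration.
"""
import json
from urllib.parse import urlsplit

# Binds to loopback are local-only and treated as lower risk (assumption).
LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def audit_daemon_config(config_text: str) -> list[str]:
    """Return a list of findings for one daemon.json; empty list means clean."""
    cfg = json.loads(config_text)
    findings = []
    hosts = cfg.get("hosts", [])
    if isinstance(hosts, str):  # tolerate a single string as well as a list
        hosts = [hosts]
    tls_verify = bool(cfg.get("tlsverify", False))
    for host in hosts:
        parts = urlsplit(host)
        if parts.scheme != "tcp":
            continue  # unix:// and fd:// sockets are not network-reachable
        bind = parts.hostname or ""
        if bind in LOOPBACK:
            continue
        if not tls_verify:
            findings.append(
                f"{host}: Docker Remote API reachable over the network without "
                "TLS client verification (set tlsverify with tlscacert/tlscert/"
                "tlskey, or bind only to a unix socket)"
            )
        elif not all(k in cfg for k in ("tlscacert", "tlscert", "tlskey")):
            findings.append(
                f"{host}: tlsverify is set but a TLS CA/cert/key path is missing"
            )
    return findings


# Constructed samples: the weak setting and the corrected one.
WEAK_CONFIG = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})
HARDENED_CONFIG = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",        # assumed path
    "tlscert": "/etc/docker/server-cert.pem",  # assumed path
    "tlskey": "/etc/docker/server-key.pem",    # assumed path
})

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_daemon_config(text) or ["ok"])
```

Run it against /etc/docker/daemon.json on each host; a finding on a tcp:// bind is the exposure the Gafgyt campaign above relies on. Hosts that run dockerd with `-H tcp://...` on the command line rather than in daemon.json need the same check applied to the service unit.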

Additionally, misconfigured cloud environments have become a growing attack surface. Research from Leiden University and TU Delft identified 215 cloud instances exposing sensitive credentials that could grant attackers unauthorized access to databases, cloud infrastructure, and third-party APIs. These misconfigurations affect sectors such as IT, retail, healthcare, and education, with a high concentration in the United States, India, Australia, and Brazil. The leaked credentials present severe risks, including full organizational compromise, data theft, and cloud infrastructure infiltration.

Suggested Corrections:

IOCs:
https://www.bitsight.com/blog/proxyam-powered-socks5systemz-botnet

Users should be wary of IoT devices that lack traditional security features. Many IoT devices do not offer multi-factor authentication, or even the ability to change default usernames and passwords. Cybercriminals will continue to target the ever-growing IoT device market.

If IoT devices must be used, users should consider segmenting them from sensitive networks.

Once a device has been compromised by a botnet, users may notice slow or sluggish systems and/or unusual traffic on the network.
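One concrete form of the "unusual traffic" mentioned above: a device acting as a proxy exit node relays other people's connections, so its outbound traffic fans out to many unrelated destination addresses and ports, unlike a workstation that talks to a handful of services. The script below is an added example, not taken from any of the reports summarised here. The fan-out heuristic, its thresholds and the internal address ranges are assumptions to tune per network, and the flow records are constructed.

```python
"""Flag hosts whose outbound connections fan out like a proxy exit node.

Added example (not from the Bitsight or The Hacker News write-ups). The
heuristic is an assumption: a device relaying traffic for strangers opens
outbound connections to many distinct external IPs and ports, far more than
it normally does. Flow records here are constructed; real input would come
from NetFlow/IPFIX, firewall logs or conntrack.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed internal ranges; anything outside them counts as external.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def fanout_stats(flows):
    """Per source host: (distinct external destination IPs, distinct destination ports).

    flows: iterable of (src_ip, dst_ip, dst_port). Internal destinations are ignored
    so ordinary LAN chatter (DNS, file shares) does not inflate the counts.
    """
    dst_ips = defaultdict(set)
    dst_ports = defaultdict(set)
    for src, dst, port in flows:
        if is_internal(dst):
            continue
        dst_ips[src].add(dst)
        dst_ports[src].add(port)
    return {src: (len(dst_ips[src]), len(dst_ports[src])) for src in dst_ips}


def flag_proxy_like_hosts(flows, min_dst_ips=20, min_ports=10):
    """Hosts exceeding both thresholds (assumed values; baseline per host in practice)."""
    return sorted(
        src for src, (n_ips, n_ports) in fanout_stats(flows).items()
        if n_ips >= min_dst_ips and n_ports >= min_ports
    )


def build_sample_flows():
    """Constructed records: one normal workstation, one suspect, plus internal noise."""
    flows = []
    # Workstation: repeated HTTPS to three external hosts (TEST-NET-3 addresses).
    for i in range(30):
        flows.append(("10.0.0.5", f"203.0.113.{i % 3 + 10}", 443))
    # Suspect: 40 distinct external hosts on 40 distinct ports, as a relay would.
    for i in range(40):
        flows.append(("10.0.0.23", f"198.51.100.{i + 1}", 1024 + 37 * i))
    # Internal DNS chatter from the suspect should not count toward fan-out.
    for _ in range(50):
        flows.append(("10.0.0.23", "10.0.0.1", 53))
    return flows


if __name__ == "__main__":
    sample = build_sample_flows()
    for host, (n_ips, n_ports) in sorted(fanout_stats(sample).items()):
        print(f"{host}: {n_ips} external destinations, {n_ports} ports")
    print("proxy-like:", flag_proxy_like_hosts(sample))
```

A host flagged this way deserves a look at its process list and listening sockets; a device with a newly open SOCKS port and this traffic profile matches the exit-node role the botnet assigns to its victims. Thresholds should come from each host's own history, since a mail relay or web crawler legitimately fans out.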

Link(s):
https://thehackernews.com/2024/12/socks5systemz-botnet-powers-illegal.html