Summary:
The Socks5Systemz malware, active since 2013, has recently gained attention due to its extensive botnet, reaching up to 250,000 compromised systems globally. Initially sold as a standalone product or integrated into other malware, it has been linked to various distribution campaigns. The malware operates as a SOCKS5 proxy, enabling criminal activities through a proxy service called PROXY.AM. This report highlights its evolution, distribution, and the implications for cybersecurity.
#Socks5Systemz #ProxyMalware #BotnetActivity
Key points:
Socks5Systemz has been active since 2013 and was previously underreported in the threat intelligence community.
The malware has been involved in large-scale distribution campaigns alongside Privateloader, Smokeloader, and Amadey.
At its peak, the Socks5Systemz botnet comprised approximately 250,000 compromised systems worldwide.
PROXY.AM, operational since 2016, utilizes the Socks5Systemz botnet to provide proxy services for criminal activities.
The malware has evolved over the past year, with changes in distribution methods and command and control infrastructure.
Recent telemetry indicates a decline in botnet size, attributed to loss of control and new distribution campaigns.
MITRE Techniques:
Command and Control (T1071): Utilizes multiple command and control domains to maintain communication with compromised systems.
Exploitation of Remote Services (T1210): Leverages vulnerabilities in remote services to gain access to systems.
Credential Dumping (T1003): Extracts credentials from compromised systems to facilitate further attacks.
Data Encrypted for Impact (T1486): Encrypts data on compromised systems to extort victims.
Malware (T1203): Deploys malicious software to achieve various objectives, including data theft and system control.
IoC:
[IP Address] 141.98.234.31
[IP Address] 81.31.197.38
[IP Address] 45.155.250.90
[IP Address] 152.89.198.214
[IP Address] 91.211.247.248
[IP Address] 185.208.158.248
[IP Address] 185.237.207.107
[IP Address] 185.208.158.202
[IP Address] 79.132.128.13
[IP Address] 176.10.111.126
[IP Address] 194.62.105.143
[IP Address] 195.154.176.209
[IP Address] 89.105.201.183
[IP Address] 46.8.225.74
[IP Address] 88.80.150.13
[IP Address] 195.154.174.225
[IP Address] 62.210.201.223
[IP Address] 185.141.63.209
[IP Address] 195.154.173.35
[IP Address] 195.154.174.12
[IP Address] 62.210.204.81
[IP Address] 62.210.204.131
[IP Address] 185.141.63.216
[IP Address] 195.154.185.134
[File Hash] 5260154782dd66c6a7b0e14c077c4b44ed1f483c6708495d0344edf8a14e2b27
[File Hash] 36cffd7d54385e0473cb7f7bf2d33910027428837725c4d3649ff1af2d88cb2b
[File Hash] aa93289a23603efc27f70a7eb38f8e81fa7c30f4a5dff71f70c6f2ee583df619
[File Hash] e185e43f039f7a97672db4a44597abd6d2bf49c08d7bc689318a098ec826bb00
[File Hash] f6bbff3463d01da463091dc3347f5f42b32378353d2f7ddfab6285ecf0450c14
[File Hash] a2a41ff58541f577ea1580932cc89642e987239a2fa1ccdb33a3029a520ecd0b
[File Hash] fa3fe68c4a784c01e170098296b3212696b611e0239b69a40f4438532ca33e88
[File Hash] 54feb0e02729304c1c054e34c3bcb4e76be31b31ec2276187ccc4479378ce130
[File Hash] 0fc2f189aa3ebc1ff836079e49dac9758ab5e807d7ab4b42ff37c2376bcc2705
[File Hash] bf34984756336bc78428f3f856be287ef364afa3330cac5facf019c39be73657
[File Hash] b1e5b0e42e039b9711c435d691f1372ec663b2cb5a5d6a733d859d75a9f2d662
[File Hash] f4456c54b840b5650d131ee27ffc9f23b7b3d8344cd88bd2dd2dbad05741e401
[File Hash] c742642edeae783ffdc9efd52f514a5eef830ec115f8e723ee7cfd82ca7c0ba6
[File Hash] dd075ec25d314f2d97d89065239ccb1d6c680d3f08ea94bf59f522545a1546c9
[File Hash] 75e722495c157a05b557580863f90b856d6ec229c7cb4974a008c823377369f5
Mitigation:
Implement network segmentation to limit the spread of malware within the organization.
Regularly update and patch systems to close vulnerabilities that malware may exploit.
Monitor network traffic for unusual patterns indicative of proxy or botnet activity.
Employ endpoint detection and response (EDR) solutions to identify and remediate malware infections.
Educate employees about phishing and social engineering tactics to reduce the risk of initial compromise.
Full Research: https://www.bitsight.com/blog/proxyam-powered-socks5systemz-botnet