Category | Details |
---|---|
Threat Actors | – BaTHNK: Original creator of Socks5Systemz. – Boost: Reseller of BoostyProxy linked to Socks5Systemz. – Alexey Pavlov: Registered domains linked to the botnet’s operations. |
Campaign Overview | – Large-scale proxy botnet operations using compromised systems as proxy exit nodes. – Initially integrated with malware like Andromeda, Trickbot, and Smokeloader, now distributed as standalone malware. |
Target Regions (Victims) | – Global impact: Over 250,000 daily infections at peak. – Top affected countries include India, Indonesia, Ukraine, Algeria, and Vietnam. |
Methodology | – Malware distributed via loaders like Privateloader, Amadey, and Smokeloader. – Bots used for proxy services sold on Telegram and forums. – Regular rebuilds and updates to botnet infrastructure. |
Product Targeted | – Compromised systems repurposed as proxy nodes. – Proxy services linked to domains like proxy[.]am and bddns[.]cc. |
Malware Reference | – Socks5Systemz: Proxy malware used for SOCKS5 proxy operations. – Integrated in Andromeda, Trickbot, Smokeloader, and others. |
Tools Used | – Proxy modules integrated with botnet C2 infrastructure. – Loaders like Privateloader and Smokeloader for malware delivery. – WHOIS details linked to domain registration for operations. |
Vulnerabilities Exploited | – Reliance on outdated or weak system defenses for infection. – Use of loaders that persist on compromised systems. |
TTPs | – Botnet-based proxy services. – Exploitation of compromised systems globally. – Malware customization for integration with loaders and broader malware ecosystems. |
Attribution | – Origins traced to BaTHNK and Russian forums (since 2013). – Proxy services like proxy[.]am linked to Alexey Pavlov. |
Recommendations | – Regularly patch and update systems to prevent loader-based infections. – Deploy advanced malware detection tools to identify and disrupt botnet activities. – Monitor domains and forums for malicious activity. |
Source | Bitsight |
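As an added example (not code from the Bitsight article or this summary), the following Python watchlist check takes the two defanged domains named above, refangs them for matching only, and flags DNS query-log lines whose queried name is one of those domains or a subdomain of one; the log format and sample lines are constructed for the example.

```python
import re

# Defanged indicators as listed in the summary above; they are refanged
# locally only so they can be compared against log data.
DEFANGED_DOMAINS = ["proxy[.]am", "bddns[.]cc"]


def refang(domain: str) -> str:
    """Turn 'proxy[.]am' into 'proxy.am' (lower-cased, no trailing dot)."""
    return domain.replace("[.]", ".").lower().strip(".")


WATCHLIST = {refang(d) for d in DEFANGED_DOMAINS}


def matches_watchlist(qname: str) -> bool:
    """True if qname is a watched domain or any subdomain of one.

    Suffix matching is label-aware, so 'notproxy.am' and
    'bddns.cc.evil-lookalike.test' do not match."""
    q = qname.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in WATCHLIST)


# Constructed sample lines in an assumed DNS query-log format:
# "<timestamp> <client_ip> <qname> <qtype>"
SAMPLE_LOG = """\
2024-01-01T10:00:01Z 10.0.0.5 www.example.com A
2024-01-01T10:00:02Z 10.0.0.7 api.bddns.cc A
2024-01-01T10:00:03Z 10.0.0.9 proxy.am. A
2024-01-01T10:00:04Z 10.0.0.9 notproxy.am A
2024-01-01T10:00:05Z 10.0.0.11 bddns.cc.evil-lookalike.test A
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def find_hits(log_text: str) -> list[tuple[str, str, str]]:
    """Return (timestamp, client_ip, qname) for every line that hits the watchlist."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than failing the whole run
        ts, client, qname, _qtype = m.groups()
        if matches_watchlist(qname):
            hits.append((ts, client, qname.rstrip(".").lower()))
    return hits


if __name__ == "__main__":
    for ts, client, qname in find_hits(SAMPLE_LOG):
        print(f"{ts} {client} queried watched domain {qname}")
```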
Read full article: https://www.bitsight.com/blog/proxyam-powered-socks5systemz-botnet
Disclaimer: The above summary has been generated by an AI language model