| Category | Details |
|---|---|
| Threat Actors | - BaTHNK: Original creator of Socks5Systemz. - Boost: Reseller of BoostyProxy linked to Socks5Systemz. - Alexey Pavlov: Registered domains linked to the botnet’s operations. |
| Campaign Overview | - Large-scale proxy botnet that turns compromised systems into SOCKS5 proxy exit nodes and resells access. - Originally shipped as a module inside malware such as Andromeda, TrickBot, and SmokeLoader; now distributed as standalone malware. |
| Target Regions (Victims) | - Global footprint: over 250,000 infected machines observed per day at peak. - Most affected countries include India, Indonesia, Ukraine, Algeria, and Vietnam. |
| Methodology | - Malware delivered by loaders such as PrivateLoader, Amadey, and SmokeLoader. - Infected hosts are rented out as proxy services advertised on Telegram and underground forums. - Botnet infrastructure is regularly rebuilt and updated. |
| Product Targeted | - Compromised systems repurposed as proxy nodes. - Proxy services tied to domains such as proxy[.]am and bddns[.]cc. |
| Malware Reference | - Socks5Systemz: proxy malware that runs SOCKS5 proxy operations on infected hosts. - Previously bundled with Andromeda, TrickBot, SmokeLoader, and others. |
| Tools Used | - Proxy modules integrated with botnet C2 infrastructure. - Loaders such as PrivateLoader and SmokeLoader for malware delivery. - WHOIS registration records used to link the operational domains to their registrants. |
| Vulnerabilities Exploited | - No specific software vulnerability is cited; infection relies on loader malware reaching systems with outdated or weak defenses. - The loaders maintain persistence on compromised systems. |
| TTPs | - Botnet-based proxy-as-a-service. - Monetization of compromised systems worldwide as proxy exit nodes. - Malware adapted for integration with loaders and the broader malware ecosystem. |
| Attribution | - Origins traced to BaTHNK and Russian-language forums (since 2013). - Proxy services such as PROXY.AM linked to Alexey Pavlov. |
| Recommendations | - Patch and update systems regularly to reduce loader-based infections. - Deploy endpoint and network malware detection capable of identifying and disrupting botnet activity. - Monitor DNS and proxy logs for the listed domains, and watch forums and Telegram for resold proxy access. |
| Source | Bitsight |
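Two detection checks a defender could derive from the Methodology and Recommendations rows, written here as an added Python example that is not part of the Bitsight report or of this summary: the first refangs the domains listed above and matches them (including subdomains) against a DNS query log, and the second flags inbound connections to internal hosts whose first bytes form an RFC 1928 SOCKS5 client greeting, which is the traffic a machine acting as a proxy exit node would receive. The log lines, the flow tuples and the 10.0.0.0/24 internal range are constructed assumptions; the greeting check is generic SOCKS5 protocol parsing, not a signature for Socks5Systemz's own client protocol.

```python
import re

# Indicators exactly as they appear (defanged) in the summary above.
DEFANGED_IOCS = ["proxy[.]am", "bddns[.]cc"]


def refang(indicator: str) -> str:
    """Turn a defanged domain ('proxy[.]am', 'hxxp://x(.)y') back into a matchable hostname."""
    s = indicator.strip().lower()
    s = re.sub(r"\[\.\]|\(\.\)|\{\.\}|\[dot\]", ".", s)  # common defanging styles
    s = re.sub(r"^hxxps?://", "", s)                       # strip defanged scheme
    return s


IOC_DOMAINS = {refang(d) for d in DEFANGED_IOCS}


def domain_matches(qname: str, iocs=IOC_DOMAINS):
    """Return the IOC that qname equals or is a subdomain of, else None.

    Suffix matching is anchored on the dot so 'notproxy.am' does not match 'proxy.am'.
    """
    q = qname.rstrip(".").lower()  # DNS logs often carry a trailing root dot
    for ioc in iocs:
        if q == ioc or q.endswith("." + ioc):
            return ioc
    return None


# Constructed sample DNS query log (assumption, not data from the report):
# timestamp, client IP, queried name.
SAMPLE_DNS_LOG = """\
2024-12-05T10:01:02Z 10.0.0.15 www.example.com
2024-12-05T10:01:09Z 10.0.0.15 api.bddns.cc.
2024-12-05T10:02:33Z 10.0.0.22 proxy.am
2024-12-05T10:02:40Z 10.0.0.22 notproxy.am
2024-12-05T10:03:01Z 10.0.0.31 updates.microsoft.com
"""

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)$")


def hunt_dns(log_text: str):
    """Return (client, qname, matched_ioc) for every log line hitting an IOC domain."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crash the hunt
        ioc = domain_matches(m["qname"])
        if ioc:
            hits.append((m["client"], m["qname"].rstrip("."), ioc))
    return hits


def is_socks5_greeting(payload: bytes) -> bool:
    """RFC 1928 client greeting: VER=0x05, NMETHODS, then NMETHODS method bytes.

    Accepts a payload that carries at least the full greeting so a first TCP
    segment that also contains a pipelined request still matches.
    """
    if len(payload) < 3 or payload[0] != 0x05:
        return False
    nmethods = payload[1]
    return nmethods >= 1 and len(payload) >= 2 + nmethods


# Constructed first-payload samples (assumption): src, dst, dst port, first bytes.
SAMPLE_FLOWS = [
    ("203.0.113.9", "10.0.0.15", 41233, bytes([0x05, 0x02, 0x00, 0x02])),  # SOCKS5 greeting: no-auth, user/pass
    ("10.0.0.15", "93.184.216.34", 443, bytes([0x16, 0x03, 0x01, 0x02, 0x00])),  # TLS ClientHello
    ("203.0.113.10", "10.0.0.22", 8080, b"GET / HTTP/1.1\r\n"),  # plain HTTP
]


def socks5_inbound_hits(flows, internal_prefix="10.0.0."):
    """Flag flows where an external peer sends a SOCKS5 greeting to an internal host.

    A workstation should not be a SOCKS5 server; an inbound greeting is a strong
    sign the host is being used as a proxy exit node.
    """
    return [(src, dst, dport) for src, dst, dport, first in flows
            if dst.startswith(internal_prefix) and is_socks5_greeting(first)]


if __name__ == "__main__":
    for client, qname, ioc in hunt_dns(SAMPLE_DNS_LOG):
        print(f"DNS hit: {client} queried {qname} (IOC {ioc})")
    for src, dst, dport in socks5_inbound_hits(SAMPLE_FLOWS):
        print(f"SOCKS5 greeting from {src} to internal host {dst}:{dport}")
```

The DNS check deliberately matches on a dot-anchored suffix so that look-alike names such as notproxy.am do not produce false positives, and the SOCKS5 check only inspects the protocol framing, so it will also fire on legitimate SOCKS5 servers; pair it with an allowlist of hosts that are expected to proxy.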
Read full article: https://www.bitsight.com/blog/proxyam-powered-socks5systemz-botnet
Disclaimer: The above summary has been generated by an AI language model