Socks5Systemz Proxy Hacked 10,000+ Systems World Wide

Proxy services let users rent IP addresses and provide online anonymity: traffic appears to come from an ordinary IP address while the true source or origin stays hidden.



Bitsight researchers recently found a new malware sample distributed by the following two loaders:

- PrivateLoader
- Amadey Loader

It installs a proxy bot called “Socks5Systemz” on infected systems, turning them into proxies for others.

Threat actors commonly use these loaders to build botnets, and the Socks5Systemz botnet is reported to have compromised over 10,000 systems globally.



Socks5Systemz Login page (Source – Bitsight)


10,000+ Systems Hacked



Samples from PrivateLoader and Amadey drop and run “previewer.exe”, which handles persistence and injects the proxy bot into memory. It accepts three command line options, reads the report.

Here below, we have mentioned those three command line options:

- /chk: Creates an empty file named “test” in the current directory and exits
- -i: Install loader
- -s: Start loader

The “install” option sets up persistence by copying the loader to C:\ProgramData\ContentDWSvc\ContentDWSvc.exe and creating a Windows service named ContentDWSvc.

If this fails, it replaces GoogleUpdate.exe instead. The loader then launches the proxy bot by loading and decrypting a DLL file in memory.



The proxy bot payload is a 300 KB 32-bit DLL, which starts by saving its filename, recording the system architecture, and launching the main function in a new thread.

It generates a client ID from the Windows directory creation date and stores the infection time in C:\ProgramData\s.dat.



Besides this, it downloads a PDF from the following address and saves it in the “C:\ProgramData” folder:



hxxp://datasheet[.]fun/manual/avon_4_2022.pdf?<client_id>

Downloading PDF (Source – Bitsight)


The downloaded PDF seems unremarkable and likely serves as a telemetry beacon. The bot then attempts to locate an online C2 server by computing a domain with a domain generation algorithm (DGA) and resolving it through its hardcoded DNS servers.



At the moment, the following commands are supported by the bot:

- idle: Do nothing
- connect: Connect to a backconnect server
- disconnect: Disconnect from the backconnect server
- updips: Update the IP addresses allowed to send traffic
- upduris: This command seems not to be fully implemented

The crucial “connect” command instructs the bot to create a session with a backconnect server on port 1074/TCP. It registers the bot, making it available to forward traffic for clients.

Bot receiving a connect command (Source – Bitsight)

Over that 1074/TCP session the bot is assigned a unique server port on which it receives client traffic. Clients must know the backconnect server’s IP and the bot’s assigned TCP port, and must have whitelisted IPs or login credentials to use the proxy.



Overview of how the clients can use the proxies (Source – Bitsight)

Infrastructure



Here below, we have mentioned all the servers that made up the infrastructure of this botnet network:

- Proxy bot C2 servers
- Backconnect servers
- Custom DNS servers (hardcoded in the proxy bot samples)
- The server used by the bots to get the online C2 server address
- A proxy checker application

Top Affected Countries



Here below, we have mentioned the top affected countries:

- India
- Brazil
- Colombia
- South Africa
- Bangladesh
- Argentina
- Angola
- United States
- Suriname
- Nigeria
IOCs



Socks5Systemz proxy bot payload



fee88318e738b160cae22f6c0f16c634fd16dbf11b9fb93df5d380b6427ac18f
Proxy bot loader payload



dc262539467bf34e5059686955d6567efadd8e21c76be51eba94737d8c326720
Packed files distributed by Amadey and PrivateLoader



78efcbb0c6eb6a4c76c036adc65154b8ff028849f79d508e45babfb527cb7cfe



5b45926c91fe46b12dadd3dae6afa2cf76f91a8fed7c3aefdad7f8c1faa03919



189af501e84dddc5af3f7a66dcdc5095d22570abad100575ade261698d199bf3



2987dc6ea8908c9e80ee5cd15ae4b91d15c48d1d31f7dbc79e01864475f33247



3222778fd2f0717284dedbbda7298abf17105881147832e7a1cdbddc24747b0a



d99188eb6d65ecfeb7586bfb3566766fd1c68f659fbc57c7ce2bf1580452fd69



eaaf1823c34ea385dc3fa483a071b9a5f6122c8ab347b83da00a887ade466a0b



d2eafbfcd0dc07d49081b9b8324b549b08eb7aefd87ca6175046a9dd11b1d350



5b3b41fcfe12f7bf5f933d8dbd5d881a3c5391ffb0a71fc313ac456afe8d7510



2acfc97589dfb9f01a4ad9919b6bd73b38f391343b2e952e7dec8bfb8318bf51



09f3fa5267026b2a7a698517d21dec97594cf2623388b13f0091e09ecba85ee9



34a818f4223d32179c774e5cc707410d448d4e72fff148c293f453179642c8e6



5c52f631330f6099fdf038af2e7fc2bc7956e561fe9db5fbde0e8c1fb1951323



99c4c0abd02e05ce83b85184d4f49853674b63d1e402e5068992aabdd35109f8



116db67b886d33dc3ce3892471ea70b652539fe3436aefbc6d4771cd72748bf1



1ba2ae706f2e9b938f96b1d9baa63e302eb0b93c370d6a9b8c555065f90123dd



903ee5d2fb1341754c10acba60faf45fdde7dec94b5c82e3d990a9e7a5a7cd7f



8093be2f5aabcfdb73bf1e6a73161e37d2f702868f974387a032d4e0489516ee



75a741eb4e59010b49520e85c949c610ddec55cd89ea954178a12e6b45551483



ee5ce35a68761315dc14c27af6cb25128952bbde67a699b5c69cb21081a3bd75



9b914a04a6b4acb86915551f54a471fd3fc5edda4f8b948416db38808fa291bf



8be1d9004e4ffad4035fa973d6d6508835762adf097a7f4362039b11b5d41122



25e34355c90e9b96478a3a316c4b3280f3254e3677bc9c10e8146efbaaf29c39



449d46143fac008f3c90ea25156bf2e1f3492c7e55e11a45670b98c076924f34



48429a97039eef7473041955fdd403f4d6ae72332cc7f9ede56986167920cd65



973b44c741b1e12417e6a99a806b519b1fb2a1095d2931c154d10a92fabcb01b



65faccff1bd94971f57d4ab74662a11e0de5e9b84c64db56c2290b419c2ad59b



759e28b5e743ef6368816dafb62507ba7133cdbb38853e21ff98964aa3c0d454



1357aed783ad4b524540bcf99d980eaeac3aa21357b696b32c412ee44b925eab



ebca811f9da30028f61da7eb4e4d842eec9558a0c0b9e6c172c70095cbc8f4b9



37f72d7cc30ac6952775a5972e510e0f2e0163b11ac7dea1e4dc0449dd8e633a



3476601196502ae5aacb48ab2a6b0b1089100c0761f563c2cdb86861bc18798d



6cccc777cf4eeebb2a17f4d13732f5dfeb0f6dbf50e6b96c743f101c481a44b6



8dabf008e15a4822e0a34b1a998ce3522194128dffbab0401320c6fd21fa97df



c02e920086d41efee570ff2aa367640d63394f1ef86bffb1ced03aafa9bebf4b



8458c1237cd94a1446468c7d615df01af8ef3ffc14c1033efeb61118bf4bd3b4



3b5d15ed72a7aaf60ee447fade02e82e333e09c84ccd7ceca3b3594702da0c52



70b3d99e5a06e20095f2919783b8afd9077e5a9a6aed92236605d69bcf424316



2f255e9658e381d9c02499c30dcb07af2c7f5691fd6e5afd8ef35f3d284429f7



cb346f5850a116273a9a6fc0430d99e2b2d3a1f92a1742242499d67728efba1d



779bc4fda3638f8adfba674f096475dc4e663fb45c962b5120b9c285dac87fe2



71f6c61bc2314ab899d3e79ffe0cf9434106ae29f760a5e076dbf826a7dfda7e



4847e2d370b72b717e85f289bf9daf22a39906fa99cedc8cda584a775ba571fb



0cebb8519e93f4177b4ab6d82f59643de9940ac6acdd284c3c1f23019f203120



ae1b4b92fd179336c88340771c8c16492b6b3f80030735d770dafeef2558861a



43ec23f5477e218b33003603458503d469804ab5a05ee97541402a2b7255627a



23416440ae258c4a472c5c3c07bf7659190168277f8483dcd84d24fbcb83bbd4



78ab98c5b5ead97ff7d245b9603bb5edc4d59d379e492049a3a958a8e48cb945



1fa58cb939e9b5d0f7f0d5c78b437f62f182b5d3658e59729fda2f28eb8746da



29122127b97c0810a564fe16d87faaa9c931e0e48ecd63271af86385a652baca



ae9aad29ad8bf58206a14b791b0ab0c842d745495762bf3fe092ce3be1f7fb0e



dc0cb777651c14ef9e44cad759ce2a9688872e56d241352e23a3ab3443b03f07



15f4e20fb7971cbd61a7ba4f6ca0582286ff7ca332c17b7c5eef0c023f40bab0



1f8ceb6cd9e01bfe384378c5ea66de52674e188103f5e438a6029680c0b3180f



2e00197cd4b002cf65fc588be7c31b0b6c46f320885eddd6b7d71c8d2f98b36b



3f321b0d86d3af5f72c328b445c07c9c423b47ee3faa89bd413fdd5486019a0f



2d41e76e3200255d7a11e43c6b826bef6a91cabf451c66b3b36d6826cd56fb46



eb5dfd6a133128a5d2c7183940639ead5e3aa33aa5ba581ce8d91ee113e4931f



8466c3b28b913e7e965b083b8a3174fbe12b76ed5e9f7d4d929a51cb660e326b



b1ed4acd9128d49b5a619e8607cac13b33a8743e717a937c9ee9e6d963375867



af766ba5f46115470242fa6033f4f4ba85c82b6d5a001ebfee8482e51d793e1d
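As an added example (not code from Bitsight or GBHackers), the script below turns the behaviours described in the article (the previewer.exe switches, the ContentDWSvc service and install path, the s.dat infection marker, the PDF download from datasheet[.]fun, and the 1074/TCP backconnect session) together with a few hashes from the IOC list above into a small hunting routine over host telemetry. The event schema (event_type, image, command_line, service_name, path, sha256, url, dst_port, proto) and the sample events are assumptions constructed for this example; map them onto whatever your EDR or Sysmon export actually emits.

```python
"""Hunt for Socks5Systemz artefacts in host telemetry.

Added example, not code from Bitsight or GBHackers.  The event dicts and
their field names are an assumed EDR/Sysmon-style schema, and the sample
events at the bottom are constructed for this example.
"""
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# SHA-256 values copied from the article's IOC list (a subset, for brevity).
KNOWN_SHA256 = {
    "fee88318e738b160cae22f6c0f16c634fd16dbf11b9fb93df5d380b6427ac18f",  # proxy bot payload
    "dc262539467bf34e5059686955d6567efadd8e21c76be51eba94737d8c326720",  # proxy bot loader
    "78efcbb0c6eb6a4c76c036adc65154b8ff028849f79d508e45babfb527cb7cfe",  # packed dropper
}

# Behavioural indicators from the write-up; all comparisons are case-insensitive.
LOADER_IMAGE = "previewer.exe"
LOADER_SWITCHES = {"/chk", "-i", "-s"}
SERVICE_NAME = "contentdwsvc"
LOADER_INSTALL_PATH = r"c:\programdata\contentdwsvc\contentdwsvc.exe"
INFECTION_MARKER = r"c:\programdata\s.dat"
TELEMETRY_HOST = "datasheet.fun"
TELEMETRY_PATH = "/manual/avon_4_2022.pdf"
BACKCONNECT_PORT = 1074
# Findings strong enough to call the host infected on their own.
STRONG_FINDINGS = {"known_sample_hash", "persistence_service", "persistence_file",
                   "infection_marker", "loader_invoked", "telemetry_pdf_download"}


def classify(event: Dict) -> Optional[str]:
    """Return a finding label for one telemetry event, or None if nothing matched."""
    kind = event.get("event_type")
    if kind == "process_create":
        image = event.get("image", "").lower()
        argv = event.get("command_line", "").split()
        switches = {a.lower() for a in argv[1:]} & LOADER_SWITCHES
        if image.endswith(LOADER_IMAGE) and switches:
            return "loader_invoked:" + ",".join(sorted(switches))
    elif kind == "service_create":
        if event.get("service_name", "").lower() == SERVICE_NAME:
            return "persistence_service"
    elif kind == "file_create":
        if event.get("sha256", "").lower() in KNOWN_SHA256:
            return "known_sample_hash"
        path = event.get("path", "").lower()
        if path == LOADER_INSTALL_PATH:
            return "persistence_file"
        if path == INFECTION_MARKER:
            return "infection_marker"
    elif kind == "http_request":
        parts = urlsplit(event.get("url", ""))
        if parts.hostname == TELEMETRY_HOST and parts.path == TELEMETRY_PATH:
            return "telemetry_pdf_download"
    elif kind == "network_connect":
        # Port 1074/TCP alone is a weak signal; verdict() treats it as corroboration only.
        if event.get("proto") == "tcp" and event.get("dst_port") == BACKCONNECT_PORT:
            return "backconnect_port_1074"
    return None


def hunt(events: List[Dict]) -> List[Tuple[int, str]]:
    """Run classify() over a telemetry stream; returns (event index, label) pairs."""
    findings = []
    for index, event in enumerate(events):
        label = classify(event)
        if label is not None:
            findings.append((index, label))
    return findings


def verdict(findings: List[Tuple[int, str]]) -> str:
    """Roll findings up: strong host artefacts decide, port 1074 alone is only suspicious."""
    labels = {label.split(":", 1)[0] for _, label in findings}
    if labels & STRONG_FINDINGS:
        return "infected"
    if "backconnect_port_1074" in labels:
        return "suspicious"
    return "clean"


# Constructed sample telemetry mirroring the infection chain in the article.
SAMPLE_EVENTS = [
    {"event_type": "process_create", "image": r"C:\Users\alice\AppData\Local\Temp\previewer.exe",
     "command_line": "previewer.exe -i"},
    {"event_type": "service_create", "service_name": "ContentDWSvc",
     "image_path": r"C:\ProgramData\ContentDWSvc\ContentDWSvc.exe"},
    {"event_type": "file_create", "path": r"C:\ProgramData\ContentDWSvc\ContentDWSvc.exe",
     "sha256": "dc262539467bf34e5059686955d6567efadd8e21c76be51eba94737d8c326720"},
    {"event_type": "file_create", "path": r"C:\ProgramData\s.dat"},
    {"event_type": "http_request", "url": "http://datasheet.fun/manual/avon_4_2022.pdf?1698000000"},
    {"event_type": "network_connect", "dst_ip": "203.0.113.10", "dst_port": 1074, "proto": "tcp"},
    {"event_type": "process_create", "image": r"C:\Windows\explorer.exe", "command_line": "explorer.exe"},
    {"event_type": "network_connect", "dst_ip": "203.0.113.20", "dst_port": 443, "proto": "tcp"},
]

if __name__ == "__main__":
    found = hunt(SAMPLE_EVENTS)
    for index, label in found:
        print(f"event {index}: {label}")
    print("verdict:", verdict(found))
```

The hash check runs before the path check in file_create events so that a known sample written to an unexpected location (for instance the GoogleUpdate.exe fallback the article mentions) is still caught, and the network rule is deliberately kept out of the "infected" set: a bare connection to 1074/TCP should raise a ticket for corroboration, not a verdict.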
The post Socks5Systemz Proxy Hacked 10,000+ Systems World Wide appeared first on GBHackers on Security.