A malicious botnet known as Socks5Systemz has been exposed as the driving force behind an illegal proxy service called PROXY.AM, according to a new report from cybersecurity firm Bitsight.
Socks5Systemz: Anonymity Through Victim Systems
Proxy malware like Socks5Systemz enables cybercriminals to hide their activities by creating layers of anonymity using compromised systems. Bitsight's security team explained that such services empower threat actors to conduct various malicious actions with minimal risk of detection.
The revelation follows recent findings from Lumen Technologies' Black Lotus Labs, which disclosed that another malware, Ngioweb, has been abusing compromised systems as residential proxies for the NSOCKS platform.
A Longstanding Threat in Cybercrime
Socks5Systemz has been active in the cybercrime underground since March 2013. It has been linked to malicious activities involving PrivateLoader, SmokeLoader, and Amadey malware, and its primary purpose is to turn infected systems into proxy exit nodes. These nodes are then marketed to cybercriminals seeking anonymity for their attacks.
Operating since 2016, PROXY.AM advertises itself as offering "elite, private, and anonymous proxy servers" at prices ranging from $126/month (Unlimited Pack) to $700/month (VIP Pack).
Global Impact of Socks5Systemz
The botnet has primarily infected systems in countries like:
- India, Indonesia, Ukraine, Algeria, Vietnam, Russia, Turkey
- Brazil, Mexico, Pakistan, Thailand, the Philippines, Colombia
- Egypt, the United States, Argentina, Bangladesh, Morocco, and Nigeria
By January 2024, the botnet had grown to an estimated 250,000 compromised machines daily. However, due to a disruption in December 2023, the botnet's size dropped to approximately 85,000–100,000 nodes. Bitsight attributed this decline to the loss of the original Socks5Systemz V1 infrastructure and the subsequent rebuilding of a new network, dubbed Socks5Systemz V2.
The malware's distributors, including PrivateLoader, SmokeLoader, and Amadey, launched new campaigns to replace outdated infections with updated payloads.
Emerging Threats in Cloud Security
The Socks5Systemz discovery coincides with a report from Trend Micro highlighting a surge in Docker Remote API server attacks using the Gafgyt botnet malware. Threat actors exploit misconfigured Docker servers to deploy malware, conduct distributed denial-of-service (DDoS) attacks, and compromise IoT devices.
Security researcher Sunil Bharti noted that attackers are leveraging exposed Docker servers to create containers based on legitimate images like "alpine," deploying malware to expand their botnet.
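The abuse described above depends on a Docker daemon whose Remote API is reachable without authentication. The following Python script is an added example (not code from the Trend Micro report or from Docker) showing two defender-side checks: whether a daemon.json opens a plain TCP listener without TLS client verification, and whether a `docker inspect` record shows the traits such API-created containers tend to have (a public base image like "alpine" combined with host-level privileges). The image watchlist, the sensitive-path list and the sample records are assumptions constructed for the example.

```python
"""Defender-side audit for exposed Docker Remote API abuse.

Two checks, both run here against constructed sample data shaped like real inputs:
  1. daemon_exposure_findings(): does /etc/docker/daemon.json open a plain TCP
     listener without tlsverify?
  2. container_risk(): does a `docker inspect` record show the traits of a
     container started through an unauthenticated API?
"""
import json

# Assumed watchlist of public base images that rarely run as bare containers
# in production; tune to the environment (not from the report).
WATCHED_BASE_IMAGES = {"alpine", "busybox", "ubuntu"}

# Host paths whose bind-mount into a container amounts to host access.
SENSITIVE_HOST_PATHS = {"/", "/etc", "/root", "/var/run/docker.sock"}


def daemon_exposure_findings(daemon_json: str) -> list[str]:
    """Return human-readable findings for a daemon.json document."""
    cfg = json.loads(daemon_json)
    findings = []
    for host in cfg.get("hosts", []):
        if not host.startswith("tcp://"):
            continue  # unix sockets are local-only
        if not cfg.get("tlsverify"):
            findings.append(f"{host}: TCP listener without tlsverify (unauthenticated API)")
        if "0.0.0.0" in host or host.startswith("tcp://:"):
            findings.append(f"{host}: bound to all interfaces")
    return findings


def container_risk(record: dict) -> tuple[int, list[str]]:
    """Count abuse indicators in one `docker inspect` record."""
    reasons = []
    image = record.get("Config", {}).get("Image", "")
    # strip registry path, digest and tag to get the bare image name
    base = image.split("/")[-1].split("@")[0].split(":")[0]
    if base in WATCHED_BASE_IMAGES:
        reasons.append(f"public base image {image!r}")
    host_cfg = record.get("HostConfig", {})
    if host_cfg.get("Privileged"):
        reasons.append("privileged container")
    if host_cfg.get("NetworkMode") == "host":
        reasons.append("host network namespace")
    for bind in host_cfg.get("Binds") or []:
        src = bind.split(":")[0]
        if src in SENSITIVE_HOST_PATHS:
            reasons.append(f"sensitive host path mounted: {src}")
    return len(reasons), reasons


def triage(records: list[dict]) -> list[tuple[str, int]]:
    """Container names ordered by indicator count, highest first; zeros dropped."""
    scored = [(r.get("Name", "?").lstrip("/"), container_risk(r)[0]) for r in records]
    return sorted(((n, s) for n, s in scored if s > 0), key=lambda t: -t[1])


# Constructed samples; "hosts" and "tlsverify" are real daemon.json keys.
EXPOSED_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
HARDENED_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock"]}'

SAMPLE_CONTAINERS = [
    {  # constructed: the shape an API-created abuse container tends to have
        "Name": "/elegant_hopper",
        "Config": {"Image": "alpine:latest"},
        "HostConfig": {"Privileged": True, "NetworkMode": "host", "Binds": ["/:/mnt"]},
    },
    {  # constructed: an ordinary workload
        "Name": "/web-1",
        "Config": {"Image": "registry.internal/web:1.4"},
        "HostConfig": {"Privileged": False, "NetworkMode": "bridge", "Binds": ["/srv/web:/data:ro"]},
    },
]

if __name__ == "__main__":
    for line in daemon_exposure_findings(EXPOSED_DAEMON_JSON):
        print("daemon:", line)
    for name, score in triage(SAMPLE_CONTAINERS):
        print(f"container {name}: {score} indicator(s)")
```

On a live host the same functions can be fed the real `daemon.json` and the JSON from `docker inspect $(docker ps -aq)`; a container built from a bare public image with host networking and a root bind-mount is exactly the pattern worth alerting on, and a TCP listener without `tlsverify` should be removed rather than merely firewalled.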
Cloud Misconfigurations: A Persistent Risk
A separate study by researchers from Leiden University and TU Delft revealed over 215 instances of sensitive credentials exposed through misconfigured cloud systems. These vulnerabilities provide unauthorized access to:
- Databases
- Cloud infrastructures
- Third-party APIs
The affected instances span industries such as IT, finance, education, and healthcare, with the highest concentrations in countries like the U.S., India, Australia, and Brazil.
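Credential exposure of the kind the Leiden/TU Delft study counts is usually a secret sitting in a readable file. The following Python script is an added example (not from the study and not a specific tool's code) of the scanning logic a defender runs over configuration files pulled from cloud storage or repositories: fixed-format keys are matched by pattern, private-key blocks by their header, and generic `password=`/`token=` assignments are kept only when the value looks like a real secret rather than a template placeholder. The sample file is constructed; the AWS key in it is the placeholder value from AWS's own documentation.

```python
"""Scan configuration text for exposed credentials, reporting redacted findings."""
import math
import re
from collections import Counter

# (name, pattern, group holding the secret value; 0 = whole match)
PATTERNS = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b"), 0),
    ("private_key_block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"), 0),
    ("assignment_secret",
     re.compile(r"(?i)(?:password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]?([^\s'\"]+)"), 1),
]


def shannon_entropy(value: str) -> float:
    """Bits per character; random-looking secrets score well above plain words."""
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in Counter(value).values())


def looks_like_secret(value: str) -> bool:
    """Reject template placeholders, then require length or entropy typical of a real secret."""
    if value.startswith(("${", "{{", "<")):
        return False
    return len(value) >= 12 or shannon_entropy(value) >= 3.5


def redact(value: str) -> str:
    """Keep a short prefix so the finding can be located without echoing the secret."""
    return value[:4] + "*" * (len(value) - 4)


def scan_text(text: str) -> list[dict]:
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern, group in PATTERNS:
            m = pattern.search(line)
            if not m:
                continue
            value = m.group(group)
            if name == "assignment_secret" and not looks_like_secret(value):
                continue
            # a private-key header is not itself sensitive, so report it verbatim
            shown = value if name == "private_key_block" else redact(value)
            findings.append({"line": lineno, "kind": name, "value": shown})
    return findings


# Constructed sample modelled on an .env file left readable in object storage.
# The AKIA... value is the example key from AWS documentation, not a live key.
SAMPLE_CONFIG = """\
# constructed sample, modelled on an .env file left readable in object storage
DB_HOST=db.internal
DB_PASSWORD=s3cr3t-Tr0ub4dor-9x!
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
API_TOKEN=${API_TOKEN}
SMTP_PASSWORD=<redacted>
-----BEGIN RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_CONFIG):
        print(f"line {f['line']}: {f['kind']} -> {f['value']}")
```

Lines 5 and 6 of the sample are deliberately not reported: `${API_TOKEN}` and `<redacted>` are placeholders, and a scanner that flags them drowns real findings in noise. Point `scan_text` at each object retrieved from a storage-bucket listing or a repository checkout, and treat every hit as a credential to rotate, not just a file to delete.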
Call for Action
These findings underscore the critical need for stronger security measures, including:
- Improved system administration practices
- Rigorous oversight to mitigate data leaks
- Regular updates to prevent vulnerabilities
The consequences of such lapses can be severe, ranging from complete compromise of an organization's security infrastructure to infiltration of cloud systems.
Conclusion
The Socks5Systemz botnet and other malware campaigns highlight the evolving tactics of cybercriminals targeting vulnerable systems. Businesses and individuals must remain vigilant, ensure proper security configurations, and implement robust defenses to mitigate these threats.
As cybersecurity threats grow increasingly sophisticated, the need for proactive measures cannot be overstated. Stay informed, stay secure.