The Socks5Systemz botnet has been implicated in fueling the operations of an illegal proxy service known as PROXY.AM, according to new insights shared by Bitsight.
“Proxy malware and associated services amplify cybercriminal activity by providing anonymous layers of connectivity, enabling malicious actors to leverage chains of victim systems for their nefarious purposes,” Bitsight’s security researchers explained in a comprehensive analysis published recently.
This revelation comes on the heels of findings from Black Lotus Labs at Lumen Technologies, which disclosed that another malware variant, Ngioweb, has been commandeering compromised systems to function as residential proxies for NSOCKS.
A Decade-Long Threat
Initially emerging in underground cybercrime circles as early as March 2013, Socks5Systemz was first documented by Bitsight as a tool used in distributing malicious payloads such as PrivateLoader, SmokeLoader, and Amadey. Its primary function involves converting infected systems into proxy exit nodes, marketed to cybercriminals seeking to obfuscate the origins of their attacks.
The illegal proxy network has operated since 2016, with its highest infection rates observed in countries such as India, Indonesia, Ukraine, Algeria, Vietnam, Russia, and several others, including the United States.
Botnet Scale and Evolution
At its peak in early 2024, the botnet reportedly averaged 250,000 daily infections; more recent figures put the number of compromised devices between 85,000 and 100,000. As of now, PROXY.AM advertises access to 80,888 proxy nodes spanning 31 nations.
Bitsight attributed this reduction to a significant operational setback. “In December 2023, the operators of Socks5Systemz V1 lost control of the infrastructure, forcing them to rebuild the botnet entirely using a new command-and-control system, now referred to as Socks5Systemz V2,” the research team noted.
To address this disruption, the botnet’s operators deployed fresh malware campaigns using loaders like PrivateLoader, SmokeLoader, and Amadey to replace outdated infections with updated payloads.
Monetizing Cybercrime
PROXY.AM, accessible via domains such as proxy[.]am and proxyam[.]one, markets its services as “elite, private, and anonymous proxy servers.” Subscription prices range from $126/month for an “Unlimited Pack” to $700/month for the premium “VIP Pack.”
Broader Context of Cybercriminal Activity
These findings align with a broader trend of threat actors exploiting system vulnerabilities. For instance, a recent Trend Micro report highlighted how the Gafgyt botnet malware has targeted misconfigured Docker Remote API servers to launch distributed denial-of-service (DDoS) attacks. While traditionally focused on exploiting IoT devices, Gafgyt has expanded its scope to compromise weak SSH passwords and vulnerable Docker environments.
“Attackers have been observed leveraging exposed Docker Remote APIs to deploy Gafgyt malware through Docker containers created using legitimate ‘alpine’ images,” said Sunil Bharti, a Trend Micro security researcher.
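The misconfiguration behind the Gafgyt campaign described above is a Docker daemon whose Remote API listens on a TCP socket without client authentication. The following audit script is an added example written for this article; it is not code from Bitsight, Trend Micro, or the Docker project. It parses a dockerd command line or a daemon.json file for -H/--host listeners and the TLS flags, then rates each listener: a unix or fd socket is governed by file permissions, a tcp listener with --tlsverify requires a client certificate, --tls alone only encrypts the channel, and an unauthenticated tcp listener bound beyond loopback is the exposure the report warns about. All sample inputs are constructed for illustration.

```python
import json
import shlex
from typing import Dict, List
from urllib.parse import urlsplit

# Constructed sample inputs (hypothetical hosts, not taken from the report).
# dockerd refuses to start if "hosts" is set both on the command line and in
# daemon.json, so each source is parsed on its own and audited separately.
SAMPLE_CMDLINE = "dockerd -H unix:///var/run/docker.sock -H tcp://0.0.0.0:2375"
SAMPLE_DAEMON_JSON = (
    '{"hosts": ["tcp://0.0.0.0:2376"], "tlsverify": true, '
    '"tlscacert": "/etc/docker/ca.pem"}'
)

LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def parse_dockerd_cmdline(cmdline: str) -> Dict:
    """Extract listeners (-H/--host) and TLS flags from a dockerd command line."""
    args = shlex.split(cmdline)
    hosts: List[str] = []
    tls = tlsverify = False
    i = 0
    while i < len(args):
        a = args[i]
        if a in ("-H", "--host") and i + 1 < len(args):
            hosts.append(args[i + 1])
            i += 2
            continue
        if a.startswith(("-H=", "--host=")):
            hosts.append(a.split("=", 1)[1])
        elif a in ("--tls", "--tls=true"):
            tls = True
        elif a in ("--tlsverify", "--tlsverify=true"):
            tlsverify = True
        i += 1
    return {"hosts": hosts, "tls": tls, "tlsverify": tlsverify}


def parse_daemon_json(text: str) -> Dict:
    """Extract the same fields from the content of /etc/docker/daemon.json."""
    cfg = json.loads(text) if text.strip() else {}
    return {
        "hosts": list(cfg.get("hosts", [])),
        "tls": bool(cfg.get("tls", False)),
        "tlsverify": bool(cfg.get("tlsverify", False)),
    }


def audit_listeners(settings: Dict) -> List[Dict]:
    """Rate every listener; one finding per host, worst case 'critical'."""
    findings = []
    tls, tlsverify = settings["tls"], settings["tlsverify"]
    for h in settings["hosts"]:
        scheme = h.split("://", 1)[0].lower()
        if scheme in ("unix", "fd", "npipe"):
            findings.append({"host": h, "severity": "ok",
                             "reason": "local socket; access governed by filesystem permissions"})
            continue
        if scheme != "tcp":
            findings.append({"host": h, "severity": "unknown", "reason": "unrecognised scheme"})
            continue
        # An empty bind address ("tcp://:2375") means all interfaces.
        bind = urlsplit(h).hostname or ""
        if tlsverify:
            sev, why = "ok", "TCP listener requires client certificates (--tlsverify)"
        elif tls:
            sev, why = "high", "--tls alone encrypts the channel but does not authenticate clients"
        elif bind in LOOPBACK:
            sev, why = "medium", "unauthenticated API bound to loopback only"
        else:
            sev, why = "critical", "unauthenticated Docker Remote API reachable from the network"
        findings.append({"host": h, "severity": sev, "reason": why})
    return findings


def worst_severity(findings: List[Dict]) -> str:
    """Collapse a finding list to the single most serious rating."""
    order = ["ok", "unknown", "medium", "high", "critical"]
    return max((f["severity"] for f in findings), key=order.index, default="ok")


if __name__ == "__main__":
    for label, settings in (("cmdline", parse_dockerd_cmdline(SAMPLE_CMDLINE)),
                            ("daemon.json", parse_daemon_json(SAMPLE_DAEMON_JSON))):
        findings = audit_listeners(settings)
        print(f"[{label}] worst={worst_severity(findings)}")
        for f in findings:
            print(f"  {f['severity']:8s} {f['host']}: {f['reason']}")
```

Run it against the output of `ps -o args= -C dockerd` and the contents of /etc/docker/daemon.json on each host; any "critical" finding is a daemon that accepts container-creation requests from anyone who can reach the port, which is the condition Trend Micro describes being used to launch alpine-based containers.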
Misconfigurations as an Attack Vector
Cloud misconfigurations continue to provide fertile ground for cybercriminals. In many cases, such misconfigurations facilitate activities like cryptocurrency mining, data theft, and the conscription of cloud systems into botnets for DDoS attacks.
An empirical study conducted by researchers from Leiden University and TU Delft identified 215 exposed instances containing sensitive credentials. These vulnerabilities could enable unauthorized access to databases, cloud infrastructures, and third-party APIs. The majority of the exposed systems were concentrated in countries like the United States, India, Australia, Great Britain, and Brazil, affecting industries ranging from IT and finance to healthcare and education.
A Call for Vigilance
“The findings underscore the urgent need for improved system management and proactive oversight to curb data breaches,” stated the Modat Team. “Leaking sensitive credentials could lead to catastrophic outcomes, including total compromise of organizational security frameworks and unauthorized infiltration of protected cloud environments.”
As botnets like Socks5Systemz evolve and expand their reach, the spotlight falls on the necessity for robust defenses and vigilant cybersecurity practices to mitigate their impact on global digital ecosystems.