Cybersecurity researchers from BitSight have uncovered a proxy botnet called Socks5Systemz, which has been operating since at least 2016 and has remained relatively under the radar. This proxy botnet is delivered through the PrivateLoader and Amadey loaders. It is named after the consistent login panel found on all the Command and Control (C2) servers.
What is Socks5Systemz?
The Socks5Systemz botnet offers traffic-forwarding proxies for illicit purposes, charging prices ranging from $1 to $140 per day in cryptocurrency. It has infected approximately 10,000 systems, with a notable absence of infected systems in Russia.
Infection and Persistence
The botnet’s samples are distributed via PrivateLoader and Amadey and execute a file named “previewer.exe.” This file establishes persistence and injects the proxy bot into memory. The loader ensures persistence by creating a Windows service with the name and display name set to “ContentDWSvc.” To avoid detection and enhance resistance to takedown, the proxy bot employs a domain generation algorithm (DGA).
A crucial command used by Socks5Systemz is the “connect” command. This command instructs the bot to establish a session with a backconnect server on port 1074/TCP. Once the session is established, the bot functions as a proxy. Clients need to know the backconnect server’s IP address, the TCP port assigned to the infected system, and have the correct login credentials to use the proxy.
Researchers have identified at least 53 servers used by the botnet, all located in Europe, spanning countries like France, Bulgaria, Netherlands, and Sweden. The top 10 most affected countries by Socks5Systemz include India, Brazil, Colombia, South Africa, Bangladesh, Argentina, Angola, the United States, Suriname, and Nigeria.
The threat actors behind the Socks5Systemz botnet offer two subscription plans: ‘Standard’ and ‘VIP.’ Customers can make payments using the Cryptomus Crypto Payment Gateway at cryptomus.com.
Socks5Systemz represents an ongoing challenge for cybersecurity experts, and its use of proxies for illicit purposes highlights the need for constant vigilance in the battle against evolving cyber threats.
By uncovering and analyzing the tactics and techniques employed by botnets like Socks5Systemz, researchers can develop countermeasures to protect users and organizations from these malicious activities.
Removal Guide for Socks5Systemz Botnet
If you suspect that your device has been infected by the Socks5Systemz botnet, it’s crucial to take immediate action to remove the threat and secure your system. Follow these steps to remove Socks5Systemz from your computer:
Step 1: Isolate Infected Devices
- If you have identified an infected device in your network, isolate it from the rest of your devices to prevent further spread of the infection.
Step 2: Disconnect from the Internet
- Temporarily disconnect the infected device from the internet to prevent any further communication with the botnet’s Command and Control servers.
Step 3: Run a Full System Scan
- Use a reputable and up-to-date antivirus or anti-malware software to perform a full system scan on the infected device. Ensure that the security software is capable of detecting and removing botnet-related malware.
Step 4: Follow Software Recommendations
- Follow the recommendations provided by your security software to quarantine or remove any identified threats related to the Socks5Systemz botnet. This may involve deleting or isolating malicious files and processes.
Step 5: Update Operating System and Software
- Make sure your operating system and all installed software are up to date with the latest security patches and updates. Botnets often exploit vulnerabilities in outdated software.
Step 6: Change Passwords
- After removing the botnet, change passwords for all your online accounts, including email, social media, and banking, to prevent unauthorized access to your accounts.
Step 7: Secure Your Network
- Review your network security settings and consider enhancing your network’s security measures. Ensure your firewall is active, and update router firmware if needed.
Step 8: Educate Users
- If the infected device is part of a larger network, educate users on the importance of cybersecurity best practices to prevent future infections.
Step 9: Monitor for Unusual Activity
- Continuously monitor your network for any unusual or suspicious activity that may indicate a re-infection by the botnet.
Step 10: Consult a Professional
- If you are unsure about the removal process or suspect that your device’s security may have been compromised, consider consulting a cybersecurity professional or your organization’s IT department for assistance.
Remember that botnet infections can be complex, and removing them may require expertise. Prevention through regular software updates, strong passwords, and safe online practices is key to avoiding future infections.
By following these steps and staying vigilant, you can effectively remove the Socks5Systemz botnet from your device and take measures to prevent future infections.
The emergence of the Socks5Systemz proxy botnet highlights the ever-evolving landscape of cyber threats and the adaptability of malicious actors. Operating under the radar for years, this botnet has infected thousands of devices and is actively providing traffic-forwarding proxies for illicit purposes, generating significant profits for its operators.
As cybersecurity experts and organizations work to identify and counter such threats, it’s clear that the battle against cybercriminals is ongoing and requires constant vigilance. The Socks5Systemz botnet serves as a reminder of the need for robust security measures, regular updates, and user education to protect against evolving cyber threats.
Removing the Socks5Systemz botnet from infected devices is essential, and a comprehensive removal guide has been provided to assist users in this process. However, prevention remains the most effective strategy against botnet infections, and users should prioritize cybersecurity best practices to safeguard their systems and data.
By staying informed, implementing security measures, and collaborating in the fight against botnets and other cyber threats, individuals and organizations can enhance their digital defenses and contribute to a safer online environment for all.