Full Report
A malicious botnet called Socks5Systemz is powering a proxy service called PROXY.AM, according to new findings from Bitsight. "Proxy malware and services enable other types of criminal activity adding uncontrolled layers of anonymity to the threat actors, so they can perform all kinds of malicious activity using chains of victim systems," the company's security research team said in an analysis
Analysis Summary
This summary focuses on the malware and techniques described explicitly concerning **Socks5Systemz**, as the provided text also discusses Ngioweb, Gafgyt, and general cloud misconfigurations, which are separate subjects.
# Tool/Technique: Socks5Systemz Botnet
## Overview
Socks5Systemz is a malicious botnet that maintains a proxy service known as PROXY.AM. Its primary function is to compromise systems and turn them into anonymizing proxy exit nodes for use by other cybercriminals seeking to obscure the origin of their attacks. It has been in operation since at least 2016 and was recently rebuilt (V2) after the threat actor lost control of V1.
## Technical Details
- Type: Malware (Botnet)
- Platform: Not explicitly stated, but botnet operations imply Windows, Linux, or IoT devices commonly used as proxy nodes.
- Capabilities: Turning compromised hosts into anonymous SOCKS proxy exit nodes for sale/lease.
- First Seen: Advertised in cybercrime underground since March 2013; documented proxy service operating since 2016.
## MITRE ATT&CK Mapping
Since the description focuses on the *result* (proxy service) rather than specific attack execution steps, the most relevant high-level mapping relates to C2 and interaction:
- **TA0011 - Command and Control**
  - T1071 - Application Layer Protocol
    - T1071.004 - Application Layer Protocol: Custom Protocol (Implied for botnet communication)
- **TA0008 - Lateral Movement** (If the proxy is used for internal network pivoting)
  - T1090 - Proxy
    - T1090.003 - Proxy: Multi-hop Proxy
## Functionality
### Core Capabilities
- Establishing compromised machines as proxy exit nodes for layering anonymity over criminal activities.
- Selling access to these proxies via services like PROXY.AM, offering "elite, private, and anonymous proxy servers."
### Advanced Features
- **Botnet persistence:** Socks5Systemz is often dropped by loaders (PrivateLoader, SmokeLoader, Amadey), ensuring continued infection even if initial delivery vectors change.
- **Infrastructure Rebuilding:** The operators successfully rebuilt and redeployed the botnet (V2) after losing control of V1 infrastructure in December 2023.
## Indicators of Compromise
- File Hashes: N/A (Not provided in the text)
- File Names: N/A (Not provided in the text)
- Registry Keys: N/A (Not provided in the text)
- Network Indicators: PROXY.AM domains/servers used for advertising: `proxy[.]am`, `proxyam[.]one` (Defanged)
- Behavioral Indicators: An active SOCKS proxy listener on a non-standard port, and a high volume of outbound connections to unrelated destinations originating from residential IP addresses that would not normally generate such traffic.
## Associated Threat Actors
- Unspecified threat actors utilizing the PROXY.AM service to hide their activities.
- Previously associated with malware distribution chains involving **PrivateLoader**, **SmokeLoader**, and **Amadey**.
## Detection Methods
- Signature-based detection: N/A (Specific signatures not provided)
- Behavioral detection: Monitoring for unexplained SOCKS proxy activity on endpoints, especially hosts on residential IP space.
- YARA rules: N/A (Not provided in the text)
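The behavioral indicator above (a host accepting unrelated external clients on a non-standard port and then fanning out to many destinations) can be turned into a simple flow-log heuristic. The following is an added example, not code from the Bitsight report; the flow format, the `10.0.0.0/8` internal range and the sample records are all constructed for illustration.

```python
from collections import defaultdict
import ipaddress
# Constructed sample flow records (not from the report): "<src>:<port> -> <dst>:<port>".
SAMPLE_FLOWS = """\
198.51.100.7:51112 -> 10.0.0.5:2145
203.0.113.9:40233 -> 10.0.0.5:2145
198.51.100.31:60001 -> 10.0.0.5:2145
10.0.0.5:41001 -> 93.184.216.34:443
10.0.0.5:41002 -> 104.16.0.10:443
10.0.0.5:41003 -> 172.217.0.46:80
10.0.0.5:41004 -> 151.101.1.69:443
203.0.113.9:40234 -> 10.0.0.8:443
"""
LOCAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed internal range
SERVICE_PORTS = {22, 25, 80, 443, 3389}          # ports a legitimate server may expose

def parse_flows(text):
    # Parse the constructed flow format into (src_ip, src_port, dst_ip, dst_port).
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst = (part.strip() for part in line.split("->"))
        src_ip, src_port = src.rsplit(":", 1)
        dst_ip, dst_port = dst.rsplit(":", 1)
        flows.append((src_ip, int(src_port), dst_ip, int(dst_port)))
    return flows

def is_local(ip):
    return ipaddress.ip_address(ip) in LOCAL_NET

def find_proxy_candidates(flows, min_clients=3, min_fanout=3):
    """Flag internal hosts that accept many unrelated external clients on a
    non-service port and fan out to many distinct external destinations:
    the traffic shape of a SOCKS exit node relaying someone else's sessions."""
    inbound = defaultdict(lambda: defaultdict(set))  # host -> port -> {client IPs}
    outbound = defaultdict(set)                      # host -> {external dst IPs}
    for src_ip, _, dst_ip, dst_port in flows:
        if is_local(dst_ip) and not is_local(src_ip):
            inbound[dst_ip][dst_port].add(src_ip)
        elif is_local(src_ip) and not is_local(dst_ip):
            outbound[src_ip].add(dst_ip)
    findings = {}
    for host, ports in inbound.items():
        for port, clients in ports.items():
            if port in SERVICE_PORTS:
                continue  # ordinary server traffic, not a hidden proxy listener
            if len(clients) >= min_clients and len(outbound[host]) >= min_fanout:
                findings[host] = {"listen_port": port, "clients": len(clients), "fanout": len(outbound[host])}
    return findings
```

On the sample records only `10.0.0.5` is flagged: it takes three external clients on port 2145 and relays to four distinct destinations, while `10.0.0.8` serves a normal port and is ignored. Thresholds should be tuned to the environment's baseline before this is used for alerting.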
## Mitigation Strategies
- **Loader Mitigation:** Deploying robust endpoint protection capable of detecting and blocking PrivateLoader, SmokeLoader, and Amadey activity.
- **Network Monitoring:** Identifying unusual outbound connections initiated by endpoints that are functioning as proxy servers.
- **Vigilant System Administration:** Regularly auditing systems to ensure they are not co-opted into third-party botnets or proxy services.
## Related Tools/Techniques
- **Ngioweb:** Another residential proxy botnet mentioned in the context.
- **PrivateLoader, SmokeLoader, Amadey:** Malware known to deploy Socks5Systemz.
- **Gafgyt:** Mentioned in the text as a separate botnet targeting Docker misconfigurations, illustrating the general trend of abusing compromised systems for criminal infrastructure.