www.bitsight.com Open in urlscan Pro
2606:4700:10::6816:4bf2  Public Scan

Form analysis
0 forms found in the DOM

Text Content

This website is AudioEye enabled and is being optimized for accessibility. To
open the AudioEye Toolbar, press "shift + =". Some assistive technologies may
require the use of a passthrough function before this keystroke. For more
information, activate the button labeled “Explore your accessibility options”.

Skip to main content


UTILITY

 * Blog
 * Partners
 * Request Demo
 * Chat With Us
 * Login

See Your Rating
Show/Hide Main Menu
 * Products
   
    * Enterprise Security
       * Security Performance Management
       * External Attack Surface Management
       * Cybersecurity Analytics
       * Security Ratings
       * Trust Management Hub NEW
       * SPM Integrations
   
    * Digital Supply Chain
       * Third-Party Risk Management
       * Vendor Risk Management
       * Continuous Monitoring
       * Vulnerability Detection & Response
       * TPRM Integrations
   
    * Cyber Governance & Reporting
       * Cybersecurity Ratings
       * Cybersecurity Regulations
       * Cyber Risk Quantification
   
    * Cybersecurity Data Feed
       * Cyber Data Solutions
   
    * Cyber Underwriting & Risk Control
       * Cyber Insurance
   
    * Professional Services
       * Service Offerings
   
   Free Attack Surface Report
   
   Your attack surface is expanding—know exactly how it looks. Our report gives
   you the insights you need to see your external attack surface.
   
   Receive custom report
 * Solutions
   
   See beyond borders
   
   Bitsight enables risk and security leaders to see beyond the firewall — to
   the vendors and partners, clouds and applications, patches and programs —
   that introduce risk in your digital ecosystem.
   
    * By Use Cases
       * Exposure Management
       * Third-Party Risk Management
       * Reporting and Compliance
       * Cybersecurity Regulations NEW
       * Continuous Monitoring
       * Executive Reporting
       * Supply Chain Visibility
       * Investment Management
       * National Cybersecurity
   
    * By Industry
       * Financial Services
       * Insurance Services
       * Healthcare
       * Government
       * Technology
       * Energy/Utilities
       * Retail
       * Manufacturing
       * Education
   
   Bitsight to Acquire Cyber Threat Intelligence Leader Cybersixgill to Help
   Enterprises to Preempt Cyber Attacks
   
   Read release
 * Why Bitsight
   
   Trust in our data
   
   We combine real-time discovery of networks, assets, and vulnerabilities with
   our AI attribution engine and over 100 security researchers to amass one of
   the largest and mapped risk datasets in the world.
   
    * Why Bitsight
       * Why Bitsight
       * Security Ratings Leader
       * * Trusted Ratings
       * Data & Insights
       * Data Correlation & Studies
       * Data Discovery
       * Data Mapping & Attribution NEW
       * Cyber Data for Capital Markets NEW
   
    * Bitsight TRACE
       * Latest Security Research
       * Meet the Team
   
   Bitsight delivered 297% ROI for security leaders
   
   Forrester Consulting's Total Economic Impact™ Of Bitsight study shows a near
   3x return on investment and material business outcomes for customers.
   
   Download Study
 * Company
   
   Building trust in the digital economy
   
   Bitsight is a cyber risk management leader transforming how companies manage
   exposure, performance, and risk for themselves and their third parties.
   
    * About Us
       * Our Story
       * Our Team
       * Trust Center
       * Diversity & Inclusion
       * Press Releases
       * In the News
   
    * Connect with Us
       * Careers
       * * Open Positions
       * Events
       * Locations
       * Contact Us
   
   Bitsight to Acquire Cyber Threat Intelligence Leader Cybersixgill to Help
   Enterprises to Preempt Cyber Attacks
   
   Read release
 * Resources
   
   Did you know?
   
   More than 60% of Known Exploited Vulnerabilities remain unmitigated past
   deadlines and take, on average, 4.5 months to remediate.
   
   Source: Bitsight TRACE
   
    * Resources
       * Customer Stories
       * Reports & eBooks
       * Datasheets
       * Webinars
       * Videos
       * Cybersecurity Glossary
       * All Resources
   
    * Blog
       * Vulnerabilities & Incidents
       * Policy & Regulations
       * Exposure Management
       * Third-Party Risk Management
       * All Blog Posts
   
   Bitsight delivered 297% ROI for security leaders
   
   Read the study to see how bolstering your cyber security program with
   Bitsight can protect your business while improving your bottom line.
   
   Download Forrester Study

See Your Rating
 * Blog
 * Partners
 * Login
 * Chat With Us
 * Request Demo


PROXY.AM POWERED BY SOCKS5SYSTEMZ BOTNET

December 03, 2024


TAGS:

Bitsight Security Research

Share:
 * Facebook
   
 * Twitter
   
 * LinkedIn
   

Written by Bitsight TRACE
Bitsight's security research team

A year ago, Bitsight TRACE published a blog post on Socks55Systemz,a proxy
malware with minimal mentions in the threat intelligence community at the time.
In that post, we correlated a Telegram user to the botnet operation and
estimated its size at around 10,000 compromised systems. After a year-long
investigation, we are shedding new light on these conclusions.

 * Key Takeaways
 * Origins of Socks5Systemz
 * A botnet of 250,000 bots
 * The Proxy Service
 * Service Updates
 * Conclusions
 * Indicators of Compromise


KEY TAKEAWAYS

 * Socks5Systemz, identified last year during large-scale distribution campaigns
   involving Privateloader, Smokeloader, and Amadey, has actually been active
   since 2013.
 * This malware was sold as a standalone product or integrated into other
   malware as a SOCKS5 proxy module. Such malware included, at least, Andromeda,
   Smokeloader and Trickbot.
 * In recent months, Bitsight TRACE investigated a Socks5Systemz botnet with
   250,000 compromised systems at its peak, geographically dispersed across
   almost every country in the world.
 * The proxy service PROXY.AM, active since 2016, exploits the botnet to provide
   its users with proxy exit nodes and enable them to pursue broader criminal
   objectives.


ORIGINS OF SOCKS5SYSTEMZ


Image 1: The login page of the Socks5systemz C2 panel.

Socks5Systemz is a proxy malware designed to turn compromised systems into proxy
exit nodes. Its name comes from the text that the threat actor uses in the
backend panel.

Bitsight has described the inner workings of the malware in the previous post,
Although it changed a bit in the last 12 months, this time we will not delve
into the details of Socks5systemz, such as its malware analysis and command and
control protocols. Instead, we will outline the updates made to the malware
later in this post.

Although Bitsight observed multiple distribution campaigns of the malware over
the last year, it remained under the radar until September 2023—not just for us,
but for the entire threat intelligence community, since there were almost zero
references to it. After digging up, we discovered posts in multiple underground
Russian forums linking to the malware dating back to 2013.

The image below shows a post, that was cross posted in multiple forums, where
the actor BaTHNK is selling a “SOCKS5 backconnect system”:


Image 2: Archived post from 2013 on forum XSS, where actor BaTHNK sells a SOCKS5
backconnect system

In the same thread, the actor posted some screenshots of the C2 panel with the
same branding and template that we saw in current Socks5Systemz panels:

ckend panel
Image 3: A comment to a forum post in 2013, where actor BaTHNK posts screenshots
of Socks5Systemz backend panel

The question is:
Why has a malware family that has been around for over a decade only recently
been widely distributed?

The answer may be in one comment on that same thread, where actor Ar3s provided
positive feedback on the malware and BaTHNK ability to customize the malware to
suit customer needs:

e feedback about the malware.
Image 4: A comment in the same thread, auto translated to english, where actor
Ar3s provides positive feedback about the malware.

Ar3s, was one of the most prolific actors in the Russian crimeware scene until
2017, when he was arrested in Belarus in the outcome of Operation Avalanche. He
was charged as the primary operator of the biggest Andromeda botnet, used to
distribute more than 80 different malware families between 2011 and 2017.

After that positive review, BaTHNK adapted the malware to be used as a SOCKS5
proxy module of Andromeda, and a few weeks later, also added support for
Smokeloader.

e (auto-translated from Russian)
Image 5: Actor BaTHNK announces socks5systemz as a proxy module for Andromeda
and Smokeloader malware (auto-translated from Russian)

During our research, we also found a proxy module for Trickbot (2017) with lots
of code similarity and the same functionality as Socks5Systemz. At the time,
Vitali Kremez (rest in peace), conducted an analysis of it.

The use of Socks5Systemz as a proxy module within other malware may explain the
lack of references to it prior to November 2023; it likely operated under the
radar, being detected as part of other malware, and didn’t catch the attention
of the threat intelligence community.


A BOTNET OF 250,000 BOTS

In September 2023, we started to see widely distributed campaigns of
Socks5Systemz using Privateloader, Amadey, and Smokeloader. This was the
standalone version of Socks5Systemz as the final payload. We don’t know why the
modus operandi changed, but it may be linked to shifts in the crimeware
ecosystem that prompted threat actors to adopt this approach.

With the support of the Registrar of Last Resort (RoLR), Bitsight was able to
collect infection telemetry from the botnet due to how bots communicate with the
command and control (C2) servers.

emz.
Image 6: Infected systems telemetry collected from late november 2023 to january
2024 for Socks5Systemz.

The botnet, which we’ve called Socks5Systemz V1, is widely spread around the
world with bots in almost all countries on the planet. In late January 2024, the
daily average of bots was around 250,000.


Image 7: Socks5Systemz V1 botnet geographic dispersion.

The table below lists the top countries affected by Socks5Systemz infections:

Country Infections India 40153 Indonesia 17027 Ukraine 11178 Algeria 8255 Viet
Nam 8047 Russian Federation 7826 Turkey 7288 Brazil 7224 Mexico 6987 Pakistan
6802 Thailand 6452 Philippines 5664 Colombia 5165 Egypt 5164 United States 4784
Argentina 4756 Bangladesh 4432 Morocco 3758 Nigeria 3625 Others 73573

With 250k bots as a daily average, this is a huge botnet in today’s landscape.
For comparison, in its glory days, Andromeda had a 2M daily average—albeit with
a vastly different business model. Similar proxy malware has daily averages
between 15k and 50k bots.

Since January 2024, our telemetry counters have decreased over time. We’re
currently seeing around ~120k bots for the Socks5Systemz v1 botnet.


Image 8: Socks5Systemz botnet telemetry between Nov 2023 and Nov 2024.

The decrease in telemetry can be attributed to two factors:

 * In December 2023, the threat actor lost control of Socks5Systemz V1 and had
   to rebuild the botnet from scratch with a completely different C2
   infrastructure—which we call the Socks5Systemz V2 botnet.
 * Because Socks5Systemz is dropped by loaders (such as Privateloader,
   Smokeloader or Amadey) that persist on the system, new distribution campaigns
   were used to replace old infections with new payloads.

Bitsight TRACE estimates that the current botnet maintains a daily average size
of 85,000 to 100,000 bots.


THE PROXY SERVICE

In our previous post about Socks5Systemz, we linked the malware to a proxy
service called BoostyProxy, which is being sold on Telegram by the actor
'boost'. While this association remains valid, further investigation reveals
that boost is likely just a reseller in a larger operation.

Looking at infrastructure indicators of Socks5Systemz V1 and using the fallback
domain bddns[.]cc (active until November 2023) as a pivot point, we see that its
WHOIS information from 2018-03-06 reveals the original registrant, as well as
the technical, administrative, and billing contacts as:

Name: Alexey Pavlov
Address: ul. Karla Marksa 77 - 41 - Novosibirsk, 314932 - Russia
Phone: +79264921021
Email: unvizik@gmail.com

The same name, phone number and address were used in 2016-01-09 to register the
domain proxy[.]am, with the following WHOIS details:

Domain name: proxy.am
 Registrar: globalar (GlobalAR LLC)
 Status: active

Registrant:
  Alexey Pavlov
  ul. Karla Marksa 77 - 41
  Novosibirsk, 314932
  RU

Administrative contact:
  Alexey Pavlov
  ul. Karla Marksa 77 - 41
  Novosibirsk, 314932
  RU
  hostmaster@globalar.net
  +79264921021

Technical contact:
  Alexey Pavlov
  ul. Karla Marksa 77 - 41
  Novosibirsk, 314932
  RU
  hostmaster@globalar.net
  +79264921021

DNS servers:
  ns1.reg.ru
  ns2.reg.ru

Registered: 2016-01-09
Last modified: 2016-01-09
Expires: 2017-01-09

Upon examining the C2 infrastructure and investigating one of the backconnect
servers associated with Socks5Systemz, operating with the IP address
109.236.51[.]104, between February 2022 and November 2023, passive DNS records
reveal the following:


Figure 9: PDNS records for 109.236.51[.]104

This is an indicator that the IP of a C2 server for Socks5Systemz was reused
from a server that hosted design.proxy[.]am, hpf.proxy[.]am and api.proxy[.]am
on or about 2018-02-12 and 2021-08-30.


Figure 10: Relationship graph between bddns[.]cc, proxy[.]am and
109.235.81[.]104

PROXY.AM markets itself as a service that “provides elite, private and anonymous
proxies”, with plans ranging from $90 to $700 USD.

The main URL for access to the proxy service was https://proxy[.]am, until
November 2023. Since then, the threat actors have registered proxyam[.]one. The
former redirects to this new domain.


Figure 11: Screenshot of Proxy.AM homepage in November 2023

The website advertised a total of around 300,000 proxies in November 2023. Since
then, PROXY.AM redesigned their website and their proxy packages:


Figure 12: New PROXY.AM website in November 2024

Figure 13: PROXY.AM advertised use cases. Mind the “Brute Accounts”.

The service provides contact via telegram and email.


Figure 14: Support addresses for Proxy.AM


SERVICE UPDATES

Between December 2023 and October 2024, some changes in the malware and C2
infrastructure were implemented. Bitsight TRACE observed:

 * New infrastructure:
   * 26 servers in total (14 backconnect servers, 6 C2 servers, 5 nameservers, 1
     fallback)
   * More geographic dispersion across Europe
   * New host providers
   * New fallback domain(s)

 * Malware updates:
   * Updated C2 protocol
   * New RC4 keys, new URL paths, new beacon data format
   * Backconnect protocol is now done over port 2023/TCP
   * Obfuscation! It’s not easy to extract the malware configuration statically

Besides these changes, the core functionality remains unchanged, as detailed in
our previous analysis.


CONCLUSIONS

Proxy malware and proxy services aren’t new, but they’re becoming more relevant
because of the increased offer announced in underground forums and the silent
impact they have in our networks. We’ve covered this kind of malware in the past
and Lumen’s Black Lotus Labs has recently published a similar review of Ngioweb
and NSOCKS. Proxy malware and services enable other types of criminal activity
adding uncontrolled layers of anonymity to the threat actors, so they can
perform all kinds of malicious activity using chains of victim systems.

In this post, we uncovered a possible explanation to how Socks5Systemz has
remained under the radar for the last 10 years by being deployed as a SOCKS5
proxy module for other malware and being detected as other malware and not for
what it is in reality. We also uncovered the proxy service that exploits the
largest Socks5Systemz botnet we know of at the moment.

Bitsight TRACE thanks The Registrar of Last Resort (RoLR) and Lumen’s Black
Lotus Labs for ongoing support in this investigation.

Below are indicators of compromise to help you detect Socks5Systemz in your
network or leverage them for further research. Happy Hunting.


INDICATORS OF COMPROMISE

This section contains IOCs for Socks5Systemz V2


THREAT ACTOR CONTROLLED DNS SERVERS


141.98.234.31
81.31.197.38
45.155.250.90
152.89.198.214
91.211.247.248



COMMAND AND CONTROL


185.208.158.248
185.237.207.107
185.208.158.202
79.132.128.13
176.10.111.126
194.62.105.143



BACKCONNECT SERVERS


195.154.176.209
89.105.201.183
46.8.225.74
88.80.150.13
195.154.174.225
62.210.201.223
185.141.63.209
195.154.173.35
195.154.174.12
62.210.204.81
62.210.204.131
185.141.63.216
195.154.185.134
88.80.148.252



SAMPLES


5260154782dd66c6a7b0e14c077c4b44ed1f483c6708495d0344edf8a14e2b27
36cffd7d54385e0473cb7f7bf2d33910027428837725c4d3649ff1af2d88cb2b
aa93289a23603efc27f70a7eb38f8e81fa7c30f4a5dff71f70c6f2ee583df619
e185e43f039f7a97672db4a44597abd6d2bf49c08d7bc689318a098ec826bb00
f6bbff3463d01da463091dc3347f5f42b32378353d2f7ddfab6285ecf0450c14
a2a41ff58541f577ea1580932cc89642e987239a2fa1ccdb33a3029a520ecd0b
fa3fe68c4a784c01e170098296b3212696b611e0239b69a40f4438532ca33e88
54feb0e02729304c1c054e34c3bcb4e76be31b31ec2276187ccc4479378ce130
0fc2f189aa3ebc1ff836079e49dac9758ab5e807d7ab4b42ff37c2376bcc2705
bf34984756336bc78428f3f856be287ef364afa3330cac5facf019c39be73657
b1e5b0e42e039b9711c435d691f1372ec663b2cb5a5d6a733d859d75a9f2d662
f4456c54b840b5650d131ee27ffc9f23b7b3d8344cd88bd2dd2dbad05741e401
c742642edeae783ffdc9efd52f514a5eef830ec115f8e723ee7cfd82ca7c0ba6
dd075ec25d314f2d97d89065239ccb1d6c680d3f08ea94bf59f522545a1546c9
75e722495c157a05b557580863f90b856d6ec229c7cb4974a008c823377369f5



ON THIS PAGE

 * Key takeaways
 * Origins of Socks5Systemz
 * A botnet of 250,000 bots
 * The Proxy Service
 * Service Updates
 * Conclusions
 * Indicators of Compromise


▸ Latest Research




BitSight Technologies, Inc.
111 Huntington Ave, Suite 400
Boston,  MA  02199
United States of America

+1-617-245-0469




Free Cyber Security Reports
 * Security Ratings Snapshot
 * Attack Surface Report
 * Supply Chain Risk Report
 * Marsh McLennan Cyber Risk Report
 * Third-Party Vendor Risk Report

 * BitSight Academy
 * BitSight Knowledge Base
 * Privacy Statement
 * Corporate Social Responsibility Statement
 * Security
 * BitSight Security Ratings Access Terms
 * Website Terms Of Use
 * Get A Free Demo
 * Cybersecurity Glossary
 * Do Not Sell or Share My Personal Information
 * Order Fulfillment Policy
 * Cookie-Präferenzen

Contact Us
© 2024 BitSight Technologies, Inc. and its Affiliates. All Rights Reserved.
 * Facebook
   
 * Instagram
   
 * Linkedin
   
 * Twitter
   
 * YouTube
   


This website uses cookies to enhance user experience, for advertising purposes,
and to analyze traffic on our website as described in our Datenschutzerklärung.
You may choose to consent to our use of these technologies by selecting "Accept"
or select "Required Only" if you do not consent. To change your preferences or
learn more about our use of cookies select "Manage Settings".
Akzeptieren Nur erforderliche Cookies Einstellungen verwalten


Opens in new window
PDF Download
Word Download
Excel Download
PowerPoint Download
Document Download
Explore your accessibility options


close carousel