Unveiling Socks5Systemz: The Rise of a New Proxy Service via PrivateLoader and Amadey

Cyber Security Threat Summary:
According to a new report by cybersecurity firm Bitsight, threat actors are using the PrivateLoader and Amadey loaders to distribute a proxy botnet dubbed Socks5Systemz. Its infrastructure is extensive: 53 proxy bot, backconnect, DNS, and address acquisition servers distributed across France, Bulgaria, the Netherlands, and Sweden. Although Socks5Systemz has been around since 2016, it remained under the radar until recently; researchers estimate that the botnet has infected roughly 10,000 systems worldwide. Based on the telemetry gathered, most infections are in India, followed by Brazil, Colombia, South Africa, Bangladesh, Argentina, Angola, the United States, Suriname, and Nigeria.

Security Officer Comments:
The Socks5Systemz bot is a roughly 300 KB 32-bit DLL that uses a domain generation algorithm (DGA) to locate its C2 server, to which it sends profiling information about the infected machine. As a proxy service, Socks5Systemz lets cybercriminals rent a pool of IP addresses belonging to infected hosts, giving their traffic a layer of anonymity. The service is sold in subscription packages ranging from $1 to $4,000; the "VIP" tier supports multithreading and all proxy traffic types (SOCKS4, SOCKS5, and HTTP). To use a proxy, researchers note, a client needs the IP address of the backconnect server and the TCP port assigned to the particular infected system (the bot connects outbound to the backconnect server, so the infected host itself does not need to be reachable from the internet).

Suggested Correction(s):
PrivateLoader and Amadey, the loaders being used to deliver Socks5Systemz, are commonly distributed via phishing and malvertising, so training staff to recognize these tactics helps deter infections. Because the bot finds its C2 through a DGA rather than a hard-coded address, domain blocklists alone are a weak control; monitoring DNS for bursts of NXDOMAIN responses and lookups of high-entropy names, and alerting on unexpected outbound connections from workstations, complements them.

Bitsight has included Socks5Systemz IOCs in its blog post, which can be used for detection.
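As an added illustration of a DNS-side check for the DGA-based C2 discovery described under Security Officer Comments (this is example code written for this page, not Bitsight's tooling and not a reimplementation of the Socks5Systemz DGA, which the summary does not describe), the following Python script scores each DNS client by its NXDOMAIN ratio and by the character entropy of the second-level labels it queries. The log format, the sample lines, the thresholds, and the function names are all assumptions for illustration.

```python
"""Heuristic detector for DGA-style C2 lookups in DNS resolver logs.

Added example, not Bitsight's code and not the Socks5Systemz DGA itself.
Clients that produce many NXDOMAIN answers for high-entropy names are
flagged; thresholds and the log format are assumptions for illustration.
"""
import math
import re
from collections import defaultdict

# Constructed sample log lines in an assumed "timestamp client qname rcode"
# format (real resolver logs such as BIND or Windows DNS differ). Client
# 10.0.0.9 behaves like a DGA bot; 10.0.0.5 is ordinary browsing traffic.
SAMPLE_LOG = """\
2023-11-06T10:00:01 10.0.0.5 www.example.com NOERROR
2023-11-06T10:00:02 10.0.0.5 updates.microsoft.com NOERROR
2023-11-06T10:00:03 10.0.0.9 kq3xz8vtw2pm.com NXDOMAIN
2023-11-06T10:00:03 10.0.0.9 b7fj2ps9qwlx.net NXDOMAIN
2023-11-06T10:00:04 10.0.0.9 zr8mcv4hylt6.com NXDOMAIN
2023-11-06T10:00:04 10.0.0.9 p1wq9dxn3kfa.com NXDOMAIN
2023-11-06T10:00:05 10.0.0.9 y6tgh2lmv8qe.net NXDOMAIN
2023-11-06T10:00:05 10.0.0.9 d4rsx7kjpz1n.com NOERROR
2023-11-06T10:00:06 10.0.0.5 mail.example.com NOERROR
2023-11-06T10:00:07 10.0.0.5 login.example.com NOERROR
2023-11-06T10:00:08 10.0.0.5 cdn.example.net NOERROR
this is not a log line
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(NOERROR|NXDOMAIN|SERVFAIL)$")


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def sld(qname):
    """Second-level label: 'www.example.com' -> 'example'."""
    parts = qname.rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def parse(log_text):
    """Return (client, qname, rcode) tuples; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            _ts, client, qname, rcode = m.groups()
            events.append((client, qname.lower(), rcode))
    return events


def score_clients(events, min_queries=5, nx_ratio=0.5, min_entropy=3.3):
    """Flag clients whose NXDOMAIN share and mean label entropy both exceed
    the (assumed) thresholds. Returns {client: summary} for flagged clients."""
    per = defaultdict(lambda: {"total": 0, "nx": 0, "ent": 0.0, "names": set()})
    for client, qname, rcode in events:
        s = per[client]
        s["total"] += 1
        s["nx"] += rcode == "NXDOMAIN"
        s["ent"] += shannon_entropy(sld(qname))
        s["names"].add(qname)
    flagged = {}
    for client, s in per.items():
        if s["total"] < min_queries:  # too little data to judge
            continue
        ratio = s["nx"] / s["total"]
        mean_ent = s["ent"] / s["total"]
        if ratio >= nx_ratio and mean_ent >= min_entropy:
            flagged[client] = {
                "queries": s["total"],
                "nxdomain_ratio": round(ratio, 2),
                "mean_entropy": round(mean_ent, 2),
                "sample": sorted(s["names"])[:3],
            }
    return flagged


if __name__ == "__main__":
    for client, summary in score_clients(parse(SAMPLE_LOG)).items():
        print(client, summary)
```

Entropy per character grows with label length, so the fixed threshold above is tuned to the 12-character labels in the sample; in production, compare against a baseline of the organization's own top-talker domains and whitelist CDN and telemetry names that legitimately look random.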