
Socks5Systemz malware resurfaces, 250K systems compromised worldwide


A stealthy malware called Socks5Systemz, active since 2013 but largely overlooked until recently, has emerged as the backbone of a global botnet that, at its peak, compromised up to 250,000 systems. Originally a low-profile SOCKS5 proxy module embedded within other malware, Socks5Systemz has evolved into a standalone threat, targeting India, Indonesia, Ukraine, Algeria, Vietnam, Russia, Turkey, Brazil, Mexico, Pakistan, Thailand, the Philippines, Colombia, Egypt, the United States, Argentina, Bangladesh, Morocco, and Nigeria.

Researchers unearthed the malware during large-scale distribution campaigns involving well-known loaders such as Privateloader, Smokeloader, and Amadey. Despite its decade-long existence, Socks5Systemz went largely unremarked until 2023, remaining under the radar because it was often mistaken for the other malware it shipped with.

Experts discovered that Socks5Systemz was often integrated with Andromeda, Smokeloader, and Trickbot.

Key to its stealth was its role as a SOCKS5 proxy module embedded within these larger malware families. As a result, it evaded direct scrutiny from cybersecurity professionals, operating as a silent enabler of malicious activities.

[Image: Socks5Systemz telemetry. | Source: Bitsight]

“The use of Socks5Systemz as a proxy module within other malware may explain the lack of references to it prior to November 2023; it likely operated under the radar, being detected as part of other malware, and didn’t catch the attention of the threat intelligence community,” researchers explained.

Of the 250,000 compromised systems, India led the infection statistics with over 40,000 compromised devices, followed by countries like Indonesia, Ukraine, and Algeria.

However, as researchers discovered, this dominance was short-lived. In December 2023, the threat actors behind Socks5Systemz lost control of their infrastructure, necessitating the creation of a new botnet dubbed Socks5Systemz V2. This new iteration currently maintains a smaller but still substantial daily average of 85,000-100,000 bots.

At the heart of Socks5Systemz’s operations is its connection to PROXY.AM, a proxy service active since 2016. Researchers investigated and linked the botnet’s command-and-control (C2) infrastructure to this service, which is marketed as providing “elite, private, and anonymous proxies.”

[Image: PROXY.AM homepage in November 2023. | Source: Bitsight]

PROXY.AM, with packages ranging from $90 to $700, enables clients to use compromised systems as proxy exit nodes, obfuscating their activities and facilitating broader criminal operations.

In November 2023, PROXY.AM reportedly managed approximately 300,000 proxies.

Over the past year, Socks5Systemz has undergone significant updates to its malware and infrastructure:

  • Enhanced geographic dispersion of its servers across Europe.
  • New communication protocols, including RC4 encryption and obfuscation techniques.
  • A revamped fallback domain system to ensure resilience against takedowns.

Despite these changes, researchers discovered that the malware’s core functionality — turning compromised devices into SOCKS5 proxies — remains unchanged.

“Proxy malware and proxy services aren’t new, but they’re becoming more relevant because of the increased offer announced in underground forums and the silent impact they have in our networks,” cyber experts concluded. “Proxy malware and services enable other types of criminal activity adding uncontrolled layers of anonymity to the threat actors, so they can perform all kinds of malicious activity using chains of victim systems.”


Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me
