PROXY.AM Powered by Socks5Systemz Botnet

Dec. 4, 2024, 10:26 a.m.

Description

The Socks5Systemz botnet, active since 2013, has operated under the radar by being bundled into other malware as a SOCKS5 proxy module. It has recently grown to roughly 250,000 compromised systems globally, and it powers PROXY.AM, a service that sells those infected hosts as proxy exit nodes for criminal activity. Originally sold as standalone malware, Socks5Systemz was later dropped by Andromeda, SmokeLoader and TrickBot. The botnet's size fluctuates; recent estimates put daily active bots between 85,000 and 100,000. PROXY.AM, registered in 2016, advertises 'elite, private and anonymous proxies' for a range of uses, including account brute-forcing. The malware has received recent updates, including new command-and-control infrastructure and additional obfuscation.

Date

  • Created: Dec. 4, 2024, 10:17 a.m.
  • Published: Dec. 4, 2024, 10:17 a.m.
  • Modified: Dec. 4, 2024, 10:26 a.m.

Indicators

  • fa3fe68c4a784c01e170098296b3212696b611e0239b69a40f4438532ca33e88
  • f6bbff3463d01da463091dc3347f5f42b32378353d2f7ddfab6285ecf0450c14
  • f4456c54b840b5650d131ee27ffc9f23b7b3d8344cd88bd2dd2dbad05741e401
  • e185e43f039f7a97672db4a44597abd6d2bf49c08d7bc689318a098ec826bb00
  • dd075ec25d314f2d97d89065239ccb1d6c680d3f08ea94bf59f522545a1546c9
  • c742642edeae783ffdc9efd52f514a5eef830ec115f8e723ee7cfd82ca7c0ba6
  • bf34984756336bc78428f3f856be287ef364afa3330cac5facf019c39be73657
  • b1e5b0e42e039b9711c435d691f1372ec663b2cb5a5d6a733d859d75a9f2d662
  • aa93289a23603efc27f70a7eb38f8e81fa7c30f4a5dff71f70c6f2ee583df619
  • a2a41ff58541f577ea1580932cc89642e987239a2fa1ccdb33a3029a520ecd0b
  • 75e722495c157a05b557580863f90b856d6ec229c7cb4974a008c823377369f5
  • 54feb0e02729304c1c054e34c3bcb4e76be31b31ec2276187ccc4479378ce130
  • 5260154782dd66c6a7b0e14c077c4b44ed1f483c6708495d0344edf8a14e2b27
  • 36cffd7d54385e0473cb7f7bf2d33910027428837725c4d3649ff1af2d88cb2b
  • 0fc2f189aa3ebc1ff836079e49dac9758ab5e807d7ab4b42ff37c2376bcc2705
  • 91.211.247.248
  • 89.105.201.183
  • 88.80.150.13
  • 88.80.148.252
  • 81.31.197.38
  • 79.132.128.13
  • 45.155.250.90
  • 194.62.105.143
  • 185.237.207.107
  • 185.208.158.248
  • 185.208.158.202
  • 176.10.111.126
  • 152.89.198.214
  • 141.98.234.31
  • 109.236.51.104
  • 109.235.81.104
  • 46.8.225.74
  • 195.154.185.134
  • 195.154.173.35
  • 185.141.63.216
  • 185.141.63.209
  • 62.210.201.223
  • https://proxy.am
  • hpf.proxy.am
  • design.proxy.am
  • api.proxy.am
  • proxyam.one
  • proxy.am
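The indicators above mix three types (SHA-256 hashes, IPv4 addresses, and domains or URLs), and a naive substring search on a domain such as proxy.am will also flag unrelated hosts like proxy.amazon.com. The following Python script is an added example, not part of the original pulse: it classifies each indicator, normalizes the URL to its hostname, and matches a few constructed log lines (DNS queries, flow records with dst=IP:port, and an EDR file event carrying a sha256= field) against the set, matching domains on label boundaries so that subdomains hit but lookalikes do not. The log format and the field names are assumptions for the example; only a subset of the indicators is embedded.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Subset of the indicators listed in the pulse above; enough to exercise each type.
INDICATORS = [
    "fa3fe68c4a784c01e170098296b3212696b611e0239b69a40f4438532ca33e88",
    "0fc2f189aa3ebc1ff836079e49dac9758ab5e807d7ab4b42ff37c2376bcc2705",
    "91.211.247.248",
    "185.208.158.202",
    "62.210.201.223",
    "https://proxy.am",
    "api.proxy.am",
    "proxyam.one",
    "proxy.am",
]

# Constructed sample log lines (not real telemetry) in an assumed key=value format.
SAMPLE_LOGS = [
    "2024-12-04T10:00:01Z dns query client=10.0.0.5 qname=cdn.proxy.am qtype=A",
    "2024-12-04T10:00:02Z flow src=10.0.0.5:51234 dst=185.208.158.202:443 proto=tcp",
    "2024-12-04T10:00:03Z flow src=10.0.0.7:40001 dst=8.8.8.8:53 proto=udp",
    "2024-12-04T10:00:04Z edr file_create path=C:\\Users\\x\\AppData\\Roaming\\svc.exe "
    "sha256=0FC2F189AA3EBC1FF836079E49DAC9758AB5E807D7AB4B42FF37C2376BCC2705",
    "2024-12-04T10:00:05Z dns query client=10.0.0.9 qname=proxy.amazon.com qtype=A",
]

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def classify(ioc):
    """Return (type, normalized value): 'sha256', 'ip' or 'domain'."""
    v = ioc.strip().lower()
    if SHA256_RE.match(v):
        return "sha256", v
    try:
        return "ip", str(ipaddress.ip_address(v))
    except ValueError:
        pass
    if "://" in v:  # URL indicator: keep only the hostname
        host = urlparse(v).hostname
        if host:
            return "domain", host
    return "domain", v.rstrip(".")


def build_index(iocs):
    """Group indicators by type into sets for O(1) lookups."""
    idx = {"sha256": set(), "ip": set(), "domain": set()}
    for ioc in iocs:
        kind, val = classify(ioc)
        idx[kind].add(val)
    return idx


def domain_hit(host, domains):
    """Match the host or any parent domain on label boundaries.

    cdn.proxy.am -> proxy.am (hit); proxy.amazon.com -> no hit.
    The bare TLD is never tried.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        cand = ".".join(labels[i:])
        if cand in domains:
            return cand
    return None


def scan_line(line, idx):
    """Return the list of (type, indicator) hits for one log line."""
    hits = []
    for key, val in FIELD_RE.findall(line):
        if key == "sha256" and val.lower() in idx["sha256"]:
            hits.append(("sha256", val.lower()))
        elif key in ("src", "dst"):
            ip = val.rsplit(":", 1)[0]  # assumes IPv4 host:port form
            if ip in idx["ip"]:
                hits.append(("ip", ip))
        elif key == "qname":
            m = domain_hit(val, idx["domain"])
            if m:
                hits.append(("domain", m))
    return hits


def scan(lines, idx):
    """Return [(line, hits)] for every line with at least one hit."""
    results = []
    for line in lines:
        hits = scan_line(line, idx)
        if hits:
            results.append((line, hits))
    return results


if __name__ == "__main__":
    for line, hits in scan(SAMPLE_LOGS, build_index(INDICATORS)):
        print(hits, "<-", line)
```

Swap SAMPLE_LOGS for a real line source and INDICATORS for the full list to use this against DNS, flow and EDR exports; the label-boundary match is the part that keeps the proxy.am entry from producing false positives.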

Attack Patterns

  • TSPY_TRICKLOAD
  • Socks5Systemz
  • Amadey - S1025
  • Totbrick
  • TrickBot - S0266
  • ANDROMEDA - S1074
  • SmokeLoader
  • PrivateLoader

Additional Information

  • British Indian Ocean Territory
  • Algeria
  • India
  • Indonesia
  • Mexico
  • Pakistan
  • Ukraine
  • Brazil
  • Russian Federation