Bitsight uncovered Socks5Systemz, a proxy botnet delivered by the PrivateLoader and Amadey loaders that turns infected devices into backconnect proxies and rents them out as a subscription service. The operation has roughly 10,000 infected hosts worldwide, with Europe as its largest footprint, a login panel tied to the proxy bot C2 servers, and a substantial infrastructure including hardcoded DNS resolvers and RC4-encrypted C2 beacons. #Socks5Systemz #Boost
Keypoints
- Proxy botnet Socks5Systemz is distributed via PrivateLoader and Amadey loaders.
- Infected systems are turned into proxies for clients, with a crypto-based subscription model.
- The campaign has victims worldwide, roughly 10,000 infected hosts in total, with Europe as the largest footprint.
- The infrastructure includes proxy bot C2 servers, backconnect servers, DNS servers, a telemetry/updates server, and a proxy checker app (about 53 servers identified).
- A Telegram actor named boost/BostyProxy/B0ost is involved in selling access and managing a proxy service.
- Persistence relies on a Windows service (ContentDWSvc) that runs a copied loader, which then injects the proxy bot DLL in memory; if the service cannot be installed, the loader falls back to replacing GoogleUpdate.exe with itself.
- Beacons and C2 communications are RC4-encrypted, and the bot locates active C2 endpoints through a domain-generation and hardcoded-DNS-resolver workflow (e.g., bddns.cc for C2 address retrieval, datasheet.fun for telemetry).
MITRE Techniques
- [T1543.003] Create or Modify System Process: Windows Service. The install option sets up persistence by copying the loader and creating a Windows service named ContentDWSvc. "The install option is responsible for setting up the persistence on the system and to do so it will try to copy the loader to C:\ProgramData\ContentDWSvc\ContentDWSvc.exe and create a Windows service to run the copied loader with both the name and display name set to ContentDWSvc."
- [T1055] Process Injection. The loader injects the proxy bot in memory. "The decrypted data will be a valid DLL file containing the proxy bot that will be injected in memory."
- [T1027] Obfuscated Files or Information. The loader decrypts an embedded resource to obtain the payload that is then injected as a DLL. "The loader main function will load the resource with ID 400 to memory and decrypt it. The decrypted data will be a valid DLL file containing the proxy bot that will be injected in memory."
- [T1036] Masquerading. When service persistence fails, the loader replaces GoogleUpdate.exe to masquerade as a legitimate process. "If file copy or service creation fails, the loader will try to kill all Google update processes and replace the GoogleUpdate.exe original executable by itself."
- [T1071.001] Application Layer Protocol: Web Protocols. The bot communicates over HTTP, including GET requests to obtain C2 addresses and to fetch commands. "The bot is ready to start the C2 communications by doing a HTTP GET request to the following endpoint /single.php?c=."
Indicators of Compromise
- [IP] proxy bot C2 frontend: 109.230.199.181, 185.141.63.172 (examples from the infrastructure)
- [IP] DNS and backconnect hosts: 109.236.81.104, 109.236.88.134, among others (examples from the infrastructure)
- [Domain] C2 address retrieval: bddns[.]cc; telemetry server: datasheet[.]fun
- [Hash] proxy bot payload: fee88318e738b160cae22f6c0f16c634fd16dbf11b9fb93df5d380b6427ac18f
- [Hash] loader payload: dc262539467bf34e5059686955d6567efadd8e21c76be51eba94737d8c326720
- [File] loader: previewer.exe (dropped by PrivateLoader/Amadey)
- [File] installed loader path: C:\ProgramData\ContentDWSvc\ContentDWSvc.exe (persistence target)
- [Hash] additional packed payloads: further hashes (elided in this summary)
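The techniques and indicators above translate directly into host and network detections. The following Python sweep is an added example written for this summary, not Bitsight's tooling or the malware's code: it matches the ContentDWSvc service install, a GoogleUpdate.exe overwrite by a process outside Google's updater directory, the /single.php?c= beacon or the listed C2 IPs, and lookups of the C2 domains. The log lines are constructed for the example, and their key=value layout (Windows System event 7045 and Sysmon event 11 fields, plus simple PROXY and DNS records) is an assumption about the collector, not a format from the report.

```python
"""Detection sweep for Socks5Systemz tradecraft (added example, not from the report).

Indicators come from the summary above; log lines and their field layout are
constructed assumptions so the sweep runs offline.
"""
import re
from dataclasses import dataclass

# Indicators taken from the page (IPs are the examples the summary lists).
C2_IPS = {"109.230.199.181", "185.141.63.172", "109.236.81.104", "109.236.88.134"}
C2_DOMAINS = {"bddns.cc", "datasheet.fun"}
SERVICE_NAME = "contentdwsvc"
INSTALL_PATH = r"c:\programdata\contentdwsvc\contentdwsvc.exe"
BEACON_PATH = "/single.php?c="

# Constructed sample telemetry (assumed key=value layout; quoted values may hold spaces).
SAMPLE_LOGS = [
    'EventID=7045 ServiceName=ContentDWSvc ImagePath="C:\\ProgramData\\ContentDWSvc\\ContentDWSvc.exe" StartType=auto',
    'EventID=7045 ServiceName=Spooler ImagePath="C:\\Windows\\System32\\spoolsv.exe" StartType=auto',
    'EventID=11 Image="C:\\Users\\bob\\AppData\\Local\\Temp\\previewer.exe" TargetFilename="C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe"',
    'EventID=11 Image="C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe" TargetFilename="C:\\Program Files (x86)\\Google\\Update\\Download\\x.tmp"',
    'PROXY src=10.0.0.5 dst=109.230.199.181 method=GET url="http://109.230.199.181/single.php?c=a1b2c3"',
    'PROXY src=10.0.0.9 dst=142.250.74.46 method=GET url="https://www.google.com/"',
    'DNS src=10.0.0.5 query=bddns.cc type=A',
    'DNS src=10.0.0.7 query=example.com type=A',
]


@dataclass
class Hit:
    rule: str
    line: str


def _fields(line):
    """Parse Key=value pairs (values may be double-quoted); keys are lower-cased."""
    return {k.lower(): v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}


def scan(lines):
    """Return one Hit per log line that matches a Socks5Systemz indicator."""
    hits = []
    for line in lines:
        f = _fields(line)
        eid = f.get("eventid")
        if eid == "7045":
            # Windows System log 7045: a service was installed (T1543.003).
            if (f.get("servicename", "").lower() == SERVICE_NAME
                    or f.get("imagepath", "").lower() == INSTALL_PATH):
                hits.append(Hit("persistence_service_ContentDWSvc", line))
        elif eid == "11":
            # Sysmon 11 FileCreate: GoogleUpdate.exe written by something that is not
            # itself under Google's updater directory (T1036 fallback). Heuristic.
            target = f.get("targetfilename", "").lower()
            writer = f.get("image", "").lower()
            if target.endswith("\\googleupdate.exe") and "\\google\\update\\" not in writer:
                hits.append(Hit("googleupdate_exe_replaced", line))
        elif line.startswith("PROXY"):
            # HTTP beacon endpoint or a known C2 frontend/backconnect address (T1071.001).
            if BEACON_PATH in f.get("url", "") or f.get("dst") in C2_IPS:
                hits.append(Hit("c2_http_beacon", line))
        elif line.startswith("DNS"):
            # Lookup of a C2 domain or any of its subdomains.
            q = f.get("query", "").lower().rstrip(".")
            if q in C2_DOMAINS or any(q.endswith("." + d) for d in C2_DOMAINS):
                hits.append(Hit("c2_domain_lookup", line))
    return hits


if __name__ == "__main__":
    for h in scan(SAMPLE_LOGS):
        print(f"{h.rule:36} {h.line}")
```

The GoogleUpdate.exe rule is deliberately a heuristic: the legitimate updater rewrites its own binary from within its install directory, so the sweep only flags writers outside that directory. Pair it with a signature check on the on-disk file before escalating.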