Source |
RiskIQ |
Identifier |
8623800 |
Publication date |
2024-12-12 02:01:48 (viewed: 2024-12-12 03:08:36) |
Title |
Socks5Systemz Botnet Creates Massive Proxy Network Through 250,000 Infected Systems Worldwide |
Text |
## Snapshot
Bitsight TRACE's security research team has uncovered extensive details about the Socks5Systemz botnet. Since 2013, the malware has been covertly sold or integrated into other malware, including Andromeda, Smokeloader, and [Trickbot](https://sip.security.microsoft.com/intel-profiles/5a0aed1313768d50c9e800748108f51d3dfea6a4b48aa71b630cff8979882f7c).
## Description
Socks5Systemz was initially believed to have around 10,000 compromised systems, but it was later discovered to have peaked at 250,000 bots, with a presence in nearly every country. The botnet, which has been used by the proxy service PROXY.AM since 2016, provides anonymous proxy exit nodes for criminal activities.
The integration of Socks5Systemz as a proxy module within other malware might explain the absence of references to it before September 2023, when it made headlines as part of broad distribution campaigns involving loaders like [Privateloader](https://sip.security.microsoft.com/intel-profiles/49921aa8f61714680f9645c77fad076c9439af357597272d874d7d0073910c99), Smokeloader, and Amadey. Prior to 2023, Socks5Systemz likely operated covertly, being detected as part of other malware, and thus escaped the notice of the threat intelligence community.
The botnet's size has since decreased to an estimated 120,000 bots due to the threat actor losing control and having to rebuild the botnet with a new command and control (C2) infrastructure, now referred to as Socks5Systemz V2. The malware is also linked to BoostyProxy, a service sold on Telegram by an actor named 'boost', who is believed to be a reseller in a larger operation. Alexey Pavlov from Novosibirsk, Russia, has been identified as a key registrant associated with the proxy service.
As of October 2024, Bitsight TRACE has observed recent updates to the malware, including new servers, geographic dispersion, host providers, fallback domains, an updated C2 protocol and obfuscation techniques. The core functionality of the malware, however, has remained unchanged.
## Microsoft Analysis and Additional OSINT Context
Botnet threats have made headlines in recent months, continuing to evolve and posing risks to both individual users and critical infrastructure. Recent examples include the FBI's disruption of the [Flax Typhoon botnet](https://www.cybersecuritydive.com/news/us-takedown-china-botnet/727501/), which compromised over 260,000 devices to target critical infrastructure. Additionally, emerging botnet families are targeting Linux and Internet of Things (IoT) devices, exemplified by the [Ngioweb botnet](https://sip.security.microsoft.com/intel-explorer/articles/44f917c6), which exploits vulnerabilities in various IoT devices to turn them into residential proxies sold on the black market.
The [emergence of new botnet families like Gorilla](https://sip.security.microsoft.com/intel-explorer/articles/0bcef023), which draws from the infamous Mirai botnet source code, indicates a trend towards more aggressive and widespread attacks. GorillaBot has issued over 300,000 attack commands in a single month, targeting a wide range of sectors across more than 100 countries. This botnet's high attack density and focus on distributed denial-of-service (DDoS) attacks illustrate the growing complexity and impact of botnet threats. [Research by NSFOCUS](https://nsfocusglobal.com/company-overview/resources/botnet-trends-2023-review-and-2024-predictions/) revealed that DDoS was the most common botnet attack vector in 2023.
## Recommendations
**Microsoft recommends the following mitigations to reduce the impact of botnets.**
- [Restrict automatic prompts](https://support.microsoft.com/en-us/windows/automatic-file-download-notifications-in-windows-dc73c9c9-1b4c-a8b7-8d8b-b471736bb5a0) for non-user-initiated file downloads.
- [Enable Safe Links](https://learn.microsoft.com/en-us/powershell/module |
Notes |
★★★
|
Sent |
Yes |
Tags |
Spam
Malware
Vulnerability
Threat
Prediction
|