MENU

Republic of the Philippines
National Police Commission
PHILIPPINE NATIONAL POLICE
ANTI-CYBERCRIME GROUP
Camp BGen Rafael T Crame, Quezon City
E-mail: This email address is being protected from spambots. You need JavaScript enabled to view it.

ACG-CYBER SECURITY BULLETIN NR 325: Understanding Socks5systemz - a robot network malware

Reference Number ACG-CSB 122823325

   The following information was obtained from different cyber security sources for notification to all parties concerned pursuant to the mandate of the Philippine National Police Anti-Cybercrime Group (PNP ACG) and classified as “Restricted” pursuant to the PNP Regulation 200- 012 on Document Security and Impact Rating as high based on PNP Information Communication Technology (ICT) Security Manual s.2010-01 p. 22 and p.129.

SUMMARY

In order to fully understand how this malware works, one needs to be aware of a few concepts, and one of them is the Proxy server. A proxy server, as defined by TechTarget, is a dedicated computer or a software system running on a computer that acts as an intermediary between an endpoint device. It is the link between a computer, and another server from which a user or client is requesting a service. Another concept is botnet. As defined by Cloudflare, A botnet is a group of computers that have been infected by malware and have come under the control of a malicious actor. Botnets can be designed to accomplish illegal or malicious tasks including sending spam and Distributed Denial-of-Service (DDoS).

The socks5systemz malware turns victims’ devices into proxies for forwarding traffic. The malware infects computers and turns them into traffic-forwarding proxies for malicious, illegal, or anonymous traffic. It sells this service to subscribers who pay between $1 and $140 per day in cryptocurrency. The Socks5Systemz proxy botnet, as described in a detailed report by BitSight, has been around since at least 2016 but has remained relatively under the radar until recently.

The Socks5Systemz bot is distributed by the PrivateLoader, a downloader malware family that is used as part to deliver payloads of multiple malware families, and Amadey malware, which has a primary function of stealing information and further distributing malware. This is often acquired by victims from phishing, exploit kits, malvertising, and trojanized executables downloaded from the seem to be legitimate websites. Once installed, the malware loaders drop and execute a file named previewer.exe, which ultimately causes the execution of the botnet, the malware initiates a session with the backconnect server via port 1074/TCP, utilizing a custom binary protocol. Once the session has been established, the bot can serve as a proxy. This makes it part of the pool of available proxies that can be used to send traffic on behalf of client.

Some possible symptoms include, but are not limited to: the inability to restart the computer in safe mode, a significant increase in disk activity, a significant increase in network traffic, and notably slow network activity. One might also see the creation of new files and directories with obfuscated or random names. Experiencing any of the mentioned effects above, one’s computer might be under attack and can potentially be compromised, as well as the network.

The Socks5Systemz proxy botnet has a worldwide impact, with infections observed across the globe. According to BleepingComputer, analysts recorded 10,000 distinct communication attempts over port 1074/TCP with the identified backconnect servers. The discovery of the Socks5Systemz proxy botnet highlights the ongoing danger that cybercriminals pose to the digital world. The proxy bot relies on a domain generation algorithm (DGA) to evade detection and enhance the botnet’s resilience to takedown.

Lastly, in order to stay protected from the current threat, it is recommended to deploy detection tools and firewalls. This botnet can harm individuals and an entire network of compromised systems.

RECOMMENDATION

The public is advised to follow these tips to avoid being a victim of Socks5systemz malware attacks:

  • Implement intrusion detection systems and continuously monitor network traffic for unusual patterns to promptly detect and respond to any suspicious or malicious activity, which may indicate the presence of a proxybotnet.
  • Implement email filtering and phishing detection solutions to block malicious emails.
  • Install updated antivirus and anti-malware software to detect and prevent threats.
  • Regularly update your operating systems and software applications to patch any vulnerabilities that can be exploited.
  • It is a must to have a strong and unique password and enable two-factor authentication.
  • Stay informed to threat intelligence services to stay informed about emerging threats.

For additional information, please refer to the following websites:

  • https://www.techtarget.com/whatis/definition/proxy-server
  • https://www.cloudflare.com/en-gb/learning/ddos/what-is-a-ddos-botnet/
  • https://securityaffairs.com/153658/cyber-crime/socks5systemz-proxy-botnet.html
  • https://www.bleepingcomputer.com/news/security/socks5systemz-proxy-service-infects-10-000-systems-worldwide/
  • https://gridinsoft.com/blogs/socks5systemz-proxy-service/

 

POINT OF CONTACT

          Please contact PMAJ LESLIE P JALLORINA, Police Community Relations Officer, thru e-mail address This email address is being protected from spambots. You need JavaScript enabled to view it. or contact us by telephone number (+632) 723-0401 local 7483 for any inquiries related to this CYBER SECURITY BULLETIN.