{ "name": "PROXY.AM Powered by Socks5Systemz Botnet", "slug": "proxyam-powered-by-socks5systemz-botnet", "description": "The Socks5Systemz botnet, active since 2013, has been operating under the radar by integrating with other malware as a SOCK5 proxy module. Recently, it has grown to 250,000 compromised systems globally. The botnet powers PROXY.AM, a service providing proxy exit nodes for criminal activities. Originally sold as standalone malware, Socks5Systemz was adapted for use in Andromeda, Smokeloader, and Trickbot. The botnet's size fluctuates, with recent estimates ranging from 85,000 to 100,000 daily active bots. PROXY.AM, registered in 2016, offers 'elite, private and anonymous proxies' for various purposes, including account brute-forcing. The malware has undergone recent updates, including new infrastructure and obfuscation techniques.", "published": "2024-12-04T09:17:36+00:00", "created_at": "2024-12-04T09:17:36+00:00", "modified_at": "2024-12-04T09:26:17+00:00", "created_at_opencti": "2024-12-04T09:17:36+00:00", "author": "", "confidence": null, "report_types": [], "labels": [], "tags": [ "2024-12-04", "botnet", "proxy", "socks5", "socks5systemz" ], "related_entities": { "observables": [ { "id": "", "name": "91.211.247.248" }, { "id": "", "name": "89.105.201.183" }, { "id": "", "name": "88.80.150.13" }, { "id": "", "name": "88.80.148.252" }, { "id": "", "name": "81.31.197.38" }, { "id": "", "name": "79.132.128.13" }, { "id": "", "name": "45.155.250.90" }, { "id": "", "name": "194.62.105.143" }, { "id": "", "name": "185.237.207.107" }, { "id": "", "name": "185.208.158.248" }, { "id": "", "name": "185.208.158.202" }, { "id": "", "name": "176.10.111.126" }, { "id": "", "name": "152.89.198.214" }, { "id": "", "name": "141.98.234.31" }, { "id": "", "name": "109.236.51.104" }, { "id": "", "name": "109.235.81.104" }, { "id": "", "name": "46.8.225.74" }, { "id": "", "name": "195.154.185.134" }, { "id": "", "name": "195.154.173.35" }, { "id": "", "name": "185.141.63.216" }, { "id": "", "name": "185.141.63.209" }, { "id": "", "name": "62.210.201.223" }, { "id": "", "name": "https://proxy.am" }, { "id": "", "name": "hpf.proxy.am" }, { "id": "", "name": "design.proxy.am" }, { "id": "", "name": "api.proxy.am" }, { "id": "", "name": "proxyam.one" }, { "id": "", "name": "proxy.am" }, { "id": "", "name": "fa3fe68c4a784c01e170098296b3212696b611e0239b69a40f4438532ca33e88" }, { "id": "", "name": "f6bbff3463d01da463091dc3347f5f42b32378353d2f7ddfab6285ecf0450c14" }, { "id": "", "name": "f4456c54b840b5650d131ee27ffc9f23b7b3d8344cd88bd2dd2dbad05741e401" }, { "id": "", "name": "e185e43f039f7a97672db4a44597abd6d2bf49c08d7bc689318a098ec826bb00" }, { "id": "", "name": "dd075ec25d314f2d97d89065239ccb1d6c680d3f08ea94bf59f522545a1546c9" }, { "id": "", "name": "c742642edeae783ffdc9efd52f514a5eef830ec115f8e723ee7cfd82ca7c0ba6" }, { "id": "", "name": "bf34984756336bc78428f3f856be287ef364afa3330cac5facf019c39be73657" }, { "id": "", "name": "b1e5b0e42e039b9711c435d691f1372ec663b2cb5a5d6a733d859d75a9f2d662" }, { "id": "", "name": "aa93289a23603efc27f70a7eb38f8e81fa7c30f4a5dff71f70c6f2ee583df619" }, { "id": "", "name": "a2a41ff58541f577ea1580932cc89642e987239a2fa1ccdb33a3029a520ecd0b" }, { "id": "", "name": "75e722495c157a05b557580863f90b856d6ec229c7cb4974a008c823377369f5" }, { "id": "", "name": "54feb0e02729304c1c054e34c3bcb4e76be31b31ec2276187ccc4479378ce130" }, { "id": "", "name": "5260154782dd66c6a7b0e14c077c4b44ed1f483c6708495d0344edf8a14e2b27" }, { "id": "", "name": "36cffd7d54385e0473cb7f7bf2d33910027428837725c4d3649ff1af2d88cb2b" }, { "id": "", "name": "0fc2f189aa3ebc1ff836079e49dac9758ab5e807d7ab4b42ff37c2376bcc2705" } ], "malware": [ { "id": "legacy:malware:fdd36483dcfb1131", "name": "TSPY_TRICKLOAD", "slug": "tspy_trickload" }, { "id": "legacy:malware:654b5a6d590af700", "name": "Socks5Systemz", "slug": "socks5systemz" }, { "id": "legacy:malware:760697ec60a50988", "name": "Amadey - S1025", "slug": "amadey-s1025" }, { "id": "legacy:malware:ae6ad40a7dab1a1c", "name": "Totbrick", "slug": "totbrick" }, { "id": "legacy:malware:5afd3cb672567b24", "name": "TrickBot - S0266", "slug": "trickbot-s0266" }, { "id": "legacy:malware:2b41c2653abe38a9", "name": "ANDROMEDA - S1074", "slug": "andromeda-s1074" }, { "id": "legacy:malware:cc57575058c6dacb", "name": "SmokeLoader", "slug": "smokeloader" }, { "id": "legacy:malware:1530123b33559dbd", "name": "PrivateLoader", "slug": "privateloader" } ], "intrusion_sets": [ { "id": "3f23eeb3-13a4-46d9-9a0c-28dc96e9ac06", "name": "Socks5Systemz", "slug": "socks5systemz" } ], "attack_patterns": [ { "id": "4bbdf41c-817c-448a-9513-aaea6bfbe8b4", "name": "T1568" }, { "id": "16e26db7-7376-40c1-b8a9-23d56c44f7ee", "name": "T1571" }, { "id": "32817170-4c07-427e-b8a5-80a733ae2550", "name": "T1497" }, { "id": "a72ebeae-8e62-4039-8135-e9c611011fdc", "name": "T1573" }, { "id": "70616b2f-4019-4963-b758-5d9f6f20e201", "name": "T1082" }, { "id": "870bd958-53a3-4d25-9f23-00aa8bd6674d", "name": "T1102" }, { "id": "81ee4813-4f68-4984-bec1-980d7c5b56eb", "name": "T1132" }, { "id": "0c836307-129e-4ff7-a532-180c633cacba", "name": "T1027" }, { "id": "c340d47a-2ea8-41ca-9a0b-a72559b89bbf", "name": "T1584" }, { "id": "ca53b2fa-42a8-45ec-9682-0cf54bf280f3", "name": "T1090" } ], "others": [ { "id": "", "name": "British Indian Ocean Territory" }, { "id": "", "name": "Algeria" }, { "id": "", "name": "India" }, { "id": "", "name": "Indonesia" }, { "id": "", "name": "Mexico" }, { "id": "", "name": "Pakistan" }, { "id": "", "name": "Ukraine" }, { "id": "", "name": "Brazil" }, { "id": "", "name": "Russian Federation" } ] }, "external_refs": [ "https://www.bitsight.com/blog/proxyam-powered-socks5systemz-botnet", "https://otx.alienvault.com/pulse/67502c40a650db434a39ed47" ] }