Check out the latest #socks5systemz #malware indicators: https://github.com/reversinglabs/reversinglabs-siem-rules/tree/master/Malware/Socks5Systemz/20240118/KQL

*.himanfast[.]com
*.topteamlife[.]com
*.hitsturbo[.]com
*.ayazprak[.]com
check[.]graspalace[.]com

reversinglabs-siem-rules/Malware/Socks5Systemz/20240118/KQL at master · reversinglabs/reversinglabs-siem-rules

A collection of various SIEM rules relating to malware family groups. - reversinglabs/reversinglabs-siem-rules

GitHub

@da_667 That’s a good question! By the looks of the TCP 1074 traffic, the connect messages start with two or three null bytes, followed by a 16-bit length field in little-endian byte order. The length is the number of characters in the string that follows. Then comes whatever string the C2 server provided after ip= in the c=connect command, followed by the client_id in reversed byte order.

The #Socks5Systemz backconnect message format is something like this:
[null bytes][length][ip string][client_id]

There are also other message types, but they start with other values than 0x00. One example is when the C2 server sends the c=updips command, after which the client connects back to TCP 1074 and sends data starting with 0x02 instead. The actual backconnect proxy traffic uses 0x01.

The exact same protocol, but without RC4 encryption, was also reverse engineered by Vitali Kremez (RIP 💜) in his “Let’s Learn: Trickbot Socks5 Backconnect Module In Detail” blog post from 2017.
#TrickBot #TeamSpy #Socks5Systemz
https://vk-intel.org/2017/11/21/lets-learn-trickbot-socks5-backconnect-module-in-detail/
Let’s Learn: Trickbot Socks5 Backconnect Module In Detail

Goal: Reverse the Trickbot Socks5 backconnect module including its communication protocol and source code-level insights. Source: Decoded Trickbot Socks5 backconnect module(33ad13c11e87405e277f002e…

Reverse Engineering, Malware Deep Insight
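The backconnect layout described in the reply above ([null bytes][length][ip string][client_id]) is easy to get wrong when writing a dissector, so here is a small parser for it. This is an added example, not code from the thread or from any of the linked write-ups: the sample message is constructed here, the type-byte mapping (0x00 connect, 0x01 proxy traffic, 0x02 after c=updips) is taken from the reply, and the assumption that the bytes after the ip string are the whole client_id, stored byte-reversed, is mine.

```python
import struct

# Type-byte mapping as described in the thread (first byte of each TCP 1074 message).
MESSAGE_TYPES = {0x00: "connect", 0x01: "proxy", 0x02: "updips"}


def build_connect(ip: str, client_id: bytes, leading_nulls: int = 2) -> bytes:
    """Assemble a connect message for testing (constructed data, not captured traffic):
    [2-3 null bytes][u16 LE length][ip string][client_id, byte-reversed]."""
    ip_bytes = ip.encode("ascii")
    return (b"\x00" * leading_nulls
            + struct.pack("<H", len(ip_bytes))
            + ip_bytes
            + client_id[::-1])


def message_type(data: bytes) -> str:
    """Classify a backconnect message by its first byte."""
    if not data:
        return "empty"
    return MESSAGE_TYPES.get(data[0], "unknown")


def parse_connect(data: bytes) -> dict:
    """Parse a connect message; raise ValueError on anything malformed or truncated."""
    if message_type(data) != "connect":
        raise ValueError("not a connect message (first byte is not 0x00)")
    # Count the leading null bytes. The ip string is shorter than 256 bytes, so the
    # low byte of the little-endian length is non-zero and ends the run of nulls.
    pos = 0
    while pos < len(data) and data[pos] == 0 and pos < 3:
        pos += 1
    if pos not in (2, 3):
        raise ValueError(f"expected 2 or 3 leading null bytes, got {pos}")
    if len(data) < pos + 2:
        raise ValueError("truncated before length field")
    (length,) = struct.unpack_from("<H", data, pos)
    pos += 2
    if length == 0 or len(data) < pos + length:
        raise ValueError("ip string missing or truncated")
    ip = data[pos:pos + length].decode("ascii", errors="replace")
    pos += length
    tail = data[pos:]
    if not tail:
        raise ValueError("missing client_id")
    # Assumption: everything after the ip string is the client_id in reversed byte order.
    return {"leading_nulls": pos - 2 - length, "ip": ip, "client_id": tail[::-1]}


def is_malformed(data: bytes) -> bool:
    """True if parse_connect rejects the message (handy for fuzzing a feed of captures)."""
    try:
        parse_connect(data)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    sample = build_connect("203.0.113.5", b"\x01\x02\x03\x04")  # constructed sample
    print(sample.hex())
    print(parse_connect(sample))
```

The ip string is whatever the C2 supplied after ip=, so the parser does not validate it as an address; treat it as attacker-controlled text when it ends up in logs or dashboards.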

The RC4 cipher is actually reset with every C2 message 🤪🤣 This makes it possible to detect #Socks5Systemz bot checkins with a static signature that looks for GET requests that have a QueryString starting with c=94bf3661c794e3eb1ba4.

It’s also possible to identify the C2 commands from the server without having to decrypt them. Here’s a translation table:

  • 94ee3b6dda83d3ec11fc3742 ➡️ c=disconnect
  • 94ee3660c585 ➡️ c=idle
  • 94ee2a74cd89ccf1 ➡️ c=updips
  • 94ee3c6bc78ed9e10b ➡️ c=connect

The C2 protocol in BitSight’s Unveiling Socks5Systemz seems to be identical to what’s described in this old BackDoor.TeamViewer.49 blog post by DrWEB from 2016!

They both even use the same RC4 encryption key heyfg645fdhwi, which can be used to decrypt requests and responses from the C2.

#Socks5Systemz #TeamSpy

Unveiling Socks5Systemz: The Rise of a New Proxy Service via PrivateLoader and Amadey | Bitsight

Recently, our Threat Research team discovered a new malware sample, distributed by the PrivateLoader and Amadey loaders. Learn more.

Bitsight

"🚨 Rise of #SOCKS5Systemz: A New Proxy Menace 🌐"

The BitSight investigation found that PrivateLoader and the Amadey botnet are now working together, making it easier to distribute malware. This partnership is a big threat because it simplifies how malware is spread.

We also looked into SOCKS5Systemz, a proxy service, and discovered a concerning trend in proxy services. PrivateLoader and Amadey, which used to be separate threats, are now connected, showing a change in how cybercriminals cooperate.

BitSight's latest findings reveal a new proxy service called Socks5Systemz. It's being distributed through PrivateLoader and Amadey, which are common tools for cybercriminals to spread malware. This service sells access to about 10,000 infected systems globally, with no victims in Russia, suggesting the operators may be located there. They offer different subscription levels, paid in cryptocurrency, letting clients hide their internet activity, which poses risks to network security. The botnet spans several European countries and provides standard and VIP subscriptions, meeting various user demands for anonymity.🤝💻🔗

Source: BitSight Blog

Tags: #CyberSecurity #ProxyServices #PrivateLoader #Amadey #CyberThreats #CyberCollaboration #InfoSec #ThreatIntelligence #Malware 🛡️🔍

Socks5Systemz proxy service delivered via PrivateLoader and Amadey

Threat actors infected +10K devices worldwide with 'PrivateLoader' and 'Amadey' loaders to recruit them into the proxy botnet 'Socks5Systemz.'

Security Affairs

This malware infiltrates computers and transforms them into proxies for forwarding traffic, which can be used for malicious, illegal, or anonymous purposes.

#Cybersecurity #Proxy #Malware #Botnet #Socks5Systemz

https://cybersec84.wordpress.com/2023/11/05/socks5systemz-proxy-service-global-infection-hits-10000-systems/

Socks5Systemz Proxy Service: Global Infection Hits 10,000 Systems

A proxy botnet known as “Socks5Systemz” has been spreading across computers worldwide via the “PrivateLoader” and “Amadey” malware loaders, with the current coun…

CyberSec84 | Cybersecurity news.