Hacked proxy service has already infected 10,000 systems worldwide with malware


Cybersecurity researchers at BitSight have discovered a major proxy botnet encompassing more than 10,000 infected devices. The data bandwidth of these devices is then sold to third parties on the dark web, for cryptocurrencies, usually to other cybercriminals.

As reported by BleepingComputer, the proxy botnet that was discovered is called Socks5Systemz. Unidentified hackers have been using two separate loaders, namely PrivateLoader and Amadey, to infect the endpoints and assimilate them into the proxy botnet.

The loaders were usually distributed via phishing, various exploit kits, malicious ads, fake programs, cracks, keygens, and the like. Operators then sell access to the infected devices to subscribers, who pay anywhere between $1 and $140 to route their traffic through them.

Victims are everywhere

We don’t know exactly how much money the operators acquired by selling the service, but we do know that it’s been active since at least 2016, successfully flying under everyone’s radar. 

BitSight’s researchers managed to identify a major control infrastructure, comprising 53 proxy bot, backconnect, DNS, and address acquisition servers located around Europe (but mostly France, the Netherlands, Sweden, and Bulgaria). 

The victims are located all over the world, but most infections are in India, the U.S., Brazil, Colombia, South Africa, Argentina, and Nigeria. 

Proxy botnets are nothing new and have been around for ages. Last summer, AT&T Alien Labs reported on malware being distributed through game cracks and other illegal software, targeting Windows users and turning their devices into botnet endpoints.

The malware silently downloaded and installed a proxy application, without user knowledge or consent. Antivirus programs weren’t flagging the proxy application as malicious, either.

Apparently, more than 400,000 Windows systems were compromised this way. 

To make matters worse, the company behind the botnet claimed that all of the victims gave their consent, and willingly became part of the proxy infrastructure. 


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.