(synthient.com) ProxyBox: The Continued Evolution of the Socks5Systemz Residential Proxy Botnet
Socks5Systemz/ProxyBox botnet resurfaces post-sinkholing with 32K–35K daily active IPs, rebranded under ProxyBox. Threat actors exploit it for carding, credential stuffing, and identity theft via compromised consumer devices.
In brief - ProxyBox, the evolved Socks5Systemz botnet, leverages cracked software distribution (PPI) to infect devices, posing enterprise risks. Mitigation includes blocking relay IPs, restricting proxy protocols, and monitoring for its distinct User-Agent.
Technically - The malware employs a multi-stage loader: a 32-bit initial loader (~2.5MB) self-overwrites with a second stage (~500KB), unpacking an RC4-encrypted DLL (key: 'Of hi_few5i6ab&7#d3') from resources. The final payload (~600KB) uses junk code and control-flow obfuscation. C2 communication cycles through HTTPS/HTTP with a hardcoded User-Agent ('Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)') and 5-second timeouts. Persistence via Windows service or 'bmanager' Run key.
Source: https://synthient.com/blog/proxybox-socks5systemz-lives-on
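The User-Agent monitoring the summary recommends, as an added example that is not from the Synthient post: it scans constructed proxy log lines (an assumed Squid-like layout, not any real format from the page) for the exact ProxyBox C2 User-Agent, and separately flags the "Windows NT 9.0" token as a weaker heuristic, which is my addition.

```python
import re
from collections import Counter

# Exact User-Agent the post attributes to ProxyBox C2 traffic.
PROXYBOX_UA = "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"

# Constructed sample lines, assumed Squid-like format:
# <epoch> <client_ip> <method> <url> <status> "<user-agent>"
SAMPLE_LOG = """\
1717000000.100 10.0.5.23 GET https://cdn.example.test/update 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0"
1717000001.250 10.0.5.41 GET http://c2-placeholder.invalid/api 200 "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"
1717000002.300 10.0.5.41 CONNECT c2-placeholder.invalid:443 200 "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"
1717000003.400 10.0.5.77 GET https://intranet.example.test/ 200 "Mozilla/5.0 (Macintosh; Intel Mac OS X 14_4) Safari/605.1"
1717000004.500 10.0.5.90 GET http://odd.example.test/ 200 "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 9.0)"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)
# No shipped Windows reports "NT 9.0", so this alone is a weaker heuristic.
BOGUS_NT_RE = re.compile(r"Windows NT 9\.0")

def classify_ua(ua: str):
    """'proxybox' on exact match, 'suspicious' on bogus NT version, else None."""
    if ua == PROXYBOX_UA:
        return "proxybox"
    if BOGUS_NT_RE.search(ua):
        return "suspicious"
    return None

def scan_log(log_text: str) -> list:
    """Parse each line; keep only those whose User-Agent is flagged."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # tolerate malformed lines instead of aborting the scan
        verdict = classify_ua(m["ua"])
        if verdict:
            hits.append({**m.groupdict(), "verdict": verdict})
    return hits

def clients_by_verdict(hits: list) -> dict:
    """Aggregate flagged source IPs per verdict for triage."""
    out = {}
    for h in hits:
        out.setdefault(h["verdict"], Counter())[h["client"]] += 1
    return out
```

An exact-match hit is the strong signal to act on; the heuristic bucket is there to review, since a lone malformed UA string can also come from scanners or misconfigured tooling.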