Security researchers at Bitsight have uncovered that the malicious botnet Socks5Systemz is behind the proxy service PROXY.AM. This discovery follows recent findings about another malware, Ngioweb, being used for similar proxy services through NSOCKS.
Dating back to 2013, Socks5Systemz transforms infected systems into proxy exit nodes, which are then marketed to cybercriminals seeking anonymity for their attacks. The botnet, operational since 2016, has affected systems across multiple countries, with India, Indonesia, Ukraine, and Algeria among the most impacted.
By early 2024, the botnet’s size fluctuated between 85,000 and 100,000 machines, down from its peak of 250,000. PROXY.AM currently advertises 80,888 proxy nodes across 31 countries. The decrease is attributed to a December 2023 incident in which the threat actors lost control of Socks5Systemz V1, necessitating a complete rebuild as V2.
The proxy service markets itself through proxy.am and proxyam.one, offering various subscription packages ranging from $126 to $700 monthly.
In related developments, researchers identified the Gafgyt botnet abusing misconfigured Docker Remote API servers to launch DDoS attacks. A separate study by Leiden University and TU Delft discovered 215 instances of exposed credentials potentially granting unauthorized access to critical services, predominantly affecting organizations in the US, India, and Australia across sectors including IT, retail, and finance.
These findings highlight the growing sophistication of botnet operations and the critical need for enhanced cybersecurity measures in cloud configurations.