Attacks leveraging the Amadey and PrivateLoader malware to deploy the Socks5Systemz proxy botnet have compromised 10,000 devices around the world since the beginning of October, most of which are from India, the U.S., Brazil, Colombia, and South Africa, reports BleepingComputer.
Recent intrusions involved the delivery of a "previewer.exe" sample that injects the proxy bot into memory and establishes persistence through a Windows service named "ContentDWSvc", according to a BitSight report. Researchers found that the proxy bot payload, which arrives as a DLL file, locates its command-and-control server through a domain generation algorithm; once that connection is made, the compromised device can be used as a proxy server.
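The two host-level indicators the report names, the "ContentDWSvc" service and the "previewer.exe" dropper, are straightforward to check for on a Windows endpoint. The following PowerShell triage script is an added example and is not code from BleepingComputer or BitSight; it assumes it is run as a local administrator on the host being checked, and it uses only the indicator names given above (the function names are this example's own). It reports the service's binary path and start mode, any running copy of the dropper, and the modules loaded into the service host process, with the caveat that a payload mapped into memory by hand will not appear in the module list.

```powershell
# Added example (not from the article or the BitSight report).
# Indicators taken from the article: service "ContentDWSvc", dropper "previewer.exe".
$ServiceIndicator = 'ContentDWSvc'
$ProcessIndicator = 'previewer'   # Get-Process takes the image name without ".exe"

function Get-SuspectService {
    param([string]$Name = $ServiceIndicator)
    # Win32_Service exposes PathName and StartMode, which Get-Service does not.
    Get-CimInstance -ClassName Win32_Service -Filter "Name = '$Name'" |
        Select-Object Name, DisplayName, State, StartMode, PathName, ProcessId
}

function Get-SuspectProcess {
    param([string]$Name = $ProcessIndicator)
    Get-Process -Name $Name -ErrorAction SilentlyContinue |
        Select-Object Id, ProcessName, Path, StartTime
}

function Get-ServiceHostModules {
    # Lists DLLs loaded in the service's host process. Manually mapped code
    # (the injection the report describes) will not show up here, so an empty
    # or clean list does not clear the host; it only narrows what to look at.
    param([int]$ServicePid)
    if ($ServicePid -le 0) { return @() }
    $p = Get-Process -Id $ServicePid -ErrorAction SilentlyContinue
    if (-not $p) { return @() }
    $p.Modules | Select-Object ModuleName, FileName
}

function Invoke-Socks5SystemzTriage {
    $findings = @()

    $svc = Get-SuspectService
    if ($svc) {
        $findings += [pscustomobject]@{
            Indicator = 'service'
            Name      = $svc.Name
            Detail    = "$($svc.PathName) (start=$($svc.StartMode), state=$($svc.State))"
            Pid       = $svc.ProcessId
        }
        foreach ($m in Get-ServiceHostModules -ServicePid $svc.ProcessId) {
            # Modules loaded from user-writable locations deserve a closer look.
            if ($m.FileName -notmatch '^[A-Za-z]:\\Windows\\') {
                $findings += [pscustomobject]@{
                    Indicator = 'module'
                    Name      = $m.ModuleName
                    Detail    = $m.FileName
                    Pid       = $svc.ProcessId
                }
            }
        }
    }

    foreach ($p in Get-SuspectProcess) {
        $findings += [pscustomobject]@{
            Indicator = 'process'
            Name      = $p.ProcessName
            Detail    = "$($p.Path) (started $($p.StartTime))"
            Pid       = $p.Id
        }
    }

    return $findings
}

# Usage: run on the endpoint and review any rows returned.
$results = Invoke-Socks5SystemzTriage
if ($results.Count -eq 0) {
    Write-Output "No Socks5Systemz host indicators found."
} else {
    $results | Format-Table -AutoSize
}
```

Because the report says the DLL reaches its C2 through a domain generation algorithm, a host that shows the service but no matching process should also be checked against DNS logs for bursts of failed lookups to unfamiliar domains, which is the usual footprint of a DGA cycling through candidates before it finds a live server.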
Further analysis revealed that Socks5Systemz operated 53 servers (proxy bot, DNS, address acquisition, and backconnect servers) across Europe, most of them in France, and offered two subscription tiers for its proxying service.
Such a development comes after AT&T Alien Labs discovered more than 400,000 nodes leveraged as part of a massive botnet.