Socks5Systemz, identified last year during large-scale distribution campaigns involving Privateloader, Smokeloader, and Amadey, has actually been active since 2013.
This malware was sold as a standalone product or integrated into other malware as a SOCKS5 proxy module. Such malware included, at least, Andromeda, Smokeloader and Trickbot.
In recent months, Bitsight TRACE investigated a Socks5Systemz botnet with 250,000 compromised systems at its peak, geographically dispersed across almost every country in the world.
The proxy service PROXY.AM, active since 2016, exploits the botnet to provide its users with proxy exit nodes and enable them to pursue broader criminal objectives.
Researchers from Bitsight and Curesec have jointly discovered a high-severity vulnerability — tracked as CVE-2023-29552 — in the Service Location Protocol (SLP)
