home.social

#socks5systemz — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #socks5systemz, aggregated by home.social.

  1. Check out the latest #socks5systemz #malware indicators: github.com/reversinglabs/rever

    *.himanfast[.]com
    *.topteamlife[.]com
    *.hitsturbo[.]com
    *.ayazprak[.]com
    check[.]graspalace[.]com

  4. 🛡️ #CyberSecurity Update: Socks5Systemz Proxy Botnet 🛡️

    The Socks5Systemz Proxy Botnet, propagated through PrivateLoader and Amadey malware loaders, has managed to infiltrate roughly 10,000 systems worldwide. Researchers have unveiled that this botnet has been operational since 2016, maintaining a low profile until its recent discovery.

    accessystem.com/it-solutions/c

    #CyberSecurity #Socks5Systemz #Malware #PrivateLoader #ProxyBotnet #MalwareAttack #ACCESSYSTEM #Dubai #Doha #Qatar #UAE #India

  6. @da_667 That’s a good question! By the looks of the TCP 1074 traffic the connect messages start with two or three null bytes, followed by a 16-bit length field in little endian byte order. The length is the number of characters in the string that follows. Then comes whatever string the C2 server provided after ip= in the c=connect command, followed by the client_id in reversed byte order.

    The #Socks5Systemz backconnect message format is something like this:
    [null bytes][length][ip string][client_id]

    There are also other message types, but they start with other values than 0x00. One example is when the C2 server sends the c=updips command, after which the client connects back to TCP 1074 and sends data starting with 0x02 instead. The actual backconnect proxy traffic uses 0x01.
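As an added example (not code from the post's author), the following Python parser implements the backconnect connect message layout described in the post above, plus a first-byte classifier for the other message types it mentions. It is the kind of decoder an analyst runs over captured outbound TCP 1074 traffic to confirm a host speaks this protocol. Two assumptions are mine, not the post's: leading null bytes are skipped however many there are (valid while the length is below 256, since the low byte of the little-endian length then stops the skip), and the client_id is taken to be the whole remainder of the message because the post does not give its length. The sample message is constructed, not captured traffic.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# First byte of a message on the TCP 1074 backconnect channel, per the post:
# 0x00 connect message, 0x01 proxied traffic, 0x02 reply to the c=updips command.
MESSAGE_TYPES = {0x00: "connect", 0x01: "proxy-data", 0x02: "updips"}


@dataclass
class ConnectMessage:
    ip_string: str    # the string the C2 supplied after ip= in c=connect
    client_id: bytes  # client_id, restored to its normal byte order


def classify_backconnect(data: bytes) -> str:
    """Name a backconnect message by its first byte."""
    if not data:
        return "empty"
    return MESSAGE_TYPES.get(data[0], "unknown(0x%02x)" % data[0])


def parse_connect(data: bytes) -> Optional[ConnectMessage]:
    """Parse [null bytes][u16 LE length][ip string][client_id reversed].

    The post reports two or three leading null bytes; this parser skips however
    many there are (assumption). That is safe while the length is below 256,
    because the low byte of the little-endian length field is then non-zero and
    stops the skip. Returns None for anything that is not a well-formed connect
    message, including messages of another type (first byte != 0x00)."""
    i = 0
    while i < len(data) and data[i] == 0:
        i += 1
    if i == 0 or i + 2 > len(data):
        return None
    (length,) = struct.unpack_from("<H", data, i)
    i += 2
    if length == 0 or i + length > len(data):
        return None
    ip_string = data[i:i + length].decode("ascii", errors="replace")
    i += length
    # Everything after the string is the client_id on the wire, reversed. The post
    # does not give its length, so the whole remainder is taken (assumption).
    client_id = data[i:][::-1]
    return ConnectMessage(ip_string=ip_string, client_id=client_id)


def build_sample_connect() -> bytes:
    """Constructed sample, not captured traffic: two null bytes, a 15-byte ip string
    from the documentation address range, and a made-up 4-byte client_id reversed."""
    ip = b"192.0.2.10:1080"
    client_id = bytes.fromhex("01020304")
    return b"\x00\x00" + struct.pack("<H", len(ip)) + ip + client_id[::-1]


if __name__ == "__main__":
    sample = build_sample_connect()
    print(classify_backconnect(sample))
    print(parse_connect(sample))
    print(classify_backconnect(b"\x02" + b"\x00" * 4))
```

Feeding `parse_connect` the payload of the first client-to-server segment of a TCP 1074 connection gives the ip string and client_id as a quick triage output; any non-zero first byte is reported by `classify_backconnect` instead, matching the post's note that proxy data (0x01) and updips replies (0x02) use different leading values.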

  11. The exact same protocol, but without RC4 encryption, was also reverse engineered by Vitali Kremez (RIP 💜) in his “Let’s Learn: Trickbot Socks5 Backconnect Module In Detail” blog post from 2017.
    #TrickBot #TeamSpy #Socks5Systemz
    vk-intel.org/2017/11/21/lets-l

  16. The RC4 cipher is actually reset with every C2 message 🤪🤣 This makes it possible to detect #Socks5Systemz bot checkins with a static signature that looks for GET requests that have a QueryString starting with c=94bf3661c794e3eb1ba4.

    It’s also possible to identify the C2 commands from the server without having to decrypt them. Here’s a translation table:

    • 94ee3b6dda83d3ec11fc3742 ➡️ c=disconnect
    • 94ee3660c585 ➡️ c=idle
    • 94ee2a74cd89ccf1 ➡️ c=updips
    • 94ee3c6bc78ed9e10b ➡️ c=connect
  21. Unveiling Socks5Systemz: The Rise of a New Proxy Service via PrivateLoader and Amadey

    Bitsight has uncovered a proxy botnet delivered by PrivateLoader and Amadey, two loaders frequently employed by threat actors to distribute malware and build their botnets.

    Pulse ID: 65496ba01d87131cbc5a6484
    Pulse Link: otx.alienvault.com/pulse/65496
    Pulse Author: AlienVault
    Created: 2023-11-06 22:41:35

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #OTX #OpenThreatExchange #InfoSec #bot #CyberSecurity #malware #Socks5Systemz #proxy #Amadey #botnet #AlienVault

  22. The C2 protocol in BitSight’s Unveiling Socks5Systemz seems to be identical to what’s described in this old BackDoor.TeamViewer.49 blog post by DrWEB from 2016!

    They both even use the same RC4 encryption key heyfg645fdhwi, which can be used to decrypt requests and responses from the C2.

    #Socks5Systemz #TeamSpy
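An added example, not the posters' code, that makes the point of posts 16 and 22 concrete. Because the RC4 state is reset for every message, the same keystream bytes are XORed onto the start of every command, so ciphertext XOR known plaintext from the translation table in post 16 must give one consistent keystream, and both the bot check-in and the server commands can be matched on a static prefix. The block implements plain RC4 (for decrypting captured requests and responses with the key quoted in post 22), recovers the keystream from the posted table while checking that all four entries agree, applies the recovered bytes to the posted check-in prefix, and provides the two static matchers. That check-in decoding is derived here from the posted values, not stated in any post. The request lines are constructed samples; `key_reproduces_table()` cross-checks the quoted key against the recovered keystream at run time rather than assuming the answer.

```python
from urllib.parse import parse_qs, urlsplit

# Values quoted from the posts: the RC4 key (post 22), the check-in query prefix and
# the ciphertext-to-command translation table (post 16).
RC4_KEY = b"heyfg645fdhwi"
CHECKIN_PREFIX = "94bf3661c794e3eb1ba4"
COMMAND_TABLE = {
    "94ee3b6dda83d3ec11fc3742": "c=disconnect",
    "94ee3660c585": "c=idle",
    "94ee2a74cd89ccf1": "c=updips",
    "94ee3c6bc78ed9e10b": "c=connect",
}


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (KSA + PRGA), the way an analyst implements it to decrypt captures."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt one message. The cipher starts fresh on every call, which
    is what post 16 says the malware does and why the prefixes below are stable."""
    ks = rc4_keystream(key, len(data))
    return bytes(a ^ b for a, b in zip(data, ks))


def recover_keystream(table: dict) -> bytes:
    """Known-plaintext recovery: ciphertext XOR plaintext for every table entry.
    Overlapping bytes from different entries must agree, otherwise the cipher is not
    being reset per message. Returns the longest keystream prefix the table supports."""
    recovered = bytearray()
    for ct_hex, plaintext in table.items():
        ct = bytes.fromhex(ct_hex)
        pt = plaintext.encode()
        if len(ct) != len(pt):
            raise ValueError(f"{plaintext}: ciphertext length {len(ct)} != {len(pt)}")
        ks = bytes(a ^ b for a, b in zip(ct, pt))
        for idx, byte in enumerate(ks):
            if idx < len(recovered):
                if recovered[idx] != byte:
                    raise ValueError(f"keystream mismatch at byte {idx} for {plaintext}")
            else:
                recovered.append(byte)
    return bytes(recovered)


def identify_command(response_hex: str) -> str:
    """Name a server command from its ciphertext prefix, no decryption needed."""
    h = response_hex.strip().lower()
    for prefix, name in COMMAND_TABLE.items():
        if h.startswith(prefix):
            return name
    return "unknown"


def is_checkin_request(request_line: str) -> bool:
    """Static signature for the bot check-in: a GET whose c= query value starts with
    the fixed prefix, which is what an IDS rule matching on the URI would test."""
    parts = request_line.split()
    if len(parts) < 2 or parts[0] != "GET":
        return False
    c_values = parse_qs(urlsplit(parts[1]).query).get("c", [])
    return bool(c_values) and c_values[0].lower().startswith(CHECKIN_PREFIX)


def decode_checkin_prefix() -> str:
    """XOR the posted check-in prefix with the keystream recovered from the command
    table. This decoding is derived from the posted values, not stated in the posts."""
    ks = recover_keystream(COMMAND_TABLE)
    ct = bytes.fromhex(CHECKIN_PREFIX)
    return bytes(a ^ b for a, b in zip(ct, ks)).decode("ascii", errors="replace")


def key_reproduces_table() -> bool:
    """True if RC4 under the key quoted in post 22 yields the recovered keystream."""
    ks = recover_keystream(COMMAND_TABLE)
    return rc4_keystream(RC4_KEY, len(ks)) == ks


if __name__ == "__main__":
    # Constructed sample lines, not captured traffic.
    print(is_checkin_request("GET /?c=94bf3661c794e3eb1ba4aabb HTTP/1.1"))
    print(identify_command("94ee3c6bc78ed9e10b"))
    print(recover_keystream(COMMAND_TABLE).hex())
    print(decode_checkin_prefix())
    print("key from post reproduces table:", key_reproduces_table())
```

`recover_keystream` raising on a mismatch is the useful failure mode: if a future sample's commands stop lining up, either the key changed or the per-message reset was removed, and the static prefixes in a detection rule would need to be re-derived from fresh known plaintext.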

  27. "🚨 Rise of #SOCKS5Systemz: A New Proxy Menace"

    The BitSight investigation found that PrivateLoader and the Amadey botnet are now working together, making it easier to distribute malware. This partnership is a big threat because it simplifies how malware is spread.

    We also looked into SOCKS5Systemz, a proxy service, and discovered a concerning trend in proxy services. PrivateLoader and Amadey, which used to be separate threats, are now connected, showing a change in how cybercriminals cooperate.

    BitSight's latest findings reveal a new proxy service called Socks5Systemz. It's being distributed through PrivateLoader and Amadey, which are common tools for cybercriminals to spread malware. This service sells access to about 10,000 infected systems globally, with no victims in Russia, suggesting the operators may be located there. They offer different subscription levels, paid in cryptocurrency, letting clients hide their internet activity, which poses risks to network security. The botnet spans several European countries and provides standard and VIP subscriptions, meeting various user demands for anonymity. 💻🔗

    Source: BitSight Blog

    Tags: #CyberSecurity #ProxyServices #PrivateLoader #Amadey #CyberThreats #CyberCollaboration #InfoSec #ThreatIntelligence #Malware 🛡️

  31. "๐Ÿšจ Rise of #SOCKS5Systemz: A New Proxy Menace ๐ŸŒ"

    The BitSight investigation found that PrivateLoader and the Amadey botnet are now working together, making it easier to distribute malware. This partnership is a big threat because it simplifies how malware is spread.

    We also looked into SOCKS5Systemz, a proxy service, and discovered a concerning trend in proxy services. PrivateLoader and Amadey, which used to be separate threats, are now connected, showing a change in how cybercriminals cooperate.

    BitSight's latest findings reveal a new proxy service called Socks5Systemz. It's being distributed through PrivateLoader and Amadey, which are common tools for cybercriminals to spread malware. This service sells access to about 10,000 infected systems globally, with no victims in Russia, suggesting the operators may be located there. They offer different subscription levels, paid in cryptocurrency, letting clients hide their internet activity, which poses risks to network security. The botnet spans several European countries and provides standard and VIP subscriptions, meeting various user demands for anonymity.๐Ÿค๐Ÿ’ป๐Ÿ”—

    Source: BitSight Blog

    Tags: #CyberSecurity #ProxyServices #PrivateLoader #Amadey #CyberThreats #CyberCollaboration #InfoSec #ThreatIntelligence #Malware ๐Ÿ›ก๏ธ๐Ÿ”

  32. This malware infiltrates computers and transforms them into proxies for forwarding traffic, which can be used for malicious, illegal, or anonymous purposes.

    #Cybersecurity #Proxy #Malware #Botnet #Socks5Systemz

    cybersec84.wordpress.com/2023/
