PROXY.AM Powered by Socks5Systemz Botnet
- Socks5Systemz, identified last year during large-scale distribution campaigns involving Privateloader, Smokeloader, and Amadey, has actually been active since 2013. This malware was sold as a standalone product or integrated into other malware as a SOCKS5 proxy module. Such malware included, at least, Andromeda, Smokeloader and Trickbot. In recent months, Bitsight TRACE investigated a Socks5Systemz botnet with 250,000 compromised systems at its peak, geographically dispersed across almost every country in the world. * The proxy service PROXY.AM, active since 2016, exploits the botnet to provide its users with proxy exit nodes and enable them to pursue broader criminal objectives.
Botnet 7777: Are You Betting on a Compromised Router?
Discover the latest insights on the Quad7 / 7777 botnet in our detailed analysis. Learn about the expansion of this resilient threat, its targeting patterns, and proactive measures to defend against compromised routers. Stay informed with our up-to-date findings and recommendations.
Beware the Unpatchable: Corona Mirai Botnet Spreads via Zero-Day
- The Akamai Security Intelligence and Response Team (SIRT) has observed a botnet campaign that is abusing several previously exploited vulnerabilities, as well as a zero-day vulnerability discovered by the SIRT. CVE-2024-7029 (discovered by Aline Eliovich) is a command injection vulnerability found in the brightness function of AVTECH closed-circuit television (CCTV) cameras that allows for remote code execution (RCE). Once injected, the botnet spreads a Mirai variant with string names that reference the COVID-19 virus that has been seen since at least 2020. * We have included a list of indicators of compromise (IOCs) to assist in defense against this threat.
Solving the 7777 Botnet enigma: A cybersecurity quest
- Sekoia.io investigated the mysterious 7777 botnet (aka. Quad7 botnet), published by the independent researcher Gi7w0rm inside the “The curious case of the 7777 botnet” blogpost. This investigation allowed us to intercept network communications and malware deployed on a TP-Link router compromised by the Quad7 botnet in France. To our understanding, the Quad7 botnet operators leverage compromised TP-Link routers to relay password spraying attacks against Microsoft 365 accounts without any specific targeting. Therefore, we link the Quad7 botnet activity to possible long term business email compromise (BEC) cybercriminal activity rather than an APT threat actor. However, certain mysteries remain regarding the exploits used to compromise the routers, the geographical distribution of the botnet and the attribution of this activity cluster to a specific threat actor. * The insecure architecture of this botnet led us to think that it can be hijacked by other threat actors to install their own implants on the compromised TP-Link routers by using the Quad7 botnet accesses.
Operators of 911 S5 residential proxy service subjected to US sanctions
Chinese nationals Yunhe Wang, Jingping Liu, and Yanni Zheng have been sanctioned by the U.S. Treasury Department for operating the residential proxy service 911 S5, which was a botnet comprised of over 19 million residential IP addresses that had been used to support various cybercrime groups' COVID-19 relief scams and bomb threats, Ars Technica reports.
Office of Public Affairs | 911 S5 Botnet Dismantled and Its Administrator Arrested in Coordinated International Operation | United States Department of Justice
A court-authorized international law enforcement operation led by the U.S. Justice Department disrupted a botnet used to commit cyber attacks, large-scale fraud, child exploitation, harassment, bomb threats, and export violations.
