
The proxy network, known as REM Proxy, is powered by malware known as SystemBC, which makes up around 80% of the botnet the service offers to its users, according to a new report from the Black Lotus Labs team at Lumen Technologies.
“REM Proxy is a considerable network, selling a pool of 20,000 MikroTik routers and a variety of open proxies that are freely available online,” the report, shared with The Hacker News, said. “The service is a favorite of several actors, including the actor behind TransferLoader, which is linked to the Morpheus ransomware group.”
SystemBC is C-based malware that turns an infected computer into a SOCKS5 proxy, allowing infected hosts to communicate with command-and-control (C2) servers and download additional payloads. The malware, first documented by Proofpoint in 2019, can target both Windows and Linux systems.
In a report earlier this January, ANY.RUN revealed that the Linux variant of the SystemBC proxy implant may be designed for internal corporate services and is primarily used to target corporate networks, cloud servers, and IoT devices.

As is typical of proxy services, users of the network connect to SystemBC C2 servers on high-numbered ports, and the C2 then routes the user's traffic through one of the victims before it reaches its destination.
According to Lumen, the SystemBC botnet consists of over 80 C2 servers and an average of 1,500 victims per day, nearly 80% of which are compromised virtual private server (VPS) systems from several large commercial providers. Interestingly, 300 of these victims are also part of another botnet called GoBruteforcer (aka GoBrut).
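The relay model described above (an external user reaches a C2 server, which forwards the session through a compromised host as a SOCKS5 proxy) gives a defender two concrete things to look for in network telemetry: SOCKS5 handshakes arriving at internal servers on ports where no sanctioned proxy listens, and any traffic touching the C2 address named in this article. The following is an added example, not code from Lumen's report or from The Hacker News. It parses the SOCKS5 client greeting and CONNECT request as specified in RFC 1928 and runs a small detector over constructed flow records; the internal address ranges, the "usual" SOCKS ports, and the flow records themselves are assumptions made for the example.

```python
"""Added example (not from the Lumen report or the article): flag internal hosts
that appear to be acting as SOCKS5 relays for external clients, and flag any
flow that touches the C2 address named in the article.  All flow records below
are constructed; the internal ranges and sanctioned SOCKS ports are assumptions."""
import ipaddress
from typing import List, Optional, Tuple

SOCKS_VERSION = 0x05
SOCKS_CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04

# Assumption: ports on which a sanctioned, known SOCKS proxy would listen.
USUAL_SOCKS_PORTS = {1080, 1081}
# The only indicator quoted in the article (defanged there as 104.250.164[.]214).
ARTICLE_C2 = {"104.250.164.214"}
# Assumption: our own VPS address range for the example.
INTERNAL_NETS = ["198.51.100.0/24"]


def parse_socks5_greeting(payload: bytes) -> Optional[List[int]]:
    """Return the offered auth methods if payload starts with a well-formed
    SOCKS5 client greeting (VER NMETHODS METHODS...), otherwise None."""
    if len(payload) < 2 or payload[0] != SOCKS_VERSION:
        return None
    nmethods = payload[1]
    if nmethods == 0 or len(payload) < 2 + nmethods:
        return None
    return list(payload[2:2 + nmethods])


def parse_socks5_request(payload: bytes) -> Optional[Tuple[int, str, int]]:
    """Parse a SOCKS5 request (VER CMD RSV ATYP DST.ADDR DST.PORT).
    Returns (cmd, host, port), or None if the bytes are malformed."""
    if len(payload) < 4 or payload[0] != SOCKS_VERSION or payload[2] != 0x00:
        return None
    cmd, atyp, body = payload[1], payload[3], payload[4:]
    if atyp == ATYP_IPV4:
        if len(body) < 6:
            return None
        host, off = str(ipaddress.IPv4Address(body[:4])), 4
    elif atyp == ATYP_DOMAIN:
        if len(body) < 1 or len(body) < 1 + body[0] + 2:
            return None
        host, off = body[1:1 + body[0]].decode("ascii", "replace"), 1 + body[0]
    elif atyp == ATYP_IPV6:
        if len(body) < 18:
            return None
        host, off = str(ipaddress.IPv6Address(body[:16])), 16
    else:
        return None
    return cmd, host, int.from_bytes(body[off:off + 2], "big")


def analyze_flows(flows, internal_nets=INTERNAL_NETS):
    """Return (flow_id, rule, detail) findings.  `client_bytes` is the
    reassembled client-to-server byte stream with server replies removed."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]

    def internal(ip: str) -> bool:
        return any(ipaddress.ip_address(ip) in n for n in nets)

    findings = []
    for f in flows:
        src, dst, dport, data = f["src"], f["dst"], f["dport"], f["client_bytes"]
        if dst in ARTICLE_C2 or src in ARTICLE_C2:
            peer = dst if dst in ARTICLE_C2 else src
            findings.append((f["id"], "ioc-match", f"traffic with known SystemBC C2 {peer}"))
        methods = parse_socks5_greeting(data)
        if methods is None:
            continue
        req = parse_socks5_request(data[2 + len(methods):])
        if req is None or req[0] != SOCKS_CMD_CONNECT:
            continue
        _, host, port = req
        # An internal host accepting SOCKS5 CONNECTs from the outside on an
        # unexpected port looks like the relay behaviour the article describes.
        if internal(dst) and not internal(src) and dport not in USUAL_SOCKS_PORTS:
            findings.append((f["id"], "unsanctioned-socks5-relay",
                             f"{dst}:{dport} relayed external {src} toward {host}:{port}"))
    return findings


# Constructed sample flows (not real traffic).
SAMPLE_FLOWS = [
    # 1: external client -> our VPS on port 4001, SOCKS5 CONNECT to example.net:443
    {"id": 1, "src": "203.0.113.7", "dst": "198.51.100.20", "dport": 4001,
     "client_bytes": b"\x05\x01\x00" + b"\x05\x01\x00\x03" + bytes([11]) + b"example.net" + b"\x01\xbb"},
    # 2: our VPS beaconing to the C2 address quoted in the article
    {"id": 2, "src": "198.51.100.20", "dst": "104.250.164.214", "dport": 4001, "client_bytes": b""},
    # 3: internal client using the sanctioned proxy on 1080 toward 10.0.0.5:22
    {"id": 3, "src": "198.51.100.30", "dst": "198.51.100.2", "dport": 1080,
     "client_bytes": b"\x05\x01\x00" + b"\x05\x01\x00\x01\x0a\x00\x00\x05\x00\x16"},
    # 4: ordinary HTTP from outside, not SOCKS at all
    {"id": 4, "src": "203.0.113.9", "dst": "198.51.100.20", "dport": 8080,
     "client_bytes": b"GET / HTTP/1.1\r\n"},
]

if __name__ == "__main__":
    for flow_id, rule, detail in analyze_flows(SAMPLE_FLOWS):
        print(f"flow {flow_id}: {rule}: {detail}")
```

Run against the sample flows, the detector reports flow 1 as an unsanctioned SOCKS5 relay and flow 2 as an IoC match, and stays silent on the sanctioned proxy use in flow 3 and the plain HTTP in flow 4. In practice `client_bytes` would come from a packet capture or a flow sensor that keeps the first bytes of each session, and the IoC set would be fed from threat intelligence rather than a single hard-coded address.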

Of these, nearly 40% of the compromised hosts have a “very long average” infection lifespan of 31 days. Worse, most of the victimized servers are susceptible to known security flaws: each victim has an average of 20 unpatched CVEs and at least one important CVE, and one of the identified VPS servers, located in Atlanta, USA, is vulnerable to over 160 unpatched CVEs.
“The victims now serve as proxies that carry large amounts of malicious traffic for use by numerous criminal threat groups,” the company said. “By operating on VPS systems instead of devices in residential IP space, SystemBC can provide a proxy that delivers large volumes over a long period, as is typical in a malware-based proxy network.”
In addition to REM Proxy, SystemBC’s other customers include at least two different Russia-based proxy services, a Vietnamese proxy service called VN5Socks (aka ShopSocks5), and a Russian web scraping service.

Key to the malware’s operation is the IP address 104.250.164[.]214, which appears to be the source of the attacks, not only hosting artifacts but also recruiting new victims. When a new victim is recruited, a shell script is dropped onto the machine, and the malware is then delivered.
The botnet operates with little regard for stealth; its main goal is to grow its footprint by pulling as many devices as possible into the botnet. One of the biggest use cases for the illicit network comes from the threat actors behind SystemBC themselves.

The ultimate goal is likely to sell harvested credentials to other criminals on underground forums, then weaponize them to inject malicious code into the affected sites for their next campaign.
“SystemBC has demonstrated sustained activity and operational resilience over the years, establishing it as a durable vector within the cyber threat landscape,” Lumen said. “The platform, originally used by threat actors to enable ransomware campaigns, has evolved to provide custom botnet assembly and sales.”
“Their model offers considerable advantages, allowing widespread reconnaissance, spam distribution, and related activities to be carried out, while letting attackers reserve more selective proxy resources for targeted attacks informed by prior intelligence collection.”