Ancestors

Written by abuse.ch :verified: on 2024-12-05 at 10:41

On the 1st of December, the notorious Socks5Systemz payload server hosted at AS57678 (Cat Technologies 🇭🇰), which has already been active for several months, started to serve a new version of Socks5Systemz ⤵️

๐ŸŒ https://urlhaus.abuse.ch/url/3189430/

This is the first major change since 2023 in Socks5Systemz and includes:

🔑 New RC4 key used during C2 communication: hi_few5i6ab&7#d3

👋 Direct IP communication through HTTP(s) for botnet command and control instead of using a DGA and a custom DNS server

🔙 Backconnect TCP port changed from 2023 to 2024

Current botnet C2 servers:

188.119.66.185:443 CHANGWAY 🇭🇰

45.155.249.212:443 RACKPLACE 🇩🇪

91.211.249.30:443 PODAON 🇱🇻

Malware sample: 📄 https://bazaar.abuse.ch/sample/528334ed9e4567a89f3cf4e4700946056499624dcfdd3b32a7800abc08eff9fe/

Socks5Systemz IOCs: 🦊 https://threatfox.abuse.ch/browse/malware/win.socks5_systemz/


=> More information about this toot | More toots from abuse_ch@ioc.exchange
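As an added example (not abuse.ch's code and not part of the thread), a small Python helper an analyst can use to RC4-decrypt a captured C2 body with the key quoted in the post and check whether the result looks like text, which is handy for telling a capture made with the new key apart from one made with some other candidate key. The sample ciphertext is constructed inside the block; the real Socks5Systemz message format is not described in the post, so the demo plaintext is made up.

```python
from typing import Iterable, Optional, Tuple

# RC4 key quoted in the post for the new Socks5Systemz C2 traffic.
SOCKS5SYSTEMZ_RC4_KEY = b"hi_few5i6ab&7#d3"


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encrypt and decrypt are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def printable_ratio(blob: bytes) -> float:
    """Fraction of bytes that are printable ASCII or common whitespace."""
    if not blob:
        return 0.0
    return sum(32 <= b < 127 or b in (9, 10, 13) for b in blob) / len(blob)


def try_keys(ciphertext: bytes, keys: Iterable[bytes],
             threshold: float = 0.9) -> Optional[Tuple[bytes, bytes]]:
    """Return (key, plaintext) for the first key whose output looks like
    text, or None. Lets an analyst tell whether a capture used the quoted
    key or some other candidate (e.g. the previous key) without eyeballing
    each decryption by hand."""
    for key in keys:
        plain = rc4(key, ciphertext)
        if printable_ratio(plain) >= threshold:
            return key, plain
    return None


# CONSTRUCTED demo: a made-up beacon body encrypted with the quoted key.
# The real C2 message format is not described in the post.
DEMO_PLAINTEXT = b"id=DEMO-BOT-0001&port=2024&ver=2"
DEMO_CIPHERTEXT = rc4(SOCKS5SYSTEMZ_RC4_KEY, DEMO_PLAINTEXT)
```

Feed `try_keys` a real captured body and a list of candidate keys; a hit means the body decrypts to mostly printable bytes, a `None` means none of the candidates fit.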

Written by ๐™ฝ๐™ด๐šƒ๐š๐™ด๐š‚๐™ด๐™ฒ on 2024-12-05 at 15:42

@abuse_ch Thanks for the heads up! Reported a new Socks5Systemz backconnect server on 31.214.157.206:2024 to ThreatFox.

https://threatfox.abuse.ch/ioc/1352594/

=> More information about this toot | More toots from netresec@infosec.exchange

Toot

Written by abuse.ch :verified: on 2024-12-05 at 16:11

@netresec rockstar! Thank you so much 🙏🏼

=> More information about this toot | More toots from abuse_ch@ioc.exchange

Descendants

Original URL
gemini://mastogem.picasoft.net/thread/113601090676509123