Unraveling the Web of Sock5Systemz: Amadey and PrivateLoader Malware Revealed

News, Malware, Botnet, Breach, Cyber security, Cybercrime | Mjolnir Security | November 5, 2023

Background

Two names have been causing a stir in the cybersecurity community recently: Amadey and PrivateLoader. Both have been observed delivering a proxy malware called “Sock5Systemz”. In this post we look at the mechanics of these three malware families, their Tactics, Techniques, and Procedures (TTPs), and how Mjolnir Security has been tracking their spread.

Amadey: The Silent Observer

Amadey is a small but effective Trojan that is used primarily for reconnaissance. It gives the operator a basic profile of the infected machine, which is then used to decide whether and what to deliver next.

TTPs of Amadey:

  1. Delivery & Execution: Amadey typically reaches its victims through spear-phishing campaigns, either as a malicious attachment or via a link to a compromised website.
  2. Information Gathering: Once running, it collects host details such as the OS version, installed software, and the privileges of the current user.
  3. Command & Control (C2) Communication: Amadey reports the collected information to its C2 server and then polls it for further commands.

PrivateLoader: The Persistent Threat

PrivateLoader is a malware downloader known for its persistence mechanisms. Its sole purpose is to download and execute additional payloads on behalf of whoever is paying for the installs.

TTPs of PrivateLoader:

  1. Delivery: Like Amadey, PrivateLoader relies on spear-phishing and malicious attachments.
  2. Persistence: It uses several techniques to survive reboots and cleanup attempts, including registry modifications and scheduled tasks.
  3. Payload Delivery: Once running, it contacts its C2 server to fetch and execute the next-stage payload, which in many of the cases we have seen has been Sock5Systemz.

Sock5Systemz: The Nexus

Sock5Systemz is the final payload, most often delivered by PrivateLoader. It turns the infected machine into a SOCKS5 proxy, so the attackers (or whoever rents access to the bot) can tunnel their traffic through the victim. Traffic then appears to originate from the victim’s IP address rather than the attacker’s, which both hides the real source and lends the traffic the reputation of an ordinary residential or corporate address. For defenders, the tell is a host that should never accept proxy sessions suddenly accepting connections whose first bytes are a SOCKS5 handshake.
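To make that tell concrete, here is a small decoder for the client side of a SOCKS5 session as specified in RFC 1928. It is an added example written for this post, not code from Mjolnir Security or from the malware itself; the byte strings at the bottom are constructed for illustration, and the decoder deliberately ignores the server’s method-selection reply so it can be run over the first client bytes of any inbound session.

```python
"""Decoder for the client side of a SOCKS5 session (RFC 1928).

Added example for this post. The sample byte strings below are constructed,
not captured from Sock5Systemz; the decoder looks only at bytes the client
sends, so it can be pointed at the opening bytes of any inbound session.
"""
import ipaddress
import struct
from typing import Optional

SOCKS_VERSION = 0x05
CMD_NAMES = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP ASSOCIATE"}
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
METHOD_NAMES = {0x00: "NO AUTH", 0x01: "GSSAPI", 0x02: "USERNAME/PASSWORD"}


def parse_greeting(data: bytes) -> dict:
    """Client greeting: VER | NMETHODS | METHODS (NMETHODS bytes)."""
    if len(data) < 2 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 greeting")
    if len(data) != 2 + data[1]:
        raise ValueError("method list length mismatch")
    return {"methods": [METHOD_NAMES.get(m, f"0x{m:02x}") for m in data[2:]]}


def parse_request(data: bytes) -> dict:
    """Client request: VER | CMD | RSV=0x00 | ATYP | DST.ADDR | DST.PORT (big-endian)."""
    if len(data) < 4 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 request")
    cmd, rsv, atyp = data[1], data[2], data[3]
    if rsv != 0x00:
        raise ValueError("reserved byte must be zero")
    if atyp == ATYP_IPV4:
        addr_end = 4 + 4
        host = str(ipaddress.IPv4Address(data[4:addr_end]))  # raises ValueError if short
    elif atyp == ATYP_DOMAIN:
        if len(data) < 5:
            raise ValueError("missing domain length")
        addr_end = 5 + data[4]  # one length byte, then the name
        host = data[5:addr_end].decode("ascii", errors="replace")
    elif atyp == ATYP_IPV6:
        addr_end = 4 + 16
        host = str(ipaddress.IPv6Address(data[4:addr_end]))
    else:
        raise ValueError(f"unknown address type 0x{atyp:02x}")
    if len(data) != addr_end + 2:
        raise ValueError("request length mismatch")
    (port,) = struct.unpack("!H", data[addr_end:addr_end + 2])
    return {"cmd": CMD_NAMES.get(cmd, f"0x{cmd:02x}"), "host": host, "port": port}


def decode_client_stream(stream: bytes) -> Optional[dict]:
    """Split client-to-proxy bytes into greeting + first request.

    Returns None when the bytes are not a SOCKS5 conversation, so the
    function can be run over every new session without raising.
    """
    if len(stream) < 2 or stream[0] != SOCKS_VERSION:
        return None
    greeting_len = 2 + stream[1]
    try:
        result = parse_greeting(stream[:greeting_len])
        result.update(parse_request(stream[greeting_len:]))
    except ValueError:
        return None
    return result


# Constructed samples (not real captures): a client offering "no auth" and
# asking for CONNECT to example.com:443, a second one targeting the
# documentation address 192.0.2.10:80, and a plain HTTP request for contrast.
SAMPLE_DOMAIN = (b"\x05\x01\x00"
                 + b"\x05\x01\x00\x03" + bytes([len(b"example.com")]) + b"example.com"
                 + (443).to_bytes(2, "big"))
SAMPLE_IPV4 = (b"\x05\x01\x00"
               + b"\x05\x01\x00\x01" + bytes([192, 0, 2, 10]) + (80).to_bytes(2, "big"))
NOT_SOCKS = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"

if __name__ == "__main__":
    for label, sample in (("domain", SAMPLE_DOMAIN), ("ipv4", SAMPLE_IPV4), ("http", NOT_SOCKS)):
        print(label, decode_client_stream(sample))
```

Anything the decoder accepts on a workstation that is not supposed to be a proxy is worth a ticket; the destination host and port it extracts tell you what the proxy customer was trying to reach through your address space.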

Mjolnir Security’s Investigation

Our team at Mjolnir Security has been tracking the spread of Sock5Systemz and its delivery through Amadey and PrivateLoader. Two views of that data are summarised below.

1. C2 Server Mapping: Our first graphic shows the global distribution of the C2 servers associated with these malware families, with nodes spread across several continents. Each label is the organization name found in the whois record for the C2 IP address or domain.

2. Rise in C2 Communications: The second graphic is a histogram of the daily count of C2 connections over the past year. A clear surge in recent months indicates an escalation in the campaign’s activity.
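The histogram above is built from connection telemetry; the following added example shows the same aggregation and a simple surge check over a handful of constructed log lines. The log format, the 10.0.0.0/8 source addresses and the 203.0.113.0/24 destinations are placeholders invented for the example, not Mjolnir data or real indicators.

```python
"""Daily C2-connection histogram with a median-based surge check.

Added example for this post, run over constructed log lines. The format
(ISO timestamp, src=, dst=, tag=c2) and the addresses are invented; 10/8 is
private space and 203.0.113.0/24 is a documentation range, so nothing here
is a real indicator.
"""
import re
import statistics
from collections import Counter
from datetime import date, timedelta
from typing import Dict, List

# Constructed sample: one line per connection to an address already tagged as C2.
SAMPLE_LOG = """\
2023-10-01T08:12:03Z src=10.0.0.5 dst=203.0.113.10:443 tag=c2
2023-10-01T17:40:11Z src=10.0.0.9 dst=203.0.113.10:443 tag=c2
2023-10-02T09:02:55Z src=10.0.0.5 dst=203.0.113.10:443 tag=c2
2023-10-03T07:58:19Z src=10.0.0.5 dst=203.0.113.22:8080 tag=c2
2023-10-03T19:21:42Z src=10.0.0.9 dst=203.0.113.10:443 tag=c2
2023-10-04T06:11:08Z src=10.0.0.5 dst=203.0.113.10:443 tag=c2
2023-10-04T12:44:31Z src=10.0.0.14 dst=203.0.113.22:8080 tag=c2
2023-10-05T00:05:12Z src=10.0.0.5 dst=203.0.113.10:443 tag=c2
2023-10-05T01:15:47Z src=10.0.0.9 dst=203.0.113.10:443 tag=c2
2023-10-05T02:30:03Z src=10.0.0.14 dst=203.0.113.22:8080 tag=c2
2023-10-05T03:45:29Z src=10.0.0.21 dst=203.0.113.10:443 tag=c2
2023-10-05T05:02:16Z src=10.0.0.27 dst=203.0.113.22:8080 tag=c2
2023-10-05T06:18:54Z src=10.0.0.33 dst=203.0.113.10:443 tag=c2
2023-10-05T07:33:40Z src=10.0.0.5 dst=203.0.113.10:443 tag=c2
2023-10-06T10:09:27Z src=10.0.0.5 dst=203.0.113.10:443 tag=c2
2023-10-06T22:51:13Z src=10.0.0.21 dst=203.0.113.22:8080 tag=c2
"""

LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+ src=(?P<src>\S+) dst=(?P<dst>\S+) tag=c2$"
)


def daily_counts(log_text: str) -> Dict[date, int]:
    """Count C2 connections per calendar day.

    Days with no connections inside the observed range are filled with 0 so
    a quiet day does not silently vanish from the histogram.
    """
    counts: Counter = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unrelated or malformed line
        counts[date.fromisoformat(m.group("day"))] += 1
    if not counts:
        return {}
    first, last = min(counts), max(counts)
    span = [first + timedelta(days=i) for i in range((last - first).days + 1)]
    return {day: counts.get(day, 0) for day in span}


def surge_days(counts: Dict[date, int], window: int = 3, factor: float = 3.0) -> List[date]:
    """Flag days whose count is at least `factor` times the median of the
    preceding `window` days. A median baseline is not dragged up by a single
    earlier spike, so the day after a surge is not hidden by the surge itself."""
    days = sorted(counts)
    flagged: List[date] = []
    for i in range(window, len(days)):
        baseline = statistics.median([counts[d] for d in days[i - window:i]])
        if baseline > 0 and counts[days[i]] >= factor * baseline:
            flagged.append(days[i])
    return flagged


if __name__ == "__main__":
    counts = daily_counts(SAMPLE_LOG)
    hot = set(surge_days(counts))
    for day, n in counts.items():
        print(f"{day} {'#' * n:<10} {n}{'  <-- surge' if day in hot else ''}")
```

On real telemetry the window would be weeks rather than three days, and the threshold should be tuned against the normal week-to-week variance of the environment; the point of the example is that a surge is only meaningful relative to a baseline drawn from the same data.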

Protection with Mjolnir Security

The threat landscape keeps evolving, but our commitment to safeguarding our clients does not change. Here is how Mjolnir Security helps protect against threats like Sock5Systemz:

  1. Advanced Threat Intelligence: Our team continuously monitors and analyzes global threat trends, including the C2 infrastructure described above, so that our clients stay a step ahead.
  2. Endpoint Protection: Using current tooling, we make sure malicious activity such as unexpected persistence or proxy behaviour is detected and contained quickly.
  3. Incident Response: In the event of a breach, our response team is on standby 24/7 to neutralize the threat and restore operations.
  4. Awareness & Training: A well-informed team is the first line of defense. Our training sessions help organizations recognize and thwart phishing attempts and other delivery vectors.

In Conclusion

The chain of Amadey, PrivateLoader, and Sock5Systemz is a real threat to organizations worldwide, because a compromised host does not just leak data; it becomes an exit point for someone else’s traffic. With vigilance, sound protection tooling, and a proactive approach, businesses can defend themselves against it. At Mjolnir Security we stay at the forefront of this work, keeping our clients protected and informed.

Written by: Mjolnir Security

