Under Attack: How Threat Actors are Exploiting SOCKS Proxies

September 3, 2020
4 min read

SOCKS proxies are a routine part of enterprise networking, and a SOCKS proxy can improve an organization's security posture; the same capability is also readily abused by cybercriminals, in cases ranging from IoT botnets to cryptocurrency mining on academic supercomputers. Take a look at how SOCKS proxies have been manipulated recently by threat actors.

What is a SOCKS Proxy?

SOCKS (the name comes from "sockets"; it is often expanded as Socket Secure) is an internet protocol that relays traffic between a client and a destination server through a proxy server: the client asks the proxy to open the connection on its behalf, and the proxy then copies bytes in both directions.

According to the Internet Engineering Task Force's RFC 1928, the protocol is "designed to provide a framework for client-server applications in both the TCP (transmission control protocol) and UDP (user datagram protocol) domains to conveniently and securely use the services of a network firewall."

A proxy server functions as an intermediary for requests from a client on an internal network seeking services or resources on the internet. The proxy server has its own public IP address, so the destination sees the proxy's address rather than the client's. That is what makes a proxy useful for hiding a network's internal layout, and equally useful to an attacker who wants to hide the origin of traffic.

There are a number of use cases for a proxy server: to improve network security, carry out actions anonymously, balance network traffic, control employee internet usage and provide faster network speeds by compressing traffic, caching files and stripping ads from websites. (Caching and ad-stripping apply to HTTP proxies, which understand the application protocol; a SOCKS proxy relays the stream unchanged.)

Two versions are in common use: SOCKS4 (with its SOCKS4a extension, which lets the client pass a hostname for the proxy to resolve) and SOCKS5, the current version, defined in RFC 1928. SOCKS5 adds a negotiated authentication step, including username/password authentication (RFC 1929), support for IPv6 and domain-name destinations, and User Datagram Protocol (UDP) relaying. SOCKS4 has no authentication beyond a client-supplied user ID string, and SOCKS5 still allows a server to accept the "no authentication required" method, which is why an exposed SOCKS listener so often amounts to an open proxy.

There are several benefits to using SOCKS5 for a proxy server. First, it lets an administrator reach backend services inside a cloud-hosted cluster behind a firewall without exposing the backend service ports. Second, it needs nothing special on the far side as long as there is secure shell (SSH) access to an edge node or gateway, since OpenSSH's dynamic port forwarding turns the SSH client into a local SOCKS proxy. Third, one SOCKS proxy forwards arbitrary TCP connections, so each backend service does not need its own port forward or dedicated proxy. A caveat here: SOCKS5 itself defines UDP relaying, but the SOCKS proxy built into OpenSSH implements only the TCP CONNECT command, so UDP traffic does not travel through an SSH-based SOCKS tunnel. Finally, a SOCKS proxy relays the byte stream without parsing or rewriting application data, unlike an HTTP proxy, which means fewer protocol-specific problems and better performance.
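The SOCKS5 exchange is easiest to see in code. The following Python script is an added example written for this article, not code from the page or from any project it mentions: a minimal SOCKS5 proxy that accepts only RFC 1929 username/password authentication, the matching client handshake, and a driver that runs three clients against a constructed echo backend on loopback. The account `alice`, its password and the echo service are made up for the demonstration; the proxy implements only the CONNECT command with a hostname destination, so the proxy rather than the client resolves the name.

```python
"""Minimal SOCKS5 proxy (RFC 1928) requiring RFC 1929 username/password auth, plus client handshake and demo."""
import contextlib
import socket
import struct
import threading

VER, NO_AUTH, USERPASS, NO_ACCEPTABLE = 5, 0x00, 0x02, 0xFF
CMD_CONNECT, ATYP_IPV4, ATYP_DOMAIN, REP_OK, REP_FAIL, REP_BAD_CMD = 0x01, 0x01, 0x03, 0x00, 0x01, 0x07
CREDENTIALS = {"alice": "correct horse battery staple"}  # constructed for the example, not a real account


def recv_exact(sock, n):  # SOCKS fields are fixed-length or length-prefixed: always read exactly n bytes
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed mid-handshake")
        buf += chunk
    return buf


def pump(src, dst):  # relay src -> dst until EOF, then shut both sockets so the opposite pump exits too
    with contextlib.suppress(OSError):
        while data := src.recv(4096):
            dst.sendall(data)
    for sk in (src, dst):
        with contextlib.suppress(OSError):
            sk.shutdown(socket.SHUT_RDWR)


def serve(s):  # proxy side: authenticate, honour one CONNECT-by-hostname request, then relay bytes
    with s:
        ver, nmethods = recv_exact(s, 2)                          # greeting: VER NMETHODS METHODS
        if ver != VER or USERPASS not in recv_exact(s, nmethods):
            s.sendall(bytes([VER, NO_ACCEPTABLE]))                # a client offering only no-auth is turned away
            return
        s.sendall(bytes([VER, USERPASS]))
        _, ulen = recv_exact(s, 2)                                # RFC 1929: VER ULEN UNAME PLEN PASSWD
        user = recv_exact(s, ulen).decode("utf-8", "replace")
        passwd = recv_exact(s, recv_exact(s, 1)[0]).decode("utf-8", "replace")
        if CREDENTIALS.get(user) != passwd:
            s.sendall(b"\x01\x01")                                # non-zero status = rejected; connection closes
            return
        s.sendall(b"\x01\x00")
        _, cmd, _, atyp = recv_exact(s, 4)                        # request: VER CMD RSV ATYP DST.ADDR DST.PORT
        if cmd != CMD_CONNECT or atyp != ATYP_DOMAIN:             # toy proxy: CONNECT to a hostname only
            s.sendall(bytes([VER, REP_BAD_CMD, 0, ATYP_IPV4]) + b"\x00" * 6)
            return
        host = recv_exact(s, recv_exact(s, 1)[0]).decode("ascii", "replace")
        (port,) = struct.unpack("!H", recv_exact(s, 2))
        try:
            upstream = socket.create_connection((host, port), timeout=5)  # the proxy resolves the name
        except OSError:
            s.sendall(bytes([VER, REP_FAIL, 0, ATYP_IPV4]) + b"\x00" * 6)
            return
        with upstream:
            ip, bport = upstream.getsockname()[:2]                # BND.ADDR/BND.PORT: proxy's end of the upstream
            s.sendall(bytes([VER, REP_OK, 0, ATYP_IPV4]) + socket.inet_aton(ip) + struct.pack("!H", bport))
            t = threading.Thread(target=pump, args=(upstream, s), daemon=True)
            t.start()
            pump(s, upstream)
            t.join()


def socks5_handshake(s, target, creds=None):  # client side, on a socket already connected to the proxy
    s.sendall(bytes([VER, 1, USERPASS if creds else NO_AUTH]))   # offer exactly one method
    chosen = recv_exact(s, 2)[1]
    if chosen == NO_ACCEPTABLE:
        raise PermissionError("proxy rejected the offered authentication method")
    if chosen == USERPASS:
        u, p = (x.encode() for x in creds)
        s.sendall(b"\x01" + bytes([len(u)]) + u + bytes([len(p)]) + p)
        if recv_exact(s, 2)[1] != 0:
            raise PermissionError("username/password rejected")
    host, port = target
    s.sendall(bytes([VER, CMD_CONNECT, 0, ATYP_DOMAIN, len(host)]) + host.encode() + struct.pack("!H", port))
    rep = recv_exact(s, 10)[1]                                    # IPv4-form reply is 10 bytes; BND unused here
    if rep != REP_OK:
        raise ConnectionError(f"CONNECT refused, REP=0x{rep:02x}")


def demo():  # authenticated client gets its message echoed; no-auth and wrong-password clients are refused
    backend = socket.create_server(("127.0.0.1", 0))             # constructed stand-in for a protected service
    target, results = ("localhost", backend.getsockname()[1]), {}
    for label, creds in (("authenticated", ("alice", CREDENTIALS["alice"])), ("no_auth", None), ("wrong_password", ("alice", "hunter2"))):
        client, proxy_end = socket.socketpair()                   # stands in for the client's TCP link to the proxy
        threading.Thread(target=serve, args=(proxy_end,), daemon=True).start()
        try:
            with client:
                socks5_handshake(client, target, creds)
                conn, _ = backend.accept()                        # the proxy, not the client, reached the backend
                with conn:
                    client.sendall(b"ping through the proxy")
                    conn.sendall(conn.recv(4096))                 # backend echoes what arrived via the proxy
                results[label] = client.recv(4096)
        except PermissionError as exc:
            results[label] = f"refused: {exc}"
    backend.close()
    return results
```

Running `demo()` returns the echoed message for the authenticated client and a refusal for the other two. The server's first decision, answering `0x05 0xFF` to a client that offers only the no-authentication method, is exactly the control that the open proxies described later in this article lack; an SSH-based tunnel relies on SSH for that gatekeeping, whereas a stand-alone SOCKS listener has to enforce it itself.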

SOCKS5 Proxies Used in Supercomputer Attacks

Unfortunately, a SOCKS proxy can be abused by attackers to carry out various types of nefarious activities.

A recent example invol­ves cryptomining attacks on academic supercomputers used to conduct advanced research. According to the European Grid Infrastructure (EGI) Foundation's computer security incident response team, the attackers logged in over SSH from the Tor anonymity network and connected to a SOCKS5 proxy host running a microSOCKS instance on a high port. MicroSOCKS is a small, multithreaded SOCKS5 server.

Researchers normally log in to these supercomputers remotely over SSH. The attackers stole SSH credentials, used them to move between supercomputers, and then ran cryptocurrency miners on the compromised systems.

The academic institutions running the supercomputers had to shut them down to clear the cryptomining malware, disrupting valuable academic research.
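The signs of this intrusion pattern show up in two places a responder can check quickly: the SSH authentication log and the list of listening sockets. The following Python script is an added example, not from the EGI CSIRT advisory or this article; it runs both checks over constructed sample data (an sshd journal excerpt and `ss -ltnp` output using documentation-range addresses, plus a made-up Tor exit list and an assumed service allow-list), flagging successful SSH logins from Tor exits and non-loopback listeners on high ports owned by processes outside the allow-list, which is what a microSOCKS instance on a high port looks like.

```python
"""Post-incident triage: SSH logins from Tor exit nodes and unexpected high-port listeners.
Added example; the log lines, ss output, exit list and allow-list are all constructed."""
import re

# Constructed sshd journal excerpt (addresses are from documentation ranges, not real hosts).
SSHD_LOG = """\
May 12 03:14:07 hpc-login1 sshd[2311]: Accepted publickey for researcher1 from 10.20.30.40 port 41022 ssh2: RSA SHA256:c0nstructedFingerprint
May 12 03:16:52 hpc-login1 sshd[2390]: Accepted password for researcher1 from 203.0.113.45 port 50218 ssh2
May 12 03:17:03 hpc-login1 sshd[2402]: Failed password for root from 198.51.100.9 port 50340 ssh2
May 12 03:20:11 hpc-login1 sshd[2455]: Accepted publickey for admin from 198.51.100.9 port 50601 ssh2: ED25519 SHA256:als0Constructed
"""

# Constructed `ss -ltnp` output: sshd, cupsd on loopback, and a microsocks instance on a high port.
SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=911,fd=3))
LISTEN 0      4096   127.0.0.1:631       0.0.0.0:*         users:(("cupsd",pid=702,fd=7))
LISTEN 0      128    0.0.0.0:48321       0.0.0.0:*         users:(("microsocks",pid=40211,fd=4))
LISTEN 0      128    [::]:22             [::]:*            users:(("sshd",pid=911,fd=4))
"""

TOR_EXITS = {"203.0.113.45", "198.51.100.9"}            # constructed; in practice a fetched exit-node list
KNOWN_SERVICES = {"sshd", "cupsd", "slurmd", "munged"}  # assumed allow-list for a login node

SSHD_RE = re.compile(r"sshd\[(\d+)\]: Accepted (\w+) for (\S+) from (\S+) port \d+")
SS_RE = re.compile(r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)",pid=(\d+)')


def ssh_logins_from_tor(log, tor_exits):
    """Successful SSH logins whose source IP is a known Tor exit (failed attempts are ignored)."""
    hits = []
    for m in SSHD_RE.finditer(log):
        pid, method, user, ip = m.groups()
        if ip in tor_exits:
            hits.append({"user": user, "ip": ip, "method": method, "pid": int(pid)})
    return hits


def suspicious_listeners(ss_text, known_services, min_port=1024):
    """Listeners on high ports, bound beyond loopback, owned by processes not on the allow-list."""
    hits = []
    for line in ss_text.splitlines():
        m = SS_RE.match(line)
        if not m:
            continue
        addr, port, proc, pid = m.groups()
        if int(port) >= min_port and proc not in known_services and addr not in ("127.0.0.1", "[::1]"):
            hits.append({"addr": addr, "port": int(port), "proc": proc, "pid": int(pid)})
    return hits


def triage(log=SSHD_LOG, ss_text=SS_OUTPUT):
    """Both checks in one report a responder can act on."""
    return {"tor_logins": ssh_logins_from_tor(log, TOR_EXITS),
            "listeners": suspicious_listeners(ss_text, KNOWN_SERVICES)}
```

In production the exit list would come from the Tor Project's published exit-address data and the allow-list from the node's configuration management. Either signal alone is noisy on a shared login node; the combination, an interactive login from Tor on a host that has since grown an unexplained listener on a high port, is what makes the case worth escalating.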

SOCKS5 Exploited by Dark Nexus Botnet

In another recent case, the Dark Nexus internet of things (IoT) botnet, operated as a distributed denial-of-service (DDoS)-for-hire service, also turned infected devices into SOCKS proxies.

The Dark Nexus attackers infect IoT devices and then start a SOCKS5 proxy on a randomly chosen port, which is reported to the command-and-control server as part of bot registration, according to a Bitdefender analysis.

Bitdefender researchers believe the attackers are selling access to these SOCKS5 proxies on an underground forum, though they noted that they had no direct evidence of this.

The Gwmndy botnet also ran SOCKS proxies. Its operators targeted Fiberhome routers, adding about 200 routers per day to the botnet and stopping once that daily number was reached, according to 360 Netlab researchers.

Instead of using the botnet for DDoS attacks, cryptojacking, sending spam or stealing data, the Gwmndy operators appeared to use the routers as SSH tunneling proxy nodes, creating a SOCKS5 proxy service locally on each device.

Ransomware Attackers Abuse SOCKS Proxies

Ransomware attackers also use SOCKS proxies. QNAPCrypt, a ransomware family that targets Linux-based network-attached storage devices, routes its connections to the attackers' infrastructure through a SOCKS5 proxy, according to Intezer researchers.

A SOCKS5 proxy is central to the multistage QNAPCrypt attack. First, the ransomware connects to the SOCKS5 proxy. Through it, the malware requests its per-victim configuration from an Onion domain, retrieving an RSA public key, a unique Bitcoin wallet address and a ransom note. After a further exchange through the SOCKS5 proxy, the ransomware encrypts the victim's files using the retrieved key.

While most ransomware attacks target Windows systems, QNAPCrypt joins a growing list of ransomware going after Linux-based systems.

Cloud Snooper and SOCKS Proxies

Cloud Snooper malware uses a SOCKS proxy to bypass firewalls in cloud infrastructure. The malware, a backdoor trojan, can run either as a command-line tool or as a daemon.

Cloud Snooper opens HTTP or domain name system (DNS) services on an infected system and tunnels traffic through them, operating as both a reverse SOCKS5 proxy server and client, SophosLabs researchers explain. The malware's SOCKS5 server is based on the open-source sSOCKS proxy implementation.

The fileless Nodersok malware also abused a SOCKS proxy when it compromised thousands of PCs in 2019. The infection starts with an HTML application (HTA) file on the targeted computer; when run, it launches further stages that abuse Excel, JavaScript and PowerShell scripts.

The malware then uses Node.js and WinDivert to start a SOCKS4 proxy on the infected computer, turning it into a relay for malicious traffic. Next, the malware connects to the attackers' command-and-control server. The server uses the SOCKS4 protocol to hand an HTTP request to the client, which forwards it to the target website and returns the response, including the HTML page, to the server.
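The three botnet cases above (Dark Nexus's SOCKS5 listener on a random port, Gwmndy's SOCKS5 service on routers, and Nodersok's SOCKS4 proxy) share one network-visible trait: the first client bytes on the connection are a SOCKS handshake, on a port where no proxy should exist. The following Python code is an added example, not from any of the vendor reports; it strictly parses SOCKS4, SOCKS4a and SOCKS5 opening messages and runs the classifier over constructed flow records (private and documentation-range addresses, made-up payloads), so a SOCKS4 CONNECT request or a SOCKS5 greeting that offers only "no authentication" on a high port is reported while TLS and HTTP traffic is not.

```python
"""Classify the first bytes of a TCP payload as a SOCKS4/4a request or a SOCKS5 greeting.
Added example, not from any vendor report; the sample flows below are constructed."""
import socket
import struct

AUTH_METHOD_NAMES = {0x00: "no-auth", 0x01: "gssapi", 0x02: "username/password"}


def parse_socks5_greeting(p):
    """VER=5, NMETHODS, METHODS: valid only if the method list is exactly NMETHODS long."""
    if len(p) < 3 or p[0] != 5 or p[1] == 0 or len(p) != 2 + p[1]:
        return None
    return {"version": "SOCKS5", "methods": [AUTH_METHOD_NAMES.get(m, f"0x{m:02x}") for m in p[2:]]}


def parse_socks4_request(p):
    """VN=4, CD (1=CONNECT, 2=BIND), DSTPORT, DSTIP, USERID NUL [, HOSTNAME NUL for SOCKS4a]."""
    if len(p) < 9 or p[0] != 4 or p[1] not in (1, 2):
        return None
    (port,) = struct.unpack("!H", p[2:4])
    ip, nul = p[4:8], p.find(b"\x00", 8)
    if nul < 0:
        return None
    info = {"version": "SOCKS4", "command": "CONNECT" if p[1] == 1 else "BIND",
            "port": port, "userid": p[8:nul].decode("latin-1")}
    rest = p[nul + 1:]
    if ip[:3] == b"\x00\x00\x00" and ip[3] != 0:           # 0.0.0.x marks SOCKS4a: a hostname follows
        nul2 = rest.find(b"\x00")
        if nul2 <= 0:
            return None
        info.update(version="SOCKS4a", host=rest[:nul2].decode("latin-1"))
        rest = rest[nul2 + 1:]
    else:
        info["host"] = socket.inet_ntoa(ip)
    return info if not rest else None                      # trailing bytes: not a clean handshake


def classify_payload(p):
    """Return a description if p opens with a SOCKS handshake, else None."""
    return parse_socks5_greeting(p) or parse_socks4_request(p)


# Constructed flows: (src, dst, dst_port, first client payload); private/documentation-range addresses only.
FLOWS = [
    ("10.0.0.5", "10.0.0.23", 41537, b"\x05\x01\x00"),                                   # SOCKS5 greeting, no-auth only
    ("10.0.0.5", "10.0.0.23", 443, b"\x16\x03\x01\x00\xf1\x01\x00\x00\xed"),             # TLS ClientHello
    ("10.0.0.9", "10.0.0.44", 80, b"GET / HTTP/1.1\r\nHost: intranet\r\n\r\n"),          # plain HTTP
    ("10.0.0.9", "10.0.0.44", 5555, b"\x04\x01\x00\x50\xcb\x00\x71\x0a" + b"bot\x00"),    # SOCKS4 CONNECT 203.0.113.10:80
    ("10.0.0.9", "10.0.0.44", 5555, b"\x04\x01\x01\xbb\x00\x00\x00\x01\x00" + b"example.test\x00"),  # SOCKS4a, port 443
    ("10.0.0.7", "10.0.0.23", 41537, b"\x05\x02\x00"),                                   # truncated greeting (NMETHODS=2)
]


def socks_handshakes(flows, expected_proxy_ports=frozenset({1080})):
    """Flows that open with a SOCKS handshake toward a port where no proxy is expected."""
    hits = []
    for src, dst, dport, payload in flows:
        info = classify_payload(payload)
        if info and dport not in expected_proxy_ports:
            hits.append({"src": src, "dst": dst, "dport": dport, **info})
    return hits
```

The same checks translate directly into a network-monitoring signature: a SOCKS5 greeting is at most 257 bytes and fully determined by its second byte, and a SOCKS4 request is pinned down by its version byte, command byte and NUL-terminated fields, so both can be matched on the first packet of a flow without reassembling anything further.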

Combined with other stealth components, the SOCKS proxy let the malware "fly under the radar" for a while. The common thread in these cases is a SOCKS listener that anyone who can reach it may use: SOCKS4 has no real authentication, and SOCKS5 permits the "no authentication required" method. It is therefore best to require strong authentication on any SOCKS proxy you operate, bind it to trusted interfaces only, and watch for unexpected SOCKS listeners on high ports, so that your own proxies are not hijacked and an attacker's proxy does not go unnoticed.

Fred Donovan
Editor, Inside Security | Writer | Content Creator and Marketer

Fred is founder and editor-in-chief of IT Security Writer, a content creation firm specializing in IT security and cybersecurity.