SocksEscort – CyberSecurity Confabulation

Who and What is Behind the Malware Proxy Service SocksEscort?

Posted 2 years ago by BrianKrebs

Researchers this month uncovered a two-year-old Linux-based remote access trojan dubbed AVrecon that enslaves Internet routers into botnet that bilks online advertisers and performs password-spraying attacks. Now new findings reveal that AVrecon is the malware engine behind a 12-year-old service called SocksEscort, which rents hacked residential and small business devices to cybercriminals looking to hide their true location online.

Image: Lumen’s Black Lotus Labs.

In a report released July 12, researchers at Lumen’s Black Lotus Labs called the AVrecon botnet “one of the largest botnets targeting small-office/home-office (SOHO) routers seen in recent history,” and a crime machine that has largely evaded public attention since first being spotted in mid-2021.

“The malware has been used to create residential proxy services to shroud malicious activity such as password spraying, web-traffic proxying and ad fraud,” the Lumen researchers wrote.

Malware-based anonymity networks are a major source of unwanted and malicious web traffic directed at online retailers, Internet service providers (ISPs), social networks, email providers and financial institutions. And a great many of these “proxy” networks are marketed primarily to cybercriminals seeking to anonymize their traffic by routing it through an infected PC, router or mobile device.

Proxy services can be used in a legitimate manner for several business purposes — such as price comparisons or sales intelligence — but they are massively abused for hiding cybercrime activity because they make it difficult to trace malicious traffic to its original source. Proxy services also let users appear to be getting online from nearly anywhere in the world, which is useful if you’re a cybercriminal who is trying to impersonate someone from a specific place.

Spur.us, a startup that tracks proxy services, told KrebsOnSecurity that the Internet addresses Lumen tagged as the AVrecon botnet’s “Command and Control” (C2) servers all tie back to a long-running proxy service called SocksEscort.

SocksEscort[.]com, is what’s known as a “SOCKS Proxy” service. The SOCKS (or SOCKS5) protocol allows Internet users to channel their Web traffic through a proxy server, which then passes the information on to the intended destination. From a website’s perspective, the traffic of the proxy network customer appears to originate from a rented/malware-infected PC tied to a residential ISP customer, not from the proxy service customer.

The SocksEscort home page says its services are perfect for people involved in automated online activity that often results in IP addresses getting blocked or banned, such as Craigslist and dating scams, search engine results manipulation, and online surveys.

Spur tracks SocksEscort as a malware-based proxy offering, which means the machines doing the proxying of traffic for SocksEscort customers have been infected with malicious software that turns them into a traffic relay. Usually, these users have no idea their systems are compromised.

Spur says the SocksEscort proxy service requires customers to install a Windows based application in order to access a pool of more than 10,000 hacked devices worldwide.

“We created a fingerprint to identify the call-back infrastructure for SocksEscort proxies,” Spur co-founder Riley Kilmer said. “Looking at network telemetry, we were able to confirm that we saw victims talking back to it on various ports.”

According to Kilmer, AVrecon is the malware that gives SocksEscort its proxies.

“When Lumen released their report and IOCs [indicators of compromise], we queried our system for which proxy service call-back infrastructure overlapped with their IOCs,” Kilmer continued. “The second stage C2s they identified were the same as the IPs we labeled for SocksEscort.”

Lumen’s research team said the purpose of AVrecon appears to be stealing bandwidth – without impacting end-users – in order to create a residential proxy service to help launder malicious activity and avoid attracting the same level of attention from Tor-hidden services or commercially available VPN services.

“This class of cybercrime activity threat may evade detection because it is less likely than a crypto-miner to be noticed by the owner, and it is unlikely to warrant the volume of abuse complaints that internet-wide brute-forcing and DDoS-based botnets typically draw,” Lumen’s Black Lotus researchers wrote.

Preserving bandwidth for both customers and victims was a primary concern for SocksEscort in July 2022, when 911S5 — at the time the world’s largest known malware proxy network — got hacked and imploded just days after being exposed in a story here. Kilmer said after 911’s demise, SocksEscort closed its registration for several months to prevent an influx of new users from swamping the service.

Danny Adamitis, principal information security researcher at Lumen and co-author of the report on AVrecon, confirmed Kilmer’s findings, saying the C2 data matched up with what Spur was seeing for SocksEscort dating back to September 2022.

Adamitis said that on July 13 — the day after Lumen published research on AVrecon and started blocking any traffic to the malware’s control servers — the people responsible for maintaining the botnet reacted quickly to transition infected systems over to a new command and control infrastructure.

“They were clearly reacting and trying to maintain control over components of the botnet,” Adamitis said. “Probably, they wanted to keep that revenue stream going.”

Frustratingly, Lumen was not able to determine how the SOHO devices were being infected with AVrecon. Some possible avenues of infection include exploiting weak or default administrative credentials on routers, and outdated, insecure firmware that has known, exploitable security vulnerabilities.

WHO’S BEHIND SOCKSESCORT?

KrebsOnSecurity briefly visited SocksEscort last year and promised a follow-up on the history and possible identity of its proprietors. A review of the earliest posts about this service on Russian cybercrime forums suggests the 12-year-old malware proxy network is tied to a Moldovan company that also offers VPN software on the Apple Store and elsewhere.

SocksEscort began in 2009 as “super-socks[.]com,” a Russian-language service that sold access to thousands of compromised PCs that could be used to proxy traffic. Someone who picked the nicknames “SSC” and “super-socks” and email address “michvatt@gmail.com” registered on multiple cybercrime forums and began promoting the proxy service.

According to DomainTools.com, the apparently related email address “michdomain@gmail.com” was used to register SocksEscort[.]com, super-socks[.]com, and a few other proxy-related domains, including ip-score[.]com, segate[.]org seproxysoft[.]com, and vipssc[.]us. Cached versions of both super-socks[.]com and vipssc[.]us show these sites sold the same proxy service, and both displayed the letters “SSC” prominently at the top of their homepages.

Image: Archive.org. Page translation from Russian via Google Translate.

According to cyber intelligence firm Intel 471, the very first “SSC” identity registered on the cybercrime forums happened in 2009 at the Russian language hacker community Antichat, where SSC registered using the email address adriman@gmail.com. SSC asked fellow forum members for help in testing the security of a website they claimed was theirs: myiptest[.]com, which promised to tell visitors whether their proxy address was included on any security or anti-spam block lists.

DomainTools says myiptest[.]com was registered in 2008 to an Adrian Crismaru from Chisinau, Moldova. Myiptest[.]com is no longer responding, but a cached copy of it from Archive.org shows that for about four years it included in its HTML source a Google Analytics code of US-2665744, which was also present on more than a dozen other websites.

Most of the sites that once bore that Google tracking code are no longer online, but nearly all of them centered around services that were similar to myiptest[.]com, such as abuseipdb[.]com, bestiptest[.]com, checkdnslbl[.]com, dnsbltools[.]com and dnsblmonitor[.]com.

Each of these services were designed to help visitors quickly determine whether the Internet address they were visiting the site from was listed by any security firms as spammy, malicious or phishous. In other words, these services were designed so that proxy service users could easily tell if their rented Internet address was still safe to use for online fraud.

Another domain with the Google Analytics code US-2665744 was sscompany[.]net. An archived copy of the site says SSC stands for “Server Support Company,” which advertised outsourced solutions for technical support and server administration. The company was located in Chisinau, Moldova and owned by Adrian Crismaru.

Leaked copies of the hacked Antichat forum indicate the SSC identity tied to adriman@gmail.com registered on the forum using the IP address 71.229.207.214. That same IP was used to register the nickname “Deem3n®,” a prolific poster on Antichat between 2005 and 2009 who served as a moderator on the forum.

There was a Deem3n® user on the webmaster forum Searchengines.guru whose signature in their posts says they run a popular community catering to programmers in Moldova called sysadmin[.]md, and that they were a systems administrator for sscompany[.]net.

That same Google Analytics code is also now present on the homepages of wiremo[.]co and a VPN provider called HideIPVPN[.]com.

Wiremo sells software and services to help website owners better manage their customer reviews. Wiremo’s Contact Us page lists a “Server Management LLC” in Wilmington, DE as the parent company. Records from the Delaware Secretary of State indicate Crismaru is CEO of this company.

Server Management LLC is currently listed in Apple’s App Store as the owner of a “free” VPN app called HideIPVPN. The contact information on Crismaru’s LinkedIn page says his company websites include myiptest[.]com, sscompany[.]net, and hideipvpn[.]com.

“The best way to secure the transmissions of your mobile device is VPN,” reads HideIPVPN’s description on the Apple Store. “Now, we provide you with an even easier way to connect to our VPN servers. We will hide your IP address, encrypt all your traffic, secure all your sensitive information (passwords, mail credit card details, etc.) form [sic] hackers on public networks.”

Mr. Crismaru did not respond to multiple requests for comment. When asked about the company’s apparent connection to SocksEscort, Wiremo responded, “We do not control this domain and no one from our team is connected to this domain.” Wiremo did not respond when presented with the findings in this report.

No SOCKS, No Shoes, No Malware Proxy Services!

Posted 3 years ago by BrianKrebs

With the recent demise of several popular “proxy” services that let cybercriminals route their malicious traffic through hacked PCs, there is now something of a supply chain crisis gripping the underbelly of the Internet. Compounding the problem, several remaining malware-based proxy services have chosen to block new registrations to avoid swamping their networks with a sudden influx of customers.

Last week, a seven-year-old proxy service called 911[.]re abruptly announced it was permanently closing after a cybersecurity breach allowed unknown intruders to trash its servers and delete customer data and backups. 911 was already akin to critical infrastructure for many in the cybercriminal community after its top two competitors — VIP72 and LuxSocks — closed or were shut down by authorities over the past 10 months.

The underground cybercrime forums are now awash in pleas from people who are desperately seeking a new supplier of abundant, cheap, and reliably clean proxies to restart their businesses. The consensus seems to be that those days are now over, and while there are many smaller proxy services remaining, few of them on their own are capable of absorbing anywhere near the current demand.

“Everybody is looking for an alternative, bro,” wrote a BlackHatForums user on Aug. 1 in response to one of many “911 alternative” discussion threads. “No one knows an equivalent alternative to 911[.]re. Their service in terms of value and accessibility compared to other proxy providers was unmatched. Hopefully someone comes with a great alternative to 911[.]re.”

NEW SOCKS, SAME OLD SHOES

Among the more frequently recommended alternatives to 911 is SocksEscort[.]com, a malware-based proxy network that has been in existence since at least 2010. Here’s what part of their current homepage looks like:

But faced with a deluge of new signups in the wake of 911’s implosion, SocksEscort was among the remaining veteran proxy services that opted to close its doors to new registrants, replacing its registration page with the message:

“Due to unusual high demand, and heavy load on our servers, we had to block all new registrations. We won’t be able to support our proxies otherwise, and close SocksEscort as a result. We will resume registrations right after demand drops. Thank you for understanding, and sorry for the inconvenience.”

According to Spur.us, a startup that tracks proxy services, SocksEscort is a malware-based proxy offering, which means the machines doing the proxying of traffic for SocksEscort customers have been infected with malicious software that turns them into a traffic relay.

Spur says SocksEscort’s proxy service relies on software designed to run on Windows computers, and is currently leasing access to more than 14,000 hacked computers worldwide. That is a far cry from the proxy inventory advertised by 911, which stood at more than 200,000 IP addresses for rent just a few days ago.

Image: Spur.us

SocksEscort is what’s known as a “SOCKS Proxy” service. The SOCKS (or SOCKS5) protocol allows Internet users to channel their Web traffic through a proxy server, which then passes the information on to the intended destination. From a website’s perspective, the traffic of the proxy network customer appears to originate from a rented/malware-infected PC tied to a residential ISP customer, not from the proxy service customer.

These services can be used in a legitimate manner for several business purposes — such as price comparisons or sales intelligence — but they are massively abused for hiding cybercrime activity because they make it difficult to trace malicious traffic to its original source.

The disruption at 911[.]re came days after KrebsOnSecurity published an in-depth look at the long-running proxy service, which showed that 911 had a history of incentivizing the installation of its proxy software without user notice or consent, and that it actually ran some of these “pay-per-install” schemes on its own to guarantee a steady supply of freshly-hacked PCs.

That story also showed once again that the people who are building and leasing these botnets are surprisingly easy to identify in real life, particularly given that they operate malware-based anonymity services that enable a great deal of cybercrime activity.

Such was the case again with SocksEscort. Hilariously, the common link that exposed the real-life identities of the people running this SOCKS service was that they all worked for the same online shoe store.

ANGRY CODERS

SocksEscort[.]com was originally registered to the email address “michdomain@gmail.com,” which according to DomainTools.com was used to register a handful of related domains, including its previous incarnation — super-socks[.]biz. Cached versions of the site show that in 2010 the software which powers the network was produced with a copyright of “Escort Software.”

Super-socks[.]biz came online around the same time as another domain registered to that “michdomain” email: ip-score[.]com, which soon became shorthand on several cybercrime forums for a service that could tell visitors whether their Internet address — or more precisely, the proxy they were using — was flagged by any security software or services as compromised or malicious.

IP-score offered a revenue sharing program for websites that chose to embed its IP-scoring code, and the copyright on that userbar program was “Angry Coders.”

A review of the Internet addresses historically used by Super-socks[.]biz and SocksEscort[.]com reveals that these domains at various times over the years shared an Internet address with a small of other domains, including angrycoders[.]net, iskusnyh[.]pro, and kc-shoes[.]ru.

Cached copies of angrycoders[.]net from the Wayback Machine don’t reveal much about this particular group of irate programmers, but a search on the domain brings up several now-dormant listings for an Angry Coders based in Omsk, a large city in the Siberian region of Russia. The domain was registered in 2010 to an Oleg Iskushnykh from Omsk, who used the email address iboss32@ro.ru.

According to Constella Intelligence [currently an advertiser on KrebsOnSecurity], Oleg used the same password from his iboss32@ro.ru account for a slew of other “iboss” themed email addresses, one of which is tied to a LinkedIn profile for an Oleg Iskhusnyh, who describes himself as a senior web developer living in Nur-Sultan, Kazakhstan.

Iskusnyh’s Github profile shows he has contributed code to a number of online payment-related technologies and services, including Ingenico ePayments, Swedbank WooCommerce, Mondido Payments, and Reepay.

DON’T JUDGE A MAN UNTIL YOU’VE WALKED A MILE IN HIS SOCKS

The various “iboss” email accounts appear to have been shared by multiple parties. A search in Constella’s database of breached entities on “iboss32@gmail.com” reveals someone using the name Oleg Iskusnyh registered an online profile using a phone number in Bronx, New York. Pivoting on that phone number — 17187154415 — reveals a profile exposed in the breach at sales intelligence firm Apollo with the first name “Dmitry” who used the email address chepurko87@gmail.com.

That email is connected to a LinkedIn profile for a Dmitry Chepurko in Pavlodar, Kazakhstan. Chepurko’s resume says he’s a full stack developer, who most recently worked in the Omsk offices of a German shoe company called KC Shoes (the aforementioned kc-shoes.ru]. Chepurko’s resume says before that he worked on his own for a decade using the freelancing platform Upwork.

The Upwork profile listed in Chepurko’s LinkedIn C.V. is no longer active. But that same now-defunct Upwork account link is still listed as the profile of a “Dmitry C.” in an UpWork profile page for the Angry Coders team in Omsk, Russia.

The UpWork profile page for the Angry Coders programming team from Omsk, RU.

Who is the “Alexander S.” listed above under the “Agency members” heading in the Upwork profile for Angry Coders? Historical DNS records from Farsight Security show angrycoders.net formerly included the subdomain “smollalex.angrycoders[.]net”.

A simple Internet search on “kc-shoes” reveals a Github account for a user from Omsk with the first name Alexander and the account name “Smollalex.” Alexander’s Github account indicates he has contributed code to the kc-shoes website as well.

Constella’s service shows that “Smollalex” was a favorite handle chosen by an Alexandr Smolyaninov from Omsk. The Smollalex Github account associates this individual with a company in Omsk that sells parts for oil and gas pipelines.

That shoes are apparently the common link among the Angry Coders responsible for SocksEscort is doubly amusing because — at least according to the posts on some cybercrime forums — one big reason people turn to these proxy services is for “shoe botting” or “sneaker bots,” which refers to the use of automated bot programs and services that aid in the rapid acquisition of limited-release, highly-sought-after designer athletic shoes that can then be resold at huge markups on secondary markets.

It’s not clear if the Angry Coders team members remain affiliated with SocksEscort; none of them responded to requests for comment. There were certain connections made clear throughout the research mentioned above that the Angry Coders outsourced much of the promotion and support of their proxy service to programmers based in India and Indonesia, where apparently a large chunk of its customers currently reside.