
How Cybercriminals Exploit SOCKS Proxies

SOCKS is the de facto standard protocol for circuit-level gateways: a client asks a proxy server to open a connection to a destination on its behalf, and the proxy then relays the packets between the two. Because it works at the session layer and carries any application protocol unchanged, its uses range from everyday browsing through a corporate gateway to, as the incidents below show, the relay traffic of cryptomining and botnet operations.

The name SOCKS is a contraction of "SOCKetS". The popular expansion "Socket Secure", and the occasionally seen "Secure Over Credential-Based Kerberos Services" (not an official name, although SOCKS5 does define a GSS-API authentication method that can be backed by Kerberos), give a misleading impression: the protocol itself encrypts nothing. Whatever security it does have is being tested by recent cyber attacks. An article featured on News Break AFP highlights the ways threat actors exploit SOCKS proxies.

SOCKS proxies

Sometimes mistaken for a virtual private network, a SOCKS proxy provides a degree of anonymity toward the destination. The client's traffic is relayed through a third-party server, which opens the onward TCP connection (SOCKS5 can also relay UDP datagrams) so that the destination only ever talks to the proxy.

The most visible effect is that the destination sees the proxy's IP address rather than the user's, which prevents web hosts from pinpointing the user's location. SOCKS proxies are therefore well suited to bypassing regional filters, but not to preventing snooping: the proxy operator and anyone on the path can read the traffic unless the application encrypts it itself (for example with TLS) or the SOCKS session is carried inside an encrypted tunnel such as SSH.

Encryption is not a function of SOCKS, but SOCKS5 does negotiate authentication. A session starts with the client sending the protocol version and the list of authentication methods it supports (no authentication, GSS-API, username/password). The server picks one of them and answers with it, or replies with the value 0xFF if it accepts none, after which the client must close the connection. Once the chosen method's sub-negotiation succeeds, the client sends its actual request (CONNECT, BIND or UDP ASSOCIATE, with the destination address and port), the server answers with a status code, and if that status is success the proxy begins relaying data between the client and the destination. Note that the username/password method transmits the credentials in cleartext.
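The exchange described above, traced byte by byte, as an added example written for this page (it is not code from the article or from any proxy implementation). Both sides are pure functions over bytes, so the whole transcript can be inspected without a network; the credential store (user alice) and the destination example.test are constructed for the illustration.

```python
# SOCKS5 method negotiation (RFC 1928) and username/password sub-negotiation
# (RFC 1929), modelled as pure functions over bytes so both sides of the
# exchange can be traced in memory. Illustration code added for this page.
import ipaddress
import struct

VER = 0x05
NO_AUTH, USERPASS, NO_ACCEPTABLE = 0x00, 0x02, 0xFF
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REP_SUCCEEDED = 0x00

# Constructed credential store for the example server (not a real account).
CREDENTIALS = {"alice": "correct horse"}

def client_greeting(methods):
    """C->S: VER | NMETHODS | METHODS[...]"""
    return bytes([VER, len(methods), *methods])

def server_select_method(greeting, server_methods):
    """S->C: VER | METHOD. Picks the server's preferred method that the client
    also offered, or 0xFF when none overlaps (the client must then close)."""
    if len(greeting) < 2 or greeting[0] != VER or len(greeting) != 2 + greeting[1]:
        raise ValueError("malformed greeting")
    offered = set(greeting[2:])
    for method in (USERPASS, NO_AUTH):          # server preference order
        if method in server_methods and method in offered:
            return bytes([VER, method])
    return bytes([VER, NO_ACCEPTABLE])

def client_userpass(username, password):
    """C->S (RFC 1929): 0x01 | ULEN | UNAME | PLEN | PASSWD, all in cleartext:
    SOCKS encrypts nothing, so this leg needs an outer tunnel such as SSH."""
    u, p = username.encode(), password.encode()
    return bytes([0x01, len(u)]) + u + bytes([len(p)]) + p

def server_check_userpass(msg, store):
    """S->C: 0x01 | STATUS, where 0x00 is success and anything else is failure."""
    if len(msg) < 3 or msg[0] != 0x01:
        raise ValueError("malformed auth message")
    ulen = msg[1]
    user = msg[2:2 + ulen].decode()
    plen = msg[2 + ulen]
    password = msg[3 + ulen:3 + ulen + plen].decode()
    return bytes([0x01, 0x00 if store.get(user) == password else 0x01])

def client_connect(host, port):
    """C->S: VER | CMD | RSV | ATYP | DST.ADDR | DST.PORT"""
    try:
        ip = ipaddress.ip_address(host)
        addr = bytes([ATYP_IPV4 if ip.version == 4 else ATYP_IPV6]) + ip.packed
    except ValueError:                           # not an IP literal: domain name
        name = host.encode("idna")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([VER, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)

def parse_connect(req):
    """Server side: decode a request into (cmd, host, port)."""
    if len(req) < 4 or req[0] != VER or req[2] != 0x00:
        raise ValueError("malformed request")
    cmd, atyp = req[1], req[3]
    if atyp == ATYP_IPV4:
        host, rest = str(ipaddress.IPv4Address(req[4:8])), req[8:]
    elif atyp == ATYP_IPV6:
        host, rest = str(ipaddress.IPv6Address(req[4:20])), req[20:]
    elif atyp == ATYP_DOMAIN:
        n = req[4]
        host, rest = req[5:5 + n].decode("idna"), req[5 + n:]
    else:
        raise ValueError("unknown address type")
    if len(rest) != 2:
        raise ValueError("bad port field")
    return cmd, host, struct.unpack("!H", rest)[0]

def server_reply(rep, bind_ip="0.0.0.0", bind_port=0):
    """S->C: VER | REP | RSV | ATYP | BND.ADDR | BND.PORT"""
    return (bytes([VER, rep, 0x00, ATYP_IPV4]) + ipaddress.IPv4Address(bind_ip).packed
            + struct.pack("!H", bind_port))

def run_exchange(server_methods, client_methods, creds=None,
                 target=("example.test", 443)):
    """Drive the handshake in memory; return (transcript, outcome) so every
    message from either side can be inspected. The target is a constructed name."""
    transcript = []

    def send(direction, msg):
        transcript.append((direction, msg))
        return msg

    greeting = send("C->S", client_greeting(client_methods))
    sel = send("S->C", server_select_method(greeting, server_methods))
    if sel[1] == NO_ACCEPTABLE:
        return transcript, "no acceptable method"
    if sel[1] == USERPASS:
        auth = send("C->S", client_userpass(*(creds or ("", ""))))
        status = send("S->C", server_check_userpass(auth, CREDENTIALS))
        if status[1] != 0x00:
            return transcript, "authentication failed"
    cmd, host, port = parse_connect(send("C->S", client_connect(*target)))
    send("S->C", server_reply(REP_SUCCEEDED))
    return transcript, f"CONNECT {host}:{port} granted"
```

Running run_exchange with a server configured for username/password against a client that only offers "no authentication" produces the 0xFF reply, which is exactly what an exposed proxy should say to an unauthenticated stranger. A server configured with NO_AUTH alone grants CONNECT to anyone who can reach the port, which is the configuration the rest of this article is about.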

SOCKS proxy exploitation

The security of SOCKS proxies has become a concern for security experts in light of the number of cyber attacks that abuse them. While it is not unexpected for a relay protocol to be turned to nefarious ends, it remains a serious threat for many internet users.

Accessing supercomputers through SSH connections

Even supercomputers are not safe. In May this year, several of Europe’s supercomputers were reportedly hijacked to mine cryptocurrency. These pan-European machines, operated for advanced research, were shut down in response to the attempts to control them. During the same month, Germany also reported attacks that shut down five of its supercomputers.

According to the European Grid Infrastructure, the attackers connected to a compromised host that was running a microSOCKS instance (a small SOCKS5 proxy) on a high port, and they reached it over SSH from the Tor network. SSH is the same channel the researchers who use the supercomputers rely on to log in remotely.

Exploiting weak or missing authentication to spread ransomware

The QNAPCrypt ransomware identified last year continues to find victims. This multi-stage malware spreads by exploiting weak or missing authentication on its targets and relies on SOCKS5 proxies to reach its infrastructure. Unlike most ransomware, which targets Windows systems, QNAPCrypt focuses on Linux-based network-attached storage (NAS) devices.

The attack starts with the ransomware connecting to a SOCKS5 proxy, through which it requests the victim-specific configuration so that the ransomware components can be downloaded from a domain in the Onion network. Once successful, it retrieves an RSA public key, a Bitcoin wallet address and a ransom note. File encryption begins during the next SOCKS5 proxy connection.

DDoS-for-hire providers exploiting SOCKS5 proxies

As mentioned, SOCKS has a wide range of uses, and DDoS attacks are unfortunately among them. The Dark Nexus IoT botnet demonstrates this.

To begin, the Dark Nexus operators infect IoT devices with their malware. The infected devices then connect back to the command-and-control server through SOCKS5 proxies on randomly selected ports. Each device is registered and becomes part of a DDoS army that can be called upon whenever an attack is ordered.

Bypassing firewalls with SOCKS proxies

Reported in late February this year, the backdoor trojan Cloud Snooper was found bypassing firewall security measures. As the name suggests, this malware targets cloud infrastructure. It can run both as a command-line tool and as a daemon.

Cloud Snooper achieves its firewall bypass by opening DNS services and tunneling traffic through them. It acts as a reverse SOCKS5 proxy server and client at the same time, building on the open-source sSOCKS proxy implementation.

This scheme is comparable to the Nodersok malware discovered last year. That fileless malware arrived as an HTML application (HTA) whose script chained JavaScript, PowerShell and Excel components, and it finally ran a Node.js-based SOCKS4 proxy that turned the infected device into a relay node for malicious traffic.

Exploiting SOCKS for commercial purposes

Another botnet identified as a SOCKS proxy abuser is Gwmndy, which targeted Fiberhome routers and, according to researchers, added up to 200 routers a day to its network. Its scheme resembles that of the Dark Nexus botnet, but instead of using the infected devices for DDoS attacks it turns them into SSH tunnel proxy nodes through which a SOCKS5 proxy service is exposed locally. Such proxy capacity can then be resold, for example packaged as "free unlimited" VPN or similar unlimited internet access services.

The solution

Cyber attackers are criminally creative and resourceful, and they will keep finding ways to abuse internet protocols and bypass security measures. Against SOCKS abuse in particular, the practical measures are straightforward: keep operating systems and security tools up to date; never expose a SOCKS service to the internet without authentication, and preferably bind it to the loopback interface and reach it over an SSH tunnel, because the protocol's own username/password method is sent in cleartext; restrict which destinations the proxy is allowed to connect to; and watch for SOCKS listeners appearing on unexpected high ports and for unexpected outbound connections to Tor, since several of the incidents above relied on both. Strong authentication reduces the chance of a successful hijack but does not make the listener invisible, so the listener itself should also be kept off untrusted networks.
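As an added example written for this page (not from the article or any vendor tool), the following Python probe turns the authentication advice into a check: it offers a SOCKS5 server only the "no authentication" method and flags any listener that accepts it. The two mock listeners it audits are constructed in-process on 127.0.0.1 so the example runs offline; in practice the probe would be pointed at your own inventory of proxy hosts and ports.

```python
# Audit SOCKS5 listeners for unauthenticated access. Added illustration code;
# the mock listeners stand in for real proxies so the check runs offline.
import socket
import threading

VER, NO_AUTH, USERPASS, NO_ACCEPTABLE = 0x05, 0x00, 0x02, 0xFF


def probe_socks5(host, port, timeout=2.0):
    """Offer a SOCKS5 server only method 0x00 (no authentication).

    Returns 'open' if the server selects it (anyone who can reach the port can
    relay through it), 'auth-required' if it answers 0xFF, 'not-socks5' for
    anything else, and 'unreachable' on connection errors.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(bytes([VER, 0x01, NO_AUTH]))
            reply = s.recv(2)
    except OSError:
        return "unreachable"
    if len(reply) != 2 or reply[0] != VER:
        return "not-socks5"
    if reply[1] == NO_AUTH:
        return "open"
    if reply[1] == NO_ACCEPTABLE:
        return "auth-required"
    return "not-socks5"   # picked a method we never offered: not conformant


def audit(targets):
    """Probe every (host, port) pair and return {"host:port": verdict}."""
    return {f"{h}:{p}": probe_socks5(h, p) for h, p in targets}


def start_mock_listener(server_methods):
    """Constructed stand-in for a proxy listener that only does method selection.

    Binds 127.0.0.1 on an OS-chosen port and answers each greeting with the
    first method in its preference order that the client also offered, or
    0xFF. Returns (listening socket, port); close the socket to stop it.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    srv.settimeout(1.0)   # wake up periodically so close() is noticed

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            except OSError:           # listening socket closed: shut down
                return
            with conn:
                conn.settimeout(2.0)
                try:
                    hdr = conn.recv(2)
                    if len(hdr) != 2 or hdr[0] != VER:
                        continue
                    offered = set(conn.recv(hdr[1]))
                    pick = next((m for m in (USERPASS, NO_AUTH)
                                 if m in server_methods and m in offered),
                                NO_ACCEPTABLE)
                    conn.sendall(bytes([VER, pick]))
                except OSError:
                    continue

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def demo():
    """Audit one weak (no-auth) and one hardened (username/password) listener."""
    weak, weak_port = start_mock_listener({NO_AUTH})
    hard, hard_port = start_mock_listener({USERPASS})
    try:
        results = audit([("127.0.0.1", weak_port), ("127.0.0.1", hard_port)])
        return {"weak": results[f"127.0.0.1:{weak_port}"],
                "hardened": results[f"127.0.0.1:{hard_port}"]}
    finally:
        weak.close()
        hard.close()


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:9s} -> {verdict}")
```

The hardened listener still answers the greeting, which is why the probe can tell it apart from a closed port; a listener bound to loopback and reached only through an SSH tunnel would report "unreachable" from any other host, which is the result an external scan of your estate should produce.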


Staff Writer at CPO Magazine