Dr. Web security experts have discovered a new IoT botnet that uses the Linux.proxym malware and is trying to attack websites.
Linux.proxym is Linux malware that creates a proxy network on infected devices by running a SOCKS proxy server, which forwards malicious traffic and masks its true origin.
According to Dr. Web, Linux.proxym was first discovered in February this year, its activity peaked in late May, and the number of devices infected with Linux.proxym reached 10,000 in July.
Linux.proxym is compatible with a wide range of architectures, including x86, MIPS, MIPSEL, PowerPC, ARM, SuperH, Motorola 68000, and SPARC.
Linux.proxym is a malicious program for the Linux platform that launches a SOCKS proxy server on infected devices. Cyber criminals can use it to carry out sabotage anonymously.
The malware is known to run on architectures such as x86, MIPS, MIPSEL, PowerPC, ARM, SuperH, Motorola 68000, and SPARC. This means that Linux.proxym can infect almost any Linux device, including routers, set-top boxes, and other similar devices.
This September, the botnet built with Linux.proxym was initially used to send spam. It is estimated that each infected device sent nearly 400 e-mails a day.
Later, the attackers used the botnet to send phishing messages. The new messages were sent in the name of "DocuSign", a company that provides electronic signature technology and digital transaction management services to facilitate the exchange of electronic contracts and signed documents.
Each message contains a link to a forged DocuSign login page that the cyber criminals use to trick victims into entering their passwords. The victim is then redirected to the real DocuSign login page.
By December, the attackers had begun using the Linux.proxym botnet to attack websites, with methods including SQL injection, XSS (cross-site scripting), and local file inclusion (LFI). The sites attacked include game servers, forums and sites on other topics, and even "fighting nation" websites (the original lists the "fighting nation" websites separately = =).
On December 7, Dr. Web security researchers observed that the number of attacks launched by the Linux.proxym botnet had reached 20,000. About one month earlier, the botnet had been launching nearly 40,000 attacks a day.
"Although Linux.proxym has only one feature, acting as a proxy server, cyber criminals are constantly looking for new ways to use it, using it for illegal purposes and showing growing interest in IoT equipment."
Source: Securityaffairs
This article is compiled by Ljcnaix translation Group