
ProxyM botnet

A botnet made up of IoT devices is helping hackers mask attacks on web applications, acting as a relay point for SQL injection (SQLi), cross-site scripting (XSS), and local file inclusion (LFI) attempts.

The botnet, named ProxyM, is a veteran of the botnet scene and is built from devices infected with the Linux.ProxyM malware.

ProxyM active since February 2017

This botnet has been active since February 2017 and at one point in late May and early June, had reached a size of 10,000 infected devices.

Its operators have targeted IoT devices running stripped-down Linux distros, infecting them with malware that does nothing more than run a simple SOCKS5 proxy.

In June, researchers spotted the botnet relaying basic HTTP traffic, but by September, the ProxyM operator changed tactics, and the botnet was being utilized to send emails as part of spam campaigns.

By that time the botnet had also shrunk to only 4,500 – 5,000 devices, but that didn’t matter, because a few thousand devices are more than enough for a botnet that operates as a proxy network.

ProxyM changes tactics in mid-November

According to new research published last week by Dr.Web, the company that has been tracking all of ProxyM’s movements, the botnet has been repurposed again, and this time, ProxyM bots are used as relay points in attempts to exploit vulnerable websites and servers.

It is unclear if ProxyM’s owners are behind the attacks or if they are merely renting the botnet, but ProxyM bots have been sending between 10,000 and 35,000 requests per day, relaying exploitation attempts for SQLi, XSS, and LFI flaws.

Requests per day - ProxyM botnet

Dr.Web says victims include gaming-related servers, public forums, and websites on various topics. There’s no specific targeting, so it appears that someone is prodding random sites, hoping to find unpatched systems.
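A defender-side illustration of the relay pattern described above (an added example, not code from the article or from Dr.Web): a small Python script that parses constructed web access-log lines, tags requests carrying SQLi, XSS or LFI probe strings, and flags a payload that arrives identically from several source addresses, which is the footprint a proxy botnet like ProxyM leaves when one operator's probes are spread across many relay devices. The log lines, signature patterns and the two-source threshold are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample access-log lines (Combined Log Format); not real ProxyM traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [20/Nov/2017:10:01:02 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [20/Nov/2017:10:01:03 +0000] "GET /forum/view.php?id=1%27%20OR%201%3D1-- HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.12 - - [20/Nov/2017:10:01:05 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 312 "-" "Mozilla/5.0"
203.0.113.13 - - [20/Nov/2017:10:01:07 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 404 210 "-" "Mozilla/5.0"
198.51.100.7 - - [20/Nov/2017:10:02:00 +0000] "GET /forum/view.php?id=42 HTTP/1.1" 200 912 "-" "Mozilla/5.0"
"""

# Minimal parser: client IP, method, request path and status code.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Assumed probe signatures for the three attack classes the article names; matched on the decoded path.
SIGNATURES = {
    "lfi": re.compile(r"(\.\./|%2e%2e%2f|/etc/passwd)", re.I),
    "sqli": re.compile(r"'\s*(or|and)\s+\d+\s*=\s*\d+|union\s+select|--(\s|$)", re.I),
    "xss": re.compile(r"<\s*script|javascript:|onerror\s*=", re.I),
}

def classify(path):
    """Return the attack classes whose signature appears in the URL-decoded path."""
    decoded = unquote(path)
    return [name for name, rx in SIGNATURES.items() if rx.search(decoded)]

def analyze(log_text):
    """Map each attack class to the (source IP, raw path) pairs that triggered it."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        for cls in classify(m["path"]):
            hits[cls].append((m["ip"], m["path"]))
    return hits

def relay_indicator(hits, min_sources=2):
    """Flag payloads seen verbatim from at least min_sources distinct IPs: many
    low-volume sources sending one identical probe is what a proxy botnet relaying
    a single operator looks like, unlike a lone scanner hammering from one address."""
    flagged = {}
    for cls, entries in hits.items():
        by_payload = defaultdict(set)
        for ip, path in entries:
            by_payload[unquote(path)].add(ip)
        spread = {p: ips for p, ips in by_payload.items() if len(ips) >= min_sources}
        if spread:
            flagged[cls] = spread
    return flagged

if __name__ == "__main__":
    for cls, payloads in relay_indicator(analyze(SAMPLE_LOG)).items():
        for payload, ips in payloads.items():
            print(f"{cls}: {payload} from {len(ips)} sources {sorted(ips)}")
```

On the constructed sample the LFI probe is reported as coming from two relay addresses, while the single SQLi and XSS probes are counted but not flagged.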

ProxyM is part of a rising wave of IoT botnets that have come back to life this fall after taking a break over the spring and summer. Two other botnets very active this past fall are Satori (a Mirai variant) and Reaper.
