Proxy is a trojan that targets Linux devices. It was first identified in late 2016 and by the end of January 2017, thousands of devices had been infected. Attackers use other trojans to initially compromise the device and create a new user “mother” with the password “f***er.” They then login to the infected device via Secure Shell (SSH) and download the Proxy trojan.
It contains a copy of the Satanic Socks Server utility and uses it to set up a local SOCKS5 proxy server on one of the following registered ports: 18902, 27891, 28910, 33922, 37912, 39012, 48944, 49082, 49098, 56494, 61092, and 61301.
Attackers spreading the Proxy trojan are using the same server hosting the control panel for the SpyAgent computer monitoring software and a Windows build for the TeamViewer spyware. It is likely that the trojan’s authors are using the servers to rent out access to their anonymizing network.
- January 2017: Trojan transforms Linux devices into proxies for malicious traffic. (Bleeping Computer)
- Dr. Web provides technical details on the Proxy trojan, here.