The United States Department of Justice (DoJ) announced on Thursday that it has removed infrastructure linked to a Russian botnet known as RSOCKS in conjunction with law enforcement partners in Germany, the Netherlands and the UK.
Operated by a sophisticated cybercrime organization, the botnet is said to have entangled millions of internet-connected devices, including Internet of Things (IoT) devices, Android phones and computers for use as a proxy service.
A constantly evolving threat, botnets are networks of hijacked computing devices under the control of a single attacking party and used to facilitate a variety of large-scale cyber intrusions, such as distributed denial-of-service (DDoS) attacks, email spam and cryptojacking.
“The RSOCKS botnet provided its customers with access to IP addresses assigned to devices that had been hacked,” the DoJ said in a press release. “The owners of these devices have not authorized the RSOCKS operator(s) to access their devices to use their IP addresses and route internet traffic.”
In addition to home businesses and individuals, several large public and private entities, including a university, a hotel, a television studio and an electronics manufacturer, have been victims of the botnet to date, prosecutors said.
Customers who wanted to use RSOCKS’s proxies could rent access through a web-based storefront for different time periods at different prices, ranging from $30 per day for access to 2,000 proxies to $200 per day for access to 90,000 proxies.
Once purchased, criminals could reroute malicious internet traffic through the IP addresses of the victims’ compromised devices to hide their true intent, which was to carry out credential stuffing attacks, access compromised social media accounts, and send phishing messages.
The action is the culmination of a Federal Bureau of Investigation (FBI) undercover operation in early 2017, when it made secret purchases from RSOCKS to map its infrastructure and its victims, allowing it to track down about 325,000 infected devices.
“By analyzing the victim’s devices, researchers determined that the RSOCKS botnet compromised the victim’s device by conducting brute force attacks,” the DoJ said. “RSOCKS’ backend servers maintain a permanent connection to the compromised device.”
RSOCKS’ disruption comes less than two weeks after the DoJ seized an illegal online marketplace known as SSNDOB, which was used to trade personal information such as names, dates of birth, credit card numbers, and Social Security numbers of approximately 24 million individuals in the U.S.