An international law enforcement operation has taken down infrastructure used by a Russian botnet known as RSocks that hacked millions of computers and other electronic devices.

The joint operation, which included the U.S. Department of Justice and law enforcement agencies in Germany, the Netherlands and the U.K., started with Federal Bureau of Investigation agents mapping the RSocks infrastructure after purchasing a large number of proxies in 2017. Initially, the FBI identified about 325,000 compromised victim devices throughout the world.

According to a June 16 announcement, RSocks was found to compromise victims by conducting brute-force attacks. The RSocks backend servers maintained a persistent connection to the compromised devices. Having identified three victim locations, investigators replaced the compromised devices with government-controlled computers, or honeypots, and then let all three be compromised by RSocks.

Fast forward to 2022, and the use of the honeypots eventually led to the takedown.

The botnet was founded to offer clients access to proxy IP addresses assigned to devices that had been hacked. A purchaser who wanted to utilize RSock’s services could visit an online store that allowed them to pay rent to access a pool of proxies for a specified daily, weekly or monthly period. The cost for access to a pool of RSocks proxies ranged from $30 per day for access to 2,000 proxies to $200 per day for 90,000 proxies.

Once access was purchased, the customer could download a list of IP addresses and ports associated with one or more of the botnet’s backend servers. The customer could then use that list to route malicious traffic through compromised devices to mask or hide the true source of the traffic.

Users of the botnet are believed to have undertaken credential-stuffing attacks and phishing campaigns. The total number of devices compromised by the botnet is open to speculation, but RSocks itself claimed to have access to 8 million residential devices and more than a million mobile IPs.

“Using these devices as proxy servers is another example of how threat actors weaponize internet-connected devices to evade detection,” Elizabeth Wharton, vice president of operations at adversary emulation platform company SCYTHE Inc., told SiliconANGLE today. “For example, by using the device as a proxy server to create a local IP address, the malicious activity will likely go undetected because it doesn’t trigger an alert. Organizations should consider placing stronger external IP address restrictions to mitigate risk.”

Tom Garrubba, director of third-party risk management services at security company Echelon LP, noted that “botnets are so dangerous because they control large swaths of vulnerable computer systems at a scale unlike any other attack.”

“Those infected computer pools can then be pointed at legitimate resources and cause havoc,” Garrubba added. “Botnets can perform very disruptive attacks like distributed denial of service or large-scale vulnerability exploitation to sell to initial access brokers who will later lend that access to ransomware gangs.”

Image: RSocks