A recent announcement by the USA’s Department of Justice has revealed that a malware botnet known as RSOCKS has been disrupted by a collaborative effort from law enforcement agencies in America and Europe. The RSOCKS botnet has been instrumental in the hijacking of millions of devices around the world, enslaving desktop computers, laptops and smartphones to serve as proxy servers.

A joint task force bent on botnet disruption

The global law enforcement operation was led by the USA’s Federal Bureau of Investigation, working in conjunction with police forces in the countries where parts of the botnet’s infrastructure were located, including Germany, the United Kingdom and the Netherlands.

Botnets are collections of interconnected devices that threat actors control remotely to perform numerous malicious activities against organisations, governments and educational institutions. Common activities include Distributed Denial of Service (DDoS) attacks, malware deployment and crypto mining.

The RSOCKS botnet was predominantly used to turn residential devices into proxy servers, enabling the botnet’s customers to route malicious traffic through them or to make their transmissions appear to originate from a residential property’s IP address.

Common scenarios for such services include credential stuffing, phishing operations and account takeover attempts. However, the use of a proxy service also makes it far harder for law enforcement agents to track threat operators, especially when the IP addresses used belong to individuals who are ignorant of the fact that their devices have been commandeered.

An undercover operation

FBI agents started mapping out the RSOCKS botnet infrastructure as part of an undercover investigation back in 2017 when they purchased access to a horde of proxies.

According to the US Department of Justice, the cost of accessing the botnet’s proxy pools ranged from around $30 a day for 2,000 different proxies to about $200 a day for 90,000.

At the time, the investigators identified at least 325,000 compromised devices, many of them in homes in the US. RSOCKS allegedly compromised the computers by brute-forcing their passwords and then installing software that converted the exploited machines into dedicated proxy servers.

The Department of Justice statement detailed some of the victims involved in the botnet’s activities:

“Several large public and private entities have been victims of the RSOCKS botnet, including a university, a hotel, a television studio, and an electronics manufacturer, as well as home businesses and individuals. At three of the victim locations, with consent, investigators replaced the compromised devices with government-controlled computers (i.e., honeypots), and all three were subsequently compromised by RSOCKS.”

The RSOCKS malware botnet operation has now been severely disrupted by the global law enforcement operation. However, no arrests have yet been announced in connection with the threat operator.

Unsupervised, interconnected Internet of Things (IoT) devices are a prime target for bot masters looking to compromise equipment to serve as proxies. To protect such devices, companies should always ensure admin passwords are strong enough to withstand a brute-force attack, deploy the latest firmware updates and place IoT devices on a separate network that is isolated from core systems.
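The password brute-forcing described in the investigation section and the hardening advice above both point to the same defensive check: spotting a burst of failed logins against a device, and in particular a successful login that follows such a burst. The script below is an added example, not code from the article or from any of the agencies named in it. It parses constructed sshd-style log lines (the hostname, PIDs, usernames and RFC 5737 test addresses are all made up), keeps a sliding window of failures per source address, and reports each address that exceeds a threshold, the account names it tried, and whether a login succeeded while the burst was still in the window.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log lines in sshd's "Failed/Accepted password" format.
# These are NOT real logs; addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Jun 16 10:00:01 iot-gw sshd[4120]: Failed password for admin from 203.0.113.45 port 51022 ssh2
Jun 16 10:00:03 iot-gw sshd[4120]: Failed password for admin from 203.0.113.45 port 51023 ssh2
Jun 16 10:00:04 iot-gw sshd[4120]: Failed password for root from 203.0.113.45 port 51024 ssh2
Jun 16 10:00:06 iot-gw sshd[4120]: Failed password for root from 203.0.113.45 port 51025 ssh2
Jun 16 10:00:07 iot-gw sshd[4120]: Failed password for pi from 203.0.113.45 port 51026 ssh2
Jun 16 10:00:09 iot-gw sshd[4120]: Accepted password for admin from 203.0.113.45 port 51027 ssh2
Jun 16 10:05:00 iot-gw sshd[4188]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Jun 16 10:20:00 iot-gw sshd[4201]: Accepted password for alice from 198.51.100.7 port 40002 ssh2
"""

# Matches the syslog timestamp, outcome, account name and source address of a
# password authentication event. "invalid user" is emitted for unknown accounts.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse_line(line, year=2022):
    """Return a dict for an auth event, or None for lines we do not care about.
    Syslog timestamps carry no year, so one is supplied (assumed here)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Flag source addresses that produce `threshold` or more failed logins
    inside a sliding window of `window_seconds`, and record a success that
    lands while that burst is still in the window (possible account takeover)."""
    recent_failures = defaultdict(deque)   # ip -> timestamps of failures in window
    users_tried = defaultdict(set)         # ip -> account names probed
    findings = {}

    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        window = recent_failures[ev["ip"]]
        # Expire failures that fell out of the window before this event.
        while window and (ev["ts"] - window[0]).total_seconds() > window_seconds:
            window.popleft()

        if ev["result"] == "Failed":
            window.append(ev["ts"])
            users_tried[ev["ip"]].add(ev["user"])
            if len(window) >= threshold:
                finding = findings.setdefault(
                    ev["ip"], {"burst": True, "success_after_burst": None})
                finding["users_tried"] = users_tried[ev["ip"]]
        else:  # Accepted
            finding = findings.get(ev["ip"])
            # A success while failures are still in the window is the signal
            # that a guessed password worked, not a user mistyping twice.
            if finding is not None and window:
                finding["success_after_burst"] = ev["user"]
    return findings


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG).items():
        print(ip, "tried", sorted(info["users_tried"]),
              "-> login succeeded as", info["success_after_burst"])
```

On the sample above the only finding is 203.0.113.45, which probed the default-looking accounts admin, root and pi and then logged in as admin two seconds after its fifth failure; the single failure from 198.51.100.7 followed by a success fifteen minutes later is the benign typo case and is not reported. The threshold and window are the knobs to tune against a device's real traffic; the same structure works for any login log once `LINE_RE` is adapted to its format.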