Pierluigi Paganini June 18, 2022

The U.S. Department of Justice (DoJ) announced to have shut down the infrastructure associated with the Russian botnet RSOCKS.

The U.S. Department of Justice (DoJ) announced to have shut down the infrastructure associated with the Russian botnet RSOCKS as part of an international police operation that involved law enforcement partners from Germany, the Netherlands, and the U.K.

The RSOCKS was composed of millions of compromised computers and other electronic devices around the world, including industrial control systems, time clocks, routers, audio/video streaming devices, and smart garage door openers.

“The U.S. Department of Justice, together with law enforcement partners in Germany, the Netherlands and the United Kingdom, have dismantled the infrastructure of a Russian botnet known as RSOCKS which hacked millions of computers and other electronic devices around the world.” reads the announcement published by DoJ.

The experts added that the RSOCKS botnet expanded into compromising additional types of devices, including Android devices and conventional computers.

“The RSOCKS botnet compromised millions of devices throughout the world,” said U.S. Attorney Randy Grossman. “Cyber criminals will not escape justice regardless of where they operate. Working with public and private partners around the globe, we will relentlessly pursue them while using all the tools at our disposal to disrupt their threats and prosecute those responsible.”  Grossman thanked the prosecution team, the FBI and the Department of Justice Criminal Division’s Computer Crimes and Intellectual Property Section for their excellent work on this case.

The operators behind the RSOCKS botnet offered their clients access to IP addresses assigned to devices that had been compromised to route internet traffic.

Clients of the RSOCKS botnet could pay a fee to its operators by using a web browser to navigate to a web-based “storefront” (i.e., a public web site that allows users to purchase access to the botnet) which allowed them to rent access to a pool of proxies for a specified period of time (i.e. 1 day, 1 week, or one month). The cost for access to a pool of RSOCKS proxies ranged from $30 per day for access to 2,000 proxies to $200 per day for access to 90,000 proxies.

Once purchased a pool of proxies, threat actors could redirect malicious internet traffic through the IP addresses associated with the compromised devices and carry out a broad range of malicious activities, including credential stuffing attacks, accessing compromised social media accounts, and sending out phishing messages.

The investigation into the botnet revealed that its operators compromised several large public and private entities, including a university, a hotel, a television studio, and an electronics manufacturer, along with home businesses and individuals.

“As alleged in the unsealed warrant, FBI investigators used undercover purchases to obtain access to the RSOCKS botnet in order to identify its backend infrastructure and its victims. The initial undercover purchase in early 2017 identified approximately 325,000 compromised victim devices throughout the world with numerous devices located within San Diego County.” continues DoJ.

Recently, another international law enforcement operation resulted in the seizure of SSNDOB, a series of websites offering personal information, including the names, dates of birth, and Social Security numbers belonging to individuals in the United States. According to the authorities, the SSNDOB Marketplace has listed the personal information for approximately 24 million individuals in the United States, generating more than $19 million USD in sales revenue.

Security Affairs is one of the finalists for the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS. I ask you to vote for me again (even if you have already done it), because this vote is for the final.

Please vote for Security Affairs and Pierluigi Paganini in every category that includes them (e.g. sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog”)

To nominate, please visit: 

https://docs.google.com/forms/d/e/1FAIpQLSdNDzjvToMSq36YkIHQWwhma90SR0E9rLndflZ3Cu_gVI2Axw/viewform

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, RSOCKS)

[adrotate banner=”5″]

[adrotate banner=”13″]