A joint law enforcement operation undertaken by Dutch and U.S. authorities has dismantled a criminal proxy network that’s powered by thousands of infected Internet of Things (IoT) and end-of-life (EoL) devices, enlisting them into a botnet for providing anonymity to malicious actors.
In conjunction with the domain seizure, Russian nationals, Alexey Viktorovich Chertkov, 37, Kirill Vladimirovich Morozov, 41, Aleksandr Aleksandrovich Shishkin, 36, and Dmitriy Rubtsov, 38, a Kazakhstani national, have been charged by the U.S. Department of Justice (DoJ) for operating, maintaining, and profiting from the proxy services.
The DoJ noted that users paid a monthly subscription fee, ranging from $9.95 to $110 per month, netting the threat actors more than $46 million by selling access to the infected routers. The service is believed to have been available since 2004.
It also said the U.S. Federal Bureau of Investigation (FBI) found business and residential routers in Oklahoma that had been hacked to install malware without the users’ knowledge.
“A weekly average of 1,000 unique bots in contact with the command-and-control (C2) infrastructure, located in Turkey,” Lumen Technologies Black Lotus Labs said in a report shared with The Hacker News. “Over half of these victims are in the United States, with Canada and Ecuador showing the next two highest totals.”
The services in question – anyproxy.net and 5socks.net – have been disrupted as part of an effort codenamed Operation Moonlander. Lumen told The Hacker News that both the platforms point to the “same botnet, selling under two different named services.”
Snapshots captured on the Internet Archive show that 5socks.net advertised “more than 7,000 online proxies daily” spanning various countries and states of the U.S., enabling threat actors to anonymously carry out a wide range of illicit activity in exchange for a cryptocurrency payment.
Lumen said the compromised devices were infected with a malware called TheMoon, which has also fueled another criminal proxy service referred to as Faceless. The company has also taken the step of disrupting the infrastructure by null routing all traffic to and from their known control points.
“The two services were essentially the same pool of proxies and C2s, and besides that malware, they were using a variety of exploits that were useful against EoL devices,” Lumen told The Hacker News. “However the proxy services themselves are unrelated [to Faceless].”
It is suspected that the operators of the botnet relied on known exploits to breach EoL devices and rope them into the proxy botnet. Newly added bots have been found to contact a Turkey-based C2 infrastructure consisting of five servers, out of which four are designed to communicate with the infected victims on port 80.
“One of these 5 servers uses UDP on port 1443 to receive victim traffic, while not sending any in return,” the cybersecurity company said. “We suspect this server is used to store information from their victims.”
In an advisory issued by the FBI Thursday, the agency said the threat actors behind the botnets have exploited known security vulnerabilities in internet-exposed routers to install malware that grants persistent remote access.
The FBI also pointed out that the EoL routers have been compromised with a variant of TheMoon malware, permitting the threat actors to install proxy software on the devices and help conduct cyber crimes anonymously. TheMoon was first documented by the SANS Technology Institute in 2014 in attacks targeting Linksys routers.
“TheMoon does not require a password to infect routers; it scans for open ports and sends a command to a vulnerable script,” the FBI said. “The malware contacts the command-and-control (C2) server and the C2 server responds with instructions, which may include instructing the infected machine to scan for other vulnerable routers to spread the infection and expand the network.”
When users purchase a proxy, they receive an IP and port combination for connection. Just like in the case of NSOCKS, the service lacks any additional authentication once activated, making it ripe for abuse. It has been found that 5socks.net has been used to conduct ad fraud, DDoS and brute-force attacks, and exploit victim’s data.
To mitigate the risks posed by such proxy botnets, users are advised to regularly reboot routers, install security updates, change default passwords, and upgrade to newer models once they reach EoL status.
“Proxy services have and will continue to present a direct threat to internet security as they allow malicious actors to hide behind unsuspecting residential IPs, complicating detection by network monitoring tools,” Lumen said.
“As a vast number of end-of-life devices remain in circulation, and the world continues to adopt devices in the ‘Internet of Things,’ there will continue to be a massive pool of targets for malicious actors.”
