Full Report
The FBI has detected indicators of malware targeting end-of-life routers associated with Anyproxy and 5Socks proxy services
Analysis Summary
# Tool/Technique: Anyproxy and 5Socks
## Overview
Anyproxy and 5Socks are known proxy services used by cybercriminals. The FBI has highlighted their association with a campaign exploiting obsolete (End-of-Life or EOL) routers. These services facilitate malicious activities, often by routing traffic through compromised devices.
## Technical Details
- Type: Tool (Proxy Service Facilitating Malware Deployment)
- Platform: Routers (Implied: Cisco Linksys, Ericsson Cradlepoint, based on affected models mentioned by FBI)
- Capabilities: Providing proxy infrastructure; used to host command and control or to anonymize malicious traffic originating from compromised edge devices.
- First Seen: Not explicitly stated in the provided text, but mentioned as "well-known."
## MITRE ATT&CK Mapping
*The context describes the exploitation of routers used as proxies, which maps to network control and defense evasion. Since the primary focus is on the tools used after compromise to maintain presence, we map based on the outcome.*
- **TA0011 - Command and Control**
  - **T1090 - Proxy**
    - T1090.002 - Proxy: Multi-hop Proxy (if chaining compromised routers)
    - T1090.003 - Proxy: Domain Fronting (potential use case, though not explicitly confirmed)
## Functionality
### Core Capabilities
- Providing proxy network infrastructure for threat actors.
- Hiding the true source of malicious traffic.
### Advanced Features
- The campaign exploited unpatched vulnerabilities in EOL routers, frequently through the pre-installed remote management software (RMM) on those devices, to obtain shell access.
## Indicators of Compromise
- File Hashes: N/A (No specific malware hashes provided in the summary)
- File Names: N/A
- Registry Keys: N/A
- Network Indicators:
  - Domains (associated with the proxy services, now reportedly seized): anyproxy[.]net, 5socks[.]net
- Behavioral Indicators:
  - Installation of malware onto EOL routers.
  - Use of compromised routers for unauthorized forwarding of network traffic.
  - Authentication bypass on router remote management software (RMM).
## Associated Threat Actors
- Unspecified threat actor(s) leveraging these proxy chains against vulnerable routers.
## Detection Methods
- Signature-based detection: Likely applicable to the specific malware payload installed on the routers, though no details are provided.
- Behavioral detection: Monitoring for unexpected outbound connections or unusual traffic patterns originating from enterprise routers, especially those known to be EOL.
- YARA rules: N/A
## Mitigation Strategies
- **Prevention Measures:** Immediately replacing or securely decommissioning End-of-Life (EOL) router models that no longer receive security updates.
- **Hardening Recommendations:** Disabling or securing Remote Management Software (RMM) services on edge devices, ensuring strong authentication is enforced, and restricting management access only to trusted networks.
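An added example (not from the FBI advisory or this report) of the behavioral detection and management-access restriction described above, applied to constructed flow records: the router inventory, the internal and trusted management networks, the port set, the fan-out threshold and the sample flows are all assumptions made up for the example. It flags a router whose management port is reached from an untrusted source, and a router that itself originates connections to many external hosts, the pattern expected of a compromised edge device used as a proxy node.

```python
import ipaddress
from collections import defaultdict
# Constructed asset inventory: router IP -> (name, is_end_of_life)
ROUTERS = {
    "10.0.0.1": ("branch-rtr-1", True),   # EOL model, no longer patched
    "10.0.0.2": ("branch-rtr-2", False),  # still receives updates
}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]        # constructed
TRUSTED_MGMT_NETS = [ipaddress.ip_network("10.10.0.0/16")]  # constructed
MGMT_PORTS = {22, 23, 80, 443, 8080}  # common remote-management ports
FANOUT_THRESHOLD = 3  # distinct external destinations before egress looks proxy-like

# Constructed flow records, one "src_ip,dst_ip,dst_port" per line (documentation ranges)
SAMPLE_FLOWS = """\
198.51.100.7,10.0.0.1,8080
10.10.4.9,10.0.0.2,443
10.0.0.1,203.0.113.10,443
10.0.0.1,203.0.113.11,443
10.0.0.1,203.0.113.12,25
10.0.0.1,203.0.113.13,993
10.0.0.2,203.0.113.10,443
"""

def in_any(ip, nets):
    return any(ipaddress.ip_address(ip) in net for net in nets)

def parse_flows(text):
    # One flow record per line -> (src, dst, port); blank lines are skipped
    flows = []
    for line in text.splitlines():
        if line.strip():
            src, dst, port = line.split(",")
            flows.append((src, dst, int(port)))
    return flows

def find_indicators(flows):
    findings = []
    egress = defaultdict(set)  # router IP -> external destinations it originated
    for src, dst, port in flows:
        # Check 1: a router management port reached from outside the trusted networks
        if dst in ROUTERS and port in MGMT_PORTS and not in_any(src, TRUSTED_MGMT_NETS):
            findings.append(("exposed_mgmt", ROUTERS[dst][0], src, port))
        # Check 2: the router itself originates connections to external hosts
        if src in ROUTERS and not in_any(dst, INTERNAL_NETS):
            egress[src].add(dst)
    for rtr, dsts in egress.items():
        name, eol = ROUTERS[rtr]
        if len(dsts) >= FANOUT_THRESHOLD:  # fan-out consistent with proxy forwarding
            findings.append(("proxy_like_egress", name, len(dsts), "EOL" if eol else "supported"))
    return findings
```

On the sample data this reports the EOL router both for a management port exposed to an untrusted source and for proxy-like egress to four external hosts, while the supported router with a single outbound flow is not flagged.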
## Related Tools/Techniques
- Use of other proxy tools (e.g., VPNs, SOCKS proxies).
- Exploitation of known vulnerabilities in legacy/unmaintained firmware.