# Full Report
The long-running botnet operation used malware that infected older wireless internet routers over a 20-year period, according to federal prosecutors. Source: "US seizes Anyproxy, 5socks botnets and indicts alleged administrators", CyberScoop.
# Analysis Summary
# Tool/Technique: Anyproxy and 5socks Botnets
## Overview
Anyproxy and 5socks refer to two long-running botnet services that leveraged malware specifically designed to infect older wireless internet routers. The primary function was to reconfigure these infected routers and sell unauthorized access to them as proxy servers on associated commercial websites.
## Technical Details
- Type: Malware/Botnet Infrastructure
- Platform: Wireless Internet Routers (IoT/End-of-Life devices)
- Capabilities: Reconfiguring infected routers, providing victim IP addresses as proxy servers for sale.
- First Seen: Operation spanned over a 20-year period (as claimed by 5socks.net).
## MITRE ATT&CK Mapping
* **TA0001 - Initial Access**
  * T1190 - Exploit Public-Facing Application (implied: older routers are targeted, suggesting exploitation or insecure configuration access)
* **TA0011 - Command and Control**
  * T1071 - Application Layer Protocol (C2 infrastructure was used)
* **TA0008 - Lateral Movement** (implied: compromised proxies could be used for onward attacks)
*(Note: Specific T-number mappings are inferred based on the nature of a proxy botnet operation infecting routers.)*
## Functionality
### Core Capabilities
- **Infection:** Deploying malware onto older wireless internet routers to gain persistent control.
- **Proxy Leasing:** Offering compromised router IP addresses as proxy servers for third parties.
- **Monetization:** Charging monthly subscription fees ranging from $9.95 to $110 per month for access to the proxy network.
### Advanced Features
- **Global Proxy Network:** Maintaining a large network (5socks claimed over 7,000 proxies worldwide) for illicit access.
- **Long-term Persistence:** Operating the service successfully for approximately 20 years.
- **Command and Control (C2):** Maintaining C2 infrastructure tracked to locations like Turkey, with thousands of unique bots contacting it weekly.
## Indicators of Compromise
- File Hashes: [Not provided in the text]
- File Names: [Malware binary/name not provided in the text]
- Registry Keys: [Not applicable/Not provided for router firmware context]
- Network Indicators:
  - Anyproxy C2/Sales Domain: anyproxy[.]net (seized)
  - 5socks C2/Sales Domain: 5socks[.]net (seized)
  - Observed C2 Infrastructure Location: Turkey
- Behavioral Indicators:
  - Routers communicating with known C2 infrastructure.
  - Unauthorized reconfiguration of router firmware.
## Associated Threat Actors
- Viktorovich Chertkov (Russian national)
- Kirill Vladimirovich Morozov (Russian national)
- Aleksandr Aleksandrovich Shishkin (Russian national)
- Dmitriy Rubtsov (Kazakhstani national)
*(Alleged administrators, indicted by the U.S. DOJ)*
## Detection Methods
- Signature-based detection: [Not explicitly mentioned, but signature detection on known malware variants would apply]
- Behavioral detection: Detect abnormal outbound communication from network devices (routers) that matches known C2 patterns, or inbound-then-outbound traffic shapes associated with proxy relaying.
- YARA rules: [Not provided in the text]
## Mitigation Strategies
- **Patching/Replacing End-of-Life Hardware:** Removing older wireless internet routers from service, as these were the primary targets.
- **Network Monitoring:** Implementing monitoring to detect anomalous outbound traffic originating from network edge devices (routers).
- **Firmware Integrity Checks:** Regularly verifying the integrity of router firmware against vendor releases.
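As an added illustration of the behavioral detection and network monitoring items above (example code, not from the report or CyberScoop), the script below scores flow records from monitored edge routers on three signals a leased-proxy bot tends to show: contact with the seized sales/C2 domains named in the report, regular-interval beaconing to one destination, and unsolicited inbound sessions followed by fresh outbound sessions to a third party (relaying). The router inventory, the timing thresholds and the flow lines are constructed assumptions for the demo; the SOCKS port 1080 is likewise only a plausible sample value.

```python
from collections import defaultdict
from statistics import mean, pstdev

C2_DOMAINS = {"anyproxy.net", "5socks.net"}  # seized domains named in the report
BEACON_MIN, JITTER_MAX = 4, 5.0              # >=4 contacts whose interval stddev < 5s (assumed)
RELAY_WINDOW = 3.0                           # inbound session, then new outbound within 3s (assumed)
ROUTERS = {"192.0.2.10", "192.0.2.20"}       # assumed inventory of monitored edge routers

# Constructed sample flows (not real telemetry): seconds,src,dst,dst_port,direction
SAMPLE_FLOWS = """\
0,192.0.2.10,5socks.net,443,out
100,198.51.100.7,192.0.2.10,1080,in
101.5,192.0.2.10,203.0.113.50,80,out
300,198.51.100.8,192.0.2.10,1080,in
301,192.0.2.10,203.0.113.51,443,out
600,192.0.2.10,5socks.net,443,out
1201,192.0.2.10,5socks.net,443,out
1799,192.0.2.10,5socks.net,443,out
50,192.0.2.20,updates.example.net,443,out
700,198.51.100.9,192.0.2.20,443,in
4000,192.0.2.20,updates.example.net,443,out
"""

def analyze(text, routers):
    """Return {router: [finding, ...]} for routers whose flows look like a proxy bot."""
    flows = sorted((float(t), s, d, direction) for t, s, d, _port, direction in
                   (line.split(",") for line in text.strip().splitlines()))
    findings, outbound = defaultdict(set), defaultdict(list)
    for t, src, dst, direction in flows:
        if direction == "out" and src in routers:
            outbound[(src, dst)].append(t)
            if dst in C2_DOMAINS:              # direct hit on seized infrastructure
                findings[src].add(f"c2-domain:{dst}")
    # Beaconing: a near-constant interval to one destination is unlike user-driven traffic.
    for (router, dst), times in outbound.items():
        gaps = [b - a for a, b in zip(times, times[1:])]
        if len(times) >= BEACON_MIN and pstdev(gaps) < JITTER_MAX:
            findings[router].add(f"beacon:{dst}:interval~{round(mean(gaps))}s")
    # Relaying: an unsolicited inbound session followed by a fresh outbound session
    # to a third party is the shape of leased-proxy traffic, not of a home router.
    for router in routers:
        pivots = sum(
            any(d2 == "out" and s2 == router and dst2 != src and t < t2 <= t + RELAY_WINDOW
                for t2, s2, dst2, d2 in flows)
            for t, src, dst, dirn in flows if dirn == "in" and dst == router)
        if pivots:
            findings[router].add(f"relay:{pivots}")
    return {r: sorted(f) for r, f in findings.items()}
```

Calling `analyze(SAMPLE_FLOWS, ROUTERS)` flags only 192.0.2.10, on all three signals; the second router's irregular update traffic and one unanswered inbound session produce nothing.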
## Related Tools/Techniques
- Other long-running proxy botnets targeting IoT/router devices.
- Proxy infection malware families.