Feds Knock RSocks Off: Another Big Botnet Bites the Dust
In mid-June, an international coalition of law enforcement agencies effectively knocked the RSocks botnet offline.
The entrenched Russian botnet had been surreptitiously controlling millions of devices around the world, until the U.S. Department of Justice (DoJ) banded together with law enforcement partners in Germany, the Netherlands and the UK to disrupt the operation, according to a June 16 announcement issued by Assistant U.S. Attorney Jonathan I. Shapiro’s San Diego, Calif., office.
The RSocks botnet had been active since at least 2016, and the threat actor behind it had positioned its product as a Proxy/VPN provider for anonymization. But to provide this functionality, the group was co-opting the computing power of a staggering number of hacked devices.
What Was the RSocks Service?
The RSocks botnet consisted of millions of hacked devices worldwide. It initially targeted Internet of Things (IoT) devices, including industrial control systems, routers, audio/video streaming devices, and smart garage door openers, along with other household appliances that are equipped to communicate over the internet. The botnet later expanded its reach to include Android™ devices and conventional computers.
According to the self-promoting posts on underground forums, RSocks provided high-quality proxy services for “any needs.”
The ad used by RSocks, shown in Figure 1 below, translates into English as follows:
- We provide services to those who understand what they are doing and for what.
- Almost round-the-clock support work. Instant response to any whims and specifics of your work.
- Our team offers you fast and high-quality proxies for any needs!
- Supported protocols: socks4/5/HTTP(s) on one port.
- You can use our proxies for any mailings (ports 25 and 465 are open), various registrations, and so on...
- All logging is entirely disabled! We guarantee anonymity!
- We provide the test for 1 hour; this time should be enough to understand the quality and speed.
- A moneyback guarantee is provided within 24 hours if something does not suit you.
Figure 1: RSock’s ad on forums
In essence, RSocks was a botnet proxy service that specialized in “residential nodes.” Rather than leasing IP addresses from an Internet Service Provider (ISP) like a legitimate Proxy/VPN service, RSocks sold access to infected devices that had residential IPs – most likely, home users whose devices had been hacked.
Attackers can use these infected machines to send spam, launch Distributed Denial of Service (DDoS) attacks, or any other cybercriminal activity, such as (for instance) bypassing online banking anti-fraud detection systems. In fact, in cybercriminal circles, this service was likely considered the best in its class until it was disrupted.
What Was RSocks' Tooling?
The threat group behind RSocks also actively promoted another tool called RSocks Proxy Checker. This tool was used for live-checking which infected nodes were available for remote SOCKS connections, as shown in Figure 2:
Figure 2: RSock’s Proxy Checker
The tool's primary purpose is to test infected nodes to see whether they are active or dead, sorting them by country according to the victim’s geolocation.
Several anti-malware vendors detected the aforementioned tools as potentially unwanted.
Some of the in-the-wild samples that connected with the RSocks domain, as shown in Figure 3, included backdoor and coin miner functionality. For example, “RSocksProxyCheckerSetup_2.1.5.exe” (SHA256: bdfacd023bdc459c671350896fdda5b42383d5498d60d97a45de6f9da8d321d9) uses network infrastructure that has been associated with several different malware families.
Figure 3: VirusTotal’s mapping of rsocks[.]net
It is also notable that other threat actors often relied on RSocks service as a proxy to hide their network infrastructure, such as command-and-control (C2) servers and exfiltration nodes. They did this to help facilitate data exfiltration by sending this traffic through whitelisted IP addresses.
RSocks Domain History
The domain initially used by RSocks was registered with the email address dev[.]rsocks@gmail[.]com, which is also connected to the name “Vyacheslav Zainullin.”
At the time of writing this piece, the RSocks Twitter account was still active, as seen in Figure 4:
Figure 4: Twitter account for RSocks Proxy tool
At the time of writing this piece, the RSocks domain has been seized. The seizure of the domain and the disruption of its services might temporarily reduce certain types of attacks. However, it is not the only tool on the market offering anonymization services. And indeed, the owner of this botnet has indicated that they intend to rebuild their service.
RSocks was a product built for cybercriminal activity, powered by a botnet of infected devices that now must be disinfected, too. This disinfection process can be exhausting and sometimes leads to dead ends, especially when IoT devices are involved. It is a clear example of why even the most innocent-seeming devices need to be covered by security policies.
When it is time to defend machines at work and at home, it is essential to return to the basics: patching, changing default configurations, and setting strong passwords. It’s also critical to tune up configurations on your devices so that they are not allowing more capabilities than you need, thus increasing the potential attack surface. When possible, gain visibility into your system’s logs, analyze network traffic, and use AI-based endpoint protection services to prevent your device from being used for malicious activities.
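To make the "gain visibility into your logs and network traffic" advice concrete, here is a small added example (my own defender-side script, not BlackBerry's tooling and not code from the article) that applies two indicators the article provides: the rsocks[.]net domain and the SHA256 of the RSocksProxyCheckerSetup_2.1.5.exe sample. It also flags an internal host that opens outbound SMTP connections (ports 25 and 465, the ports the RSocks ad said were open for "mailings") to many distinct destinations, a fan-out pattern a residential device normally never shows. The log format, the sample lines, the fan-out threshold and all IP addresses are constructed for the example.

```python
import hashlib
import re
from collections import defaultdict

# Indicators taken from the article. The domain is defanged in the text
# ("rsocks[.]net"); refang() turns it back into a matchable hostname.
RSOCKS_DOMAIN_DEFANGED = "rsocks[.]net"
RSOCKS_CHECKER_SHA256 = (
    "bdfacd023bdc459c671350896fdda5b42383d5498d60d97a45de6f9da8d321d9"
)
# Ports the RSocks ad advertised as open for "mailings".
SMTP_PORTS = {25, 465}
# Assumed tuning value: distinct external SMTP destinations per host before
# we call it suspicious fan-out. A real deployment would baseline this.
SMTP_DEST_THRESHOLD = 3

# Constructed sample log in a simplified "ts src dst dport [qname=...]"
# format (not real firewall or DNS logs). 192.168.1.20 resolves the RSocks
# domain; 192.168.1.33 sprays SMTP at four hosts; 192.168.1.40 is benign.
SAMPLE_LOG = """\
2022-06-10T10:00:01 192.168.1.20 8.8.8.8 53 qname=rsocks.net
2022-06-10T10:00:02 192.168.1.20 203.0.113.5 443
2022-06-10T10:01:00 192.168.1.33 198.51.100.10 25
2022-06-10T10:01:01 192.168.1.33 198.51.100.11 25
2022-06-10T10:01:02 192.168.1.33 198.51.100.12 465
2022-06-10T10:01:03 192.168.1.33 198.51.100.13 25
2022-06-10T10:02:00 192.168.1.40 198.51.100.10 25
2022-06-10T10:03:00 192.168.1.40 8.8.8.8 53 qname=example.org
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<dport>\d+)(?: qname=(?P<qname>\S+))?$"
)


def refang(indicator):
    """Turn a defanged indicator such as rsocks[.]net into rsocks.net."""
    return indicator.replace("[.]", ".")


def parse_line(line):
    """Parse one constructed log line into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def analyze_log(text):
    """Return hosts that resolved the RSocks domain and hosts with SMTP fan-out."""
    domain = refang(RSOCKS_DOMAIN_DEFANGED)
    domain_hits = set()
    smtp_dests = defaultdict(set)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        qname = rec["qname"]
        # Match the domain itself and any subdomain of it.
        if qname and (qname == domain or qname.endswith("." + domain)):
            domain_hits.add(rec["src"])
        if rec["dport"] in SMTP_PORTS:
            smtp_dests[rec["src"]].add(rec["dst"])
    smtp_fanout = {
        host: len(dests)
        for host, dests in smtp_dests.items()
        if len(dests) >= SMTP_DEST_THRESHOLD
    }
    return {"rsocks_dns": sorted(domain_hits), "smtp_fanout": smtp_fanout}


def sha256_of_bytes(data):
    """Hex SHA256 of an in-memory blob."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path):
    """Hex SHA256 of a file, read in chunks so large installers do not load whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def matches_rsocks_checker(digest):
    """True if a hex digest equals the article's RSocksProxyCheckerSetup sample hash."""
    return digest.lower() == RSOCKS_CHECKER_SHA256


if __name__ == "__main__":
    findings = analyze_log(SAMPLE_LOG)
    print("Hosts resolving the RSocks domain:", findings["rsocks_dns"])
    print("Hosts with SMTP fan-out:", findings["smtp_fanout"])
```

Running the script on the constructed log reports 192.168.1.20 for the DNS lookup and 192.168.1.33 with four SMTP destinations, while 192.168.1.40 (one SMTP destination, a benign lookup) is left alone. The same analyze_log() can be pointed at real DNS or firewall exports once parse_line() is adapted to their format; the hash helpers are for checking downloaded installers against the published sample hash rather than trusting a filename.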
If you’re battling this malware or a similar threat, you’ve come to the right place, regardless of your existing BlackBerry relationship.
The BlackBerry Incident Response team is made up of world-class consultants dedicated to handling response and containment services for a wide range of incidents, including ransomware and Advanced Persistent Threat (APT) cases.
We have a global consulting team standing by to assist you, providing around-the-clock support where required, as well as local assistance. Please contact us here: https://www.blackberry.com/us/en/forms/cylance/handraiser/emergency-incident-response-containment