Threat Dossier: RouteX

Peering into a Russian Proxy Botnet

We recently released our white paper, New and Old Techniques in the Fight Against Credential Stuffing, where we discuss the techniques attackers use to perform credential stuffing and the methods defenders use to counter these attacks. One of the problems detailed there, which defenders commonly face, is the use of hacked consumer devices as proxies: the attacker's connections blend in with the masses and are disguised as legitimate.

In this report we detail our investigation into one such botnet, which our Hivemind platform encountered, that hacks consumer and small business routers and turns them into a network of private proxies. During our investigation, we identified many indicators of compromise, a new suite of scripts that facilitates the private proxy botnet, and strong ties to a Russian persona. We also uncover other fraudulent activity by the suspect dating back to as early as 2007.

The information in this article is provided as is and without warranty and does not represent professional advice or services.
Forkbombus Labs is not responsible for any loss or damages from actions taken based on information within this publication.

In the interest of saving space and protecting non-suspect identities, some images may be redacted or cropped. Forkbombus Labs asserts that no provided evidence has been altered or misrepresented, and only non-contributing information has been redacted.

While all information represented in this document is believed to be accurate, Forkbombus Labs and any contributing entities are not responsible or liable for repercussions from the use or misuse of any information provided throughout this document, or in any resulting correspondence related to this document. Receiving parties are responsible for independently verifying the information outlined in this document.