RouteX Malware Uncovered

Overview

Recently, Forkbombus Labs’ Hivemind Intelligence Deception Technology uncovered exploitation activity spreading a previously undisclosed router malware dubbed RouteX. RouteX has been observed infecting Netgear routers susceptible to the CVE-2016-10176 vulnerability. The main purpose of the RouteX malware is to turn infected devices into SOCKS proxies to which access is restricted to the attacker alone. Through victim interviews, Forkbombus Labs learned that devices infected with the RouteX malware have been used to facilitate credential stuffing. Forkbombus Labs’ investigation into the RouteX malware uncovered a related Links malware, observed infecting Ubiquiti Networks devices via weak SSH credentials. Further investigation into the malware and related activity uncovered strong ties to a long-standing Russian persona which may have relations to the Oil and Gas industry.

Thanks to Hivemind, our researchers were able to uncover the indicators and motivations behind these attacks and even the attacker’s identity. This intelligence enabled our users to quickly identify appropriate responses to this threat for their individual environments.

— James Ward – CEO & Co-Founder of Forkbombus Labs

The full report may be found here.

RouteX malware

The RouteX malware infects consumer routers, turning them into SOCKS proxies for the attacker to then leverage in further attacks. During victim interviews, Forkbombus Labs identified that these further attacks involve credential stuffing against Fortune 500 companies.

Even mature security operations may pass over RouteX activity, due to the innocuous reconnaissance stage and choice of consumer targets. By using Learned Dynamic Deception to follow RouteX activity from reconnaissance through exploitation, to its ultimate use in Credential Stuffing, we were able to identify the true threat that RouteX poses to both consumers and larger corporations.

— Stu Gorton – CSO & Co-Founder of Forkbombus Labs

Notable facts about RouteX

  • Observed on Netgear routers
  • Spread by CVE-2016-10176
  • Turns vulnerable routers into SOCKS proxies using the mocks (My Own soCKs Server) SOCKS proxy software
  • Restricts access to the SOCKS server and exploited web interface to the attacker
  • Used to facilitate Credential Stuffing attacks against Fortune 500 companies
  • Strong indicators of Russian origin

For more information, and indicators of compromise, please find the full report here.

Victim Resources

If you suspect you may be a victim of the RouteX or Links malware, or other cyber criminal activity, please contact Forkbombus Labs.

Hivemind Intelligent Deception

Hivemind is Forkbombus Labs’ patent-pending A.I.-driven deception technology. Standard honeypots and deception technologies imitate a predetermined service or environment. This becomes problematic because attackers’ capabilities and interests often differ from what static deceptions offer. Even when attackers stumble upon static honeypots, they often ignore them in favour of different scenarios. When attackers fail to engage with deception technologies, defenders fail to gain the valuable intelligence that enables intelligent responses to attacks.

As Hivemind learns an attacker’s capabilities and motivations, Hivemind sensors instantly alter their appearance to each attacker to emulate what they are most likely to interact with. This makes attackers more likely to engage Hivemind sensors, leading them to divulge as much information about themselves and their intentions as possible. This enhanced collection capability enables defenders to rapidly detect attackers’ resources, motivations, and identities, allowing defenders to respond to threats more quickly and more intelligently than ever before. Attackers that engage with Hivemind increase their own costs while saving defenders time and money.