A Russian-speaking hacker is using a new variant of the RouteX malware to infect Netgear routers and further launch attacks against Fortune 500 firms. The malware hijacks vulnerable routers and turns them into SOCKS proxies, which the attacker then leverages in further attacks involving "credential stuffing against Fortune 500 companies".
Researchers at US-based cybersecurity firm Forkbombus Labs, who uncovered the attacks, said that their analysis into the attacks led them to the discovery that the RouteX malware was linked to the Links malware, which they deem RouteX's predecessor. The researchers also said that the hacker is exploiting a particular vulnerability that affects the web server included with Netgear WNR routers, which was disclosed last year.
The hacker uses the vulnerability to infect Netgear routers running older and vulnerable firmware with RouteX, which then turns the infected device into a proxy and restricts access to the attacker. The hacker then launched credential stuffing attacks, which involves cybercriminals collecting leaked credentials from previous data breaches and testing username and password combinations against targets.
Forkbombus Lab researchers were able to link the malware to a suspected Russia-based hacker, who goes by the pseudonym Links. The researchers analysed 10 C&C (command and control) domain names found inside the RouteX malware source code and were able to connect it to emails that the hacker had used in the past. The Russian hacker is also believed to have authored the Links malware, which infected Ubiquiti Networks devices last year.
"The observed domains and email addresses bring us to a suspect, Dimitry Ustinov, a purported manager with Izhneftemash — a Russian manufacturer of oil & gas tools. However, following these leads fail to reveal any persona of substance, despite the identity being first used a decade ago," Forkbombus Labs researchers said in a report.
"The closest ties between a real world identity and this online persona are two online postings, where Dimitry Ustinov expresses his interest in purchasing five items related to oil and gas drilling. Even then, the related OilForum.ru profile which claims to be an employee of the Izhneftemash company links to an apparently fraudulent company website which is registered by the attacker himself — not the Izhneftemash company or its parent company Rimera Group."
Researchers suggested that the hacker may have previously launched phishing and/or bitsquatting attacks against the Izhneftemash and Rimera Group organisations.
"Unfortunately we cannot reveal the targets of the credential stuffing attacks themselves due to our relationships and position in the investigation," Stu Gorton, chief science officer and head of Research of Forkbombus Labs told Bleeping Computer.
"[But] we have observed victims of the credential stuffing attacks sending cease and desist letters to those who are infected by the RouteX malware. This is largely because the infected devices do not maintain a persistent connection to the C2 infrastructure."
Those using the Netgear WNR2000 router are advised to update their devices to run the latest firmware version.