RouteX is a Russian-owned botnet named after the malware used to infect Netgear routers and turn them into SOCKS proxies used to conduct credential stuffing attacks. The malware that powers this botnet exploits CVE-2017-10176 to infect Netgear WNR2000 series routers. Once RouteX is installed on the routers, it adds iptable rules to protect the already-infected device from further compromise by other hackers or malware. It also restricts access to a few IP addresses, most likely those within the original hacker's control. The routers are then used as proxies to conduct credential stuffing attacks, rotating through IP addresses to prevent being banned by brute-force protection systems. Reportedly, Fortune 500 companies have primarily been the targets of these attacks.

Reporting and Technical Details:

  • Bleeping Computer provides more information about RouteX here.
  • Forkbombus Labs provides a technical analysis of the malware that powers this botnet here.