A botnet is a network of compromised devices, such as computers and IoT devices, infected with malware and controlled by a central entity known as a “bot herder.”
These infected devices are often referred to as “bots,” and they can be used to execute various malicious activities.
Recently, Black Lotus Labs’ researchers discovered a new “Raptor Train” botnet that hacked more than 200,000 devices worldwide.
New Raptor Train Botnet
The “Raptor Train” is a sophisticated Chinese state-sponsored botnet targeting over 200,000 SOHO routers, NVR/DVR devices, NAS servers, and IP cameras since 2020.
Meet the CISOs, Join the Virtual Panel to Learn compliance – Join for free
This multi-tiered network is attributed to the “Flax Typhoon” threat group and was found to utilize a custom “Mirai” variant called “Nosedive” as its primary implant.
The botnet is managed through a three-tier structure and here below, we have mentioned them:-
- Tier 1 consists of compromised devices.
- Tier 2 comprises exploitation, payload, and command and control (C2) servers.
- Tier 3 houses management nodes.
The operators of this botnet use an advanced control system dubbed “Sparrow,” which includes a ‘Node.js’ backend and an Electron-based frontend called “Node Comprehensive Control Tool” (NCCT).
This system enables large-scale exploitation, vulnerability management, remote command execution, and potential distributed denial-of-service (DDoS) capabilities.
Raptor Train has targeted U.S. and Taiwanese entities in critical sectors like the military, government, education, and telecommunications.
While besides this the botnet employs various evasion techniques like memory-only execution and anti-forensics methods which makes it difficult for security researchers to detect.
In June 2023 researchers uncovered that this botnet was at its peak, as it controlled over 60,000 active devices with compromised devices having an average lifespan of 17 days.
The Raptor Train botnet has evolved through four campaigns, “Crossbill,” “Finch,” “Canary,” and “Oriole.”
Besides this, the botnet employs various tactics like ‘encoded alphanumeric subdomains (wsxe.k3121[. ]com),’ ‘multi-stage droppers,’ and ‘in-memory persistence.’
It targets specific devices like the “ActionTec PK5000 modems,” “Hikvision IP cameras,” and “ASUS routers” by exploiting vulnerabilities in Atlassian Confluence servers and Ivanti Connect Secure appliances (CVE-2024-21887).
Raptor Train primarily targets the U.S. and Taiwanese military, government, education, and technology sectors, conducting extensive scanning and exploitation attempts.
While the prominence of the botnet is evident from its inclusion in Cisco Umbrella domain rankings and Cloudflare Radar’s top 1 million domains, which enables it to evade the security measures via “domain whitelisting.”
Recommendations
Here below we have mentioned all the recommendations:-
- Network defenders must watch for large data transfers, even locally.
- Organizations should use SASE or similar for better security.
- SOHO users are recommended to reboot, update routers, and use EDR.
- Equipment users should replace “end-of-life” devices to avoid risks.
Are You From SOC/DFIR Teams? - Try Advanced Malware and Phishing Analysis With ANY.RUN - 14-day free trial