Threat Research

Ngioweb Stays Active After 7 Years

Securonix

Summary:

The Ngioweb proxy server botnet remains a significant threat seven years after its inception, with minimal changes to its original code. Threat actors exploit vulnerable devices to create residential proxies, which are then sold on the black market. The botnet has expanded its reach, targeting various IoT devices and routers, while maintaining a robust command and control infrastructure.

Keypoints:

  • Ngioweb continues to thrive with little modification since its first appearance.
  • Threat actors actively scan for vulnerable devices to turn them into proxies.
  • Nsocks offers 30,000 IPs globally for under $1.50 for 24 hours of access.
  • Over 75% of infected users are residential ISP users.
  • Linear eMerge, Zyxel routers, and Neato vacuums are among the most targeted devices.
  • The botnet has grown exponentially, from 3,000 daily IPs in 2020 to nearly 30,000 in 2024.
  • Dedicated scanners are used to exploit specific vulnerabilities without exposing the entire arsenal.

    • MITRE Techniques

  • Initial Access (T1189): Drive-by Compromise.
  • Initial Access (T1190): Exploit Public-Facing Application.
  • Persistence (T1543): Create or Modify System Process.
  • Persistence (T1543.001): Launch Agent.
  • Defense Evasion (T1140): Deobfuscate/Decode Files or Information.
  • Defense Evasion (T1497): Virtualization/Sandbox Evasion.
  • Defense Evasion (T1497.001): System Checks.
  • Defense Evasion (T1222): File and Directory Permissions Modification.
  • Defense Evasion (T1222.002): Linux and Mac File and Directory Permissions Modification.
  • Defense Evasion (T1562): Impair Defenses.
  • Defense Evasion (T1562.001): Disable or Modify Tools.
  • Discovery (T1082): System Information Discovery.
  • Command and Control (T1090): Proxy.
  • Impact (T1496): Resource Hijacking.

    • IoC:

  • [domain] misukumotist[.]info
  • [domain] exagenafy[.]com
  • [domain] prenurevaty[.]info
  • [domain] monobimefist[.]com
  • [domain] Remalexation[.]name
  • [ip address] 141.98.82[.]229
  • [ip address] 91.227.77[.]217
  • [ip address] 154.7.253[.]113
  • [ip address] 216.107.139[.]52
  • [file hash] be285b77211d1a33b7ae1665623a9526f58219e20a685b6548bc2d8e857b6b44

    • Full Research: https://levelblue.com/blogs/labs-research/ngioweb-remains-active-7-years-later

    Tags: PROXY, BOTNET, IOT, DEFENSE EVASION, LINUX, full, EXPLOIT, PERSISTENCE