Summary:
The Black Lotus Labs team at Lumen Technologies has uncovered the architecture of the ngioweb botnet, a significant component of the NSOCKS criminal proxy service. This botnet, primarily utilizing compromised SOHO routers and IoT devices, has been linked to various malicious activities, including DDoS attacks. Lumen has blocked traffic associated with this botnet and is releasing indicators of compromise (IoCs) to aid in defensive measures against this cyber threat.
Keypoints:
- The ngioweb botnet is a major source of the NSOCKS proxy service, with 80% of its bots originating from this network.
- NSOCKS maintains over 35,000 bots across 180 countries, primarily in the U.S.
- Command-and-control (C2) nodes have been traced, revealing previously undiscovered infrastructure.
- The botnet exploits vulnerabilities in SOHO routers and IoT devices, with many devices being older and less secure.
- NSOCKS has been linked to various criminal activities, including credential stuffing and phishing.
- Lumen Technologies has taken steps to block traffic related to the ngioweb botnet.
- Collaboration with partners in the industry has been crucial in tracking and mitigating this threat.
MITRE Techniques
- Command and Control (T1071): Utilizes multiple command and control domains to maintain communication with compromised systems.
- Exploitation of Public-Facing Application (T1190): Exploits vulnerabilities in public-facing applications to gain initial access.
- Credential Dumping (T1003): Collects account credentials from compromised systems.
- Distributed Denial of Service (DDoS) (T1498): Launches DDoS attacks using compromised systems.
IoC:
- [IP Address] 79.141.162[.]154
- [IP Address] 103.172.92[.]148
- [IP Address] 66.29.128[.]243
- [IP Address] 103.172.92[.]148
- [Domain] remalaxation[.]name
- [Domain] dnslookips[.]com
- [Domain] ipscoredns[.]com
- [Domain] nslookups[.]com
- [File Name] test.zip
Full Research: https://blog.lumen.com/one-sock-fits-all-the-use-and-abuse-of-the-nsocks-botnet/