Cybersecurity researchers have discovered a never-before-seen botnet consisting of an army of small office/home office (SOHO) and IoT devices likely operated by a Chinese state-sponsored threat actor called Flax Typhoon (aka Ethereal Panda or RedJuliett).
The sophisticated botnet, dubbed Raptor Train by Lumen's Black Lotus Labs, is believed to have been active since at least May 2020, peaking at 60,000 actively compromised devices in June 2023.
"Since then, there have been over 200,000 SOHO routers, NVR/DVR devices, network attached storage (NAS) servers and IP cameras, all of which have been included in the Raptor Train botnet, making it one of the largest Chinese state-sponsored IoT botnets discovered to date," the cybersecurity company said in an 81-page report shared with The Hacker News.
The infrastructure powering the botnet is estimated to have hijacked hundreds of thousands of devices since its inception, with the network operating on a three-tiered architecture consisting of the following:
- Tier 1: Hacked SOHO/IoT devices
- Tier 2: Operations Servers, Payload Servers, and Command and Control Servers (C2)
- Tier 3: Centralized management nodes and an Electron cross-platform application interface called Sparrow (aka Node Comprehensive Control Tool or NCCT)
The way it works is that bot tasks are initiated from Tier 3 "Sparrow" management nodes, routed through the appropriate Tier 2 C2 servers, and then dispatched to the Tier 1 bots themselves, which make up the bulk of the botnet.
Some of the target devices include routers, IP cameras, DVRs and NAS from various manufacturers such as ActionTec, ASUS, DrayTek, Fujitsu, Hikvision, Mikrotik, Mobotix, Panasonic, QNAP, Ruckus Wireless, Shenzhen TVT, Synology, Tenda, TOTOLINK, TP-LINK and Zyxel.
The majority of Tier 1 nodes were located in the United States, Taiwan, Vietnam, Brazil, Hong Kong, and Turkey. Each of these nodes has an average lifetime of 17.44 days, indicating the threat actor’s ability to re-infect devices at will.
"In most cases, the operators did not build in a persistence mechanism that survives a reboot," Lumen noted.
"The confidence in the ability to re-infect devices comes from the combination of the wide range of exploits available for a wide range of vulnerable SOHO and IoT devices and the sheer number of vulnerable devices on the Internet, which gives Raptor Train some 'inherent' persistence."
Nodes are infected with an in-memory implant tracked as Nosedive, a custom variant of the Mirai botnet that is delivered via Tier 2 payload servers expressly built for this purpose. The ELF binary provides capabilities for executing commands, uploading and downloading files, and orchestrating DDoS attacks.
Tier 2 nodes, on the other hand, rotate approximately every 75 days and are mostly located in the US, Singapore, UK, Japan, and South Korea. The number of C2 nodes increased from approximately 1-5 between 2020 and 2022 to at least 60 between June 2024 and August 2024.
These nodes are flexible in that they also act as exploitation servers to co-opt new devices into the botnet, payload servers, and even facilitate target reconnaissance.
At least four different campaigns have been linked to the ever-evolving Raptor Train botnet since mid-2020, each with different root domains and target devices –
- Crossbill (May 2020 to April 2022) – used the C2 root domain k3121.com and associated subdomains
- Finch (July 2022 to June 2023) – used the C2 root domain b2047.com and related C2 subdomains
- Canary (May 2023 to August 2023) – used the C2 root domain b2047.com and related C2 subdomains, with multi-stage droppers
- Oriole (June 2023 to September 2024) – used the C2 root domain w8510.com and related C2 subdomains
Canary, which has largely targeted ActionTec PK5000 modems, Hikvision IP cameras, Shenzhen TVT DVRs and ASUS routers, is notable for using its own multi-stage infection chain to download a first-stage bash script that connects to the Tier 2 payload server to retrieve Nosedive and a second-stage bash script.
The second-stage bash script in turn tries to download and execute a third-stage bash script from the payload server every 60 minutes.
"In fact, the w8510.com C2 domain for (Oriole) became so prominent among compromised IoT devices that it was included in the Cisco Umbrella domain rankings until June 3, 2024," Lumen said.
"It was also listed in Cloudflare Radar's top 1 million domains until at least August 7, 2024. This is worrisome because domains on these popularity lists often bypass security measures through domain whitelisting, allowing them to grow and maintain access and subsequently avoid detection."
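The allowlisting gap described above can be made concrete with a small detection routine. This is an added example, not code from the article or from Lumen: it matches DNS query logs against the three C2 root domains the article names, and shows that a popularity-based allowlist applied before the threat-intel match silently drops the w8510.com hits. The log lines and allowlist contents are constructed.

```python
import re
from typing import Optional

# Raptor Train C2 root domains named in the article (Crossbill, Finch/Canary, Oriole).
RAPTOR_TRAIN_C2_ROOTS = {"k3121.com", "b2047.com", "w8510.com"}

# Constructed stand-in for a popularity-derived allowlist. The article notes that
# w8510.com reached such rankings, so a naive allowlist would contain it.
POPULARITY_ALLOWLIST = {"w8510.com", "example.com"}

# Constructed sample DNS query log: timestamp, client IP, query type, query name.
SAMPLE_DNS_LOG = """\
2024-08-01T10:00:01Z 192.0.2.10 A update.example.com
2024-08-01T10:00:04Z 192.0.2.23 A c2-node.w8510.com
2024-08-01T10:00:09Z 192.0.2.23 A payload.b2047.com
2024-08-01T10:00:12Z 192.0.2.31 A notw8510.com
2024-08-01T10:00:15Z 192.0.2.31 A k3121.com
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def matching_root(qname: str, roots: set) -> Optional[str]:
    """Return the C2 root if qname equals it or is a subdomain of it.
    Matching on a label boundary keeps 'notw8510.com' from matching 'w8510.com'."""
    q = qname.rstrip(".").lower()
    for root in roots:
        if q == root or q.endswith("." + root):
            return root
    return None


def scan_dns_log(log: str, allowlist=POPULARITY_ALLOWLIST, honor_allowlist=False):
    """Return alerts as (timestamp, client, qname, root) tuples.
    With honor_allowlist=False the threat-intel match wins even for allowlisted
    roots; honor_allowlist=True reproduces the gap the article warns about."""
    alerts = []
    for line in log.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the scan
        ts, client, _qtype, qname = m.groups()
        root = matching_root(qname, RAPTOR_TRAIN_C2_ROOTS)
        if root is None:
            continue
        if honor_allowlist and root in allowlist:
            continue  # allowlisted C2 root: hit is suppressed
        alerts.append((ts, client, qname, root))
    return alerts
```

Run over the constructed log, the default mode reports three hits while the allowlist-first mode drops the w8510.com hit entirely.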
No DDoS attacks originating from the botnet have been identified to date, although evidence suggests it has been weaponized to target US and Taiwanese organizations in the military, government, higher education, telecommunications, defense industrial base (DIB) and information technology (IT) sectors.
Moreover, the bots involved in Raptor Train likely enabled possible exploitation attempts against Atlassian Confluence servers and Ivanti Connect Secure (ICS) appliances in the same verticals, indicating extensive scanning.
The links to Flax Typhoon – a hacking crew with a track record of targeting entities in Taiwan, Southeast Asia, North America, and Africa – stem from overlaps in its victimology footprint, use of the Chinese language, and other tactical similarities.
“It’s a robust, enterprise-grade management system used to manage more than 60 C2 servers and their infected nodes at any given time,” Lumen said.
"This service provides a full suite of capabilities, including scalable bot exploitation, vulnerability and exploit management, remote C2 infrastructure management, file uploads and downloads, remote command execution, and the ability to tailor IoT-based distributed denial-of-service (DDoS) attacks at scale."