The malware, known as Ngioweb, was used to power a notorious residential proxy service called NSOCKS, as well as other services such as VN5Socks and Shopsocks5, new findings from Lumen Technologies show.
“At least 80% of the NSOCKS bots in our telemetry originate from the Ngioweb botnet, mostly using small office/home office (SOHO) routers and IoT devices,” according to a report by the Black Lotus Labs team at Lumen Technologies shared with The Hacker News. “Two-thirds of these proxies are in the US.”
“On average, there are about 35,000 bots active daily on the network, of which 40% remain active for a month or longer.”
Ngioweb, first documented by Check Point in August 2018 in connection with the Ramnit trojan, which distributed the malware, has been the subject of extensive scrutiny in recent weeks by LevelBlue and Trend Micro, the latter of which tracks the financially motivated threat actor behind the operation as Water Barghest.
The malware, capable of targeting devices running Microsoft Windows and Linux, takes its name from a command and control (C2) domain that was registered in 2018 under the name “ngioweb(.)su”.
According to Trend Micro, the botnet included more than 20,000 IoT devices as of October 2024. Water Barghest uses automated scripts to find and compromise vulnerable IoT devices and deploy the Ngioweb malware, which registers them as proxies. The infected bots are then put up for sale on the residential proxy market.
“The monetization process, from initial infection to the device being available as a proxy server in the residential proxy market, can take as little as 10 minutes, indicating a highly efficient and automated operation,” said researchers Feike Hacquebord and Fernando Mercês.
The malware’s attack chains exploit an arsenal of vulnerabilities and zero-days to compromise routers and household IoT devices such as cameras, vacuum cleaners, and access control systems, among others. The botnet uses a two-tiered architecture: the first tier is a loader network of 15-20 nodes that directs the bot to a loader C2 node to fetch and run the Ngioweb malware.
A breakdown of residential proxy servers by device type shows botnet operators targeting a wide range of vendors, including NETGEAR, Uniview, Reolink, Zyxel, Comtrend, SmartRG, Linear Emerge, Hikvision, and NUUO.
Recent reports from LevelBlue and Lumen indicate that systems infected with the Ngioweb trojan are being sold as residential proxies for NSOCKS, which has previously been used by threat actors in credential stuffing attacks aimed at Okta.
“NSOCKS sells access to SOCKS5 proxies worldwide, allowing buyers to choose based on location (state, city, or zip code), ISP, speed, type of infected device, and newness,” LevelBlue said. “Prices range from $0.20 to $1.50 for 24-hour access and depend on device type and time since infection.”
Victim devices were also found to establish long-term connections to second-stage C2 domains, which are generated by a domain generation algorithm (DGA). These domains, of which there are about 15 at any given time, act as a “gatekeeper” that determines whether a bot should be added to the proxy network.
If the devices meet the eligibility criteria, the DGA C2 nodes connect them to the reverse connection C2 node, which in turn makes them available for use through the NSOCKS proxy service.
“NSOCKS users route their traffic through more than 180 ‘reverse’ C2 nodes that serve as entry/exit points used to hide or proxy their true identity,” Lumen Technologies said. “The partners behind this service have not only provided their customers with the means to proxy malicious traffic, but the infrastructure has also been designed to allow various threat actors to create their own services.”
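From the defender’s side, the behaviour described above, a bot holding a long-lived outbound session to a backconnect node while relaying customer traffic to many unrelated destinations, is something network flow data can surface. The following is an added example, not code from the Lumen or Trend Micro reports; the LAN range, the flow record layout, the thresholds and the sample flows are all constructed assumptions.

```python
# Added example (not from the Lumen/Trend Micro reports): flag LAN hosts whose
# flow records look like a residential-proxy bot as the article describes it:
# one long-lived outbound session to a single external host (the backconnect
# C2 node) plus short relayed flows fanning out to many unrelated destinations.
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumption: the monitored LAN is 192.168.0.0/16; adjust for your network.
LAN = ip_network("192.168.0.0/16")


def find_proxy_like_hosts(flows, min_session=3600, min_fanout=20):
    """flows: iterable of (src_ip, dst_ip, dst_port, duration_seconds).

    Returns {lan_host: {"backconnect": [long-lived peers], "fanout": n}} for
    hosts that have at least one outbound session >= min_session seconds AND
    short flows to at least min_fanout distinct external destinations.
    """
    long_sessions = defaultdict(set)   # host -> external peers held open
    fanout = defaultdict(set)          # host -> distinct short-flow peers
    for src, dst, _port, duration in flows:
        # Only outbound flows from LAN hosts to external addresses matter here.
        if ip_address(src) not in LAN or ip_address(dst) in LAN:
            continue
        if duration >= min_session:
            long_sessions[src].add(dst)
        else:
            fanout[src].add(dst)
    return {
        host: {"backconnect": sorted(long_sessions[host]), "fanout": len(fanout[host])}
        for host in long_sessions
        if len(fanout[host]) >= min_fanout
    }


def constructed_flows():
    """Constructed sample flows using documentation address ranges."""
    flows = [("192.168.1.50", "203.0.113.10", 443, 36_000)]           # 10 h session
    flows += [("192.168.1.50", f"198.51.100.{i}", 443, 10) for i in range(1, 26)]
    # A laptop on a long VPN session but with almost no fan-out: benign.
    flows += [("192.168.1.20", "203.0.113.11", 443, 40_000)]
    flows += [("192.168.1.20", f"198.51.100.{i}", 443, 5) for i in range(1, 4)]
    # Ordinary browsing: lots of fan-out, no persistent session: benign.
    flows += [("192.168.1.30", f"198.51.100.{i}", 443, 20) for i in range(1, 40)]
    return flows


if __name__ == "__main__":
    for host, info in find_proxy_like_hosts(constructed_flows()).items():
        print(f"{host}: backconnect={info['backconnect']} fanout={info['fanout']}")
```

Only the camera-like host 192.168.1.50 is reported; the two thresholds together are what separate proxy-node behaviour from a VPN client or normal browsing.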
To make matters worse, NSOCKS-based open proxies have also emerged as a way for various actors to launch powerful distributed denial-of-service (DDoS) attacks at scale.
The commercial market for residential proxy services and the underground proxy market are expected to grow in the coming years, driven in part by demand from advanced persistent threat groups (APTs) as well as cybercriminal groups.
“These networks are often used by criminals who find exploits or steal credentials, providing them with a seamless method to deploy malicious tools without revealing their location or identity,” Lumen said.
“What is particularly worrying is how a service like NSOCKS can be used. With NSOCKS, users have the option to choose from 180 different countries for their endpoint. Not only does this capability allow attackers to spread their activities globally, but they can also target specific entities by domain, such as .gov or .edu, which can lead to more targeted and potentially more damaging attacks.”