
Botnet serving as ‘backbone’ of malicious proxy network taken offline 

Lumen Technologies’ Black Lotus Labs took the ngioweb botnet and NSOCKS proxy offline Tuesday.

Whether it’s for espionage purposes or financially motivated cybercrime, proxy services are a common tool in the attacker toolbox. Often used to disguise the true origin or location of malicious activity, proxies can be lucrative for malicious actors, who create them via a botnet and sell access in order for others to run their schemes, which can range from malware delivery to data theft to distributed denial of service (DDoS) attacks. 

While it can be difficult for defenders to get a handle on these networks, it’s not impossible. Security experts at Lumen Technologies’ Black Lotus Labs, the cybersecurity firm Spur and the Shadowserver Foundation took down the long-running “ngioweb” botnet Tuesday; the botnet served as a backbone for several malicious proxy services. Additionally, researchers at Black Lotus Labs chronicled how threat actors have co-opted various proxy services built on the botnet not only to obfuscate malicious traffic, but to conduct a whole host of cybercrimes. 

“Though this enterprise was built to offer criminals an avenue to proxy their traffic, users have abused and altered the network into its present state — one which directly supports many other forms of malicious activity such as obfuscating malware traffic, credential stuffing, and phishing,” researchers wrote in the blog. “Botnets such as these present a concerning and persistent threat to legitimate organizations across the internet.” 

The research conducted by the telecom company is particularly focused on the relationship between ngioweb and the criminal proxy service NSOCKS. First discovered in 2017, the ngioweb botnet consists heavily of small office/home office (SOHO) routers and Internet of Things (IoT) devices, which have been co-opted into the botnet via what researchers categorize as a “substantial number” of router-focused vulnerabilities. Researchers found that 80% of the NSOCKS bots, a pool of 35,000 machines in 180 countries, originate from the ngioweb botnet.


Further research by Black Lotus Labs uncovered how threat actors are using NSOCKS: The proxies, which can be obtained through a rudimentary Google search and a cryptocurrency payment, can be focused on specific targets, like government (.gov) or educational (.edu) websites. Additionally, the way NSOCKS is set up allows attackers to easily plan and coordinate DDoS attacks.

“Proxy botnets are becoming increasingly popular and, consequently, more dangerous,” the blog states. “These networks are often leveraged by criminals who find exploits or steal credentials, providing them with a seamless method to deploy malicious tools without revealing their location or identities.”

Both financially motivated and nation-state threat actors have been tied to the ngioweb botnet and NSOCKS proxies. Palo Alto Networks’ Unit 42 research team linked Muddled Libra, a group related to Scattered Spider, to NSOCKS use in March. Trend Micro found that Pawn Storm (APT28), a group with ties to Russia’s Main Intelligence Directorate (GRU), uses the same devices as those co-opted into the ngioweb botnet. 

“This means that many devices infected with ngioweb malware are likely being abused by multiple groups simultaneously,” the blog states. 

While botnets like these are sure to surface again in the future, Black Lotus Labs says both corporate security teams and individual users can take action to keep their machines from being co-opted into malicious activity. Corporate network defenders should be aware of attacks on weak passwords and watch for suspicious logins from residential IPs, which can bypass some security measures. Individuals using SOHO routers should regularly reboot devices, install security updates, and replace routers that are no longer supported.
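One way a corporate defender could act on the advice above, watching for credential-stuffing bursts and for successful logins arriving from known residential-proxy egress ranges, is sketched below. This is an added example, not code from Black Lotus Labs or the article; the log line format, the sample lines and the proxy address range are constructed placeholders that a real deployment would replace with its own log schema and threat-intelligence feed.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample auth log lines (not from the article); the format is assumed.
SAMPLE_LOG = """\
2024-11-19T10:00:01Z auth FAIL user=alice src=203.0.113.10
2024-11-19T10:00:02Z auth FAIL user=bob src=203.0.113.10
2024-11-19T10:00:03Z auth FAIL user=carol src=203.0.113.10
2024-11-19T10:00:04Z auth OK user=dave src=203.0.113.10
2024-11-19T10:05:00Z auth OK user=erin src=198.51.100.7
2024-11-19T10:06:00Z auth OK user=frank src=192.0.2.44
"""

# Constructed placeholder: ranges a threat-intel feed tags as residential proxy
# egress (e.g. NSOCKS exit nodes). A real feed would supply these.
PROXY_RANGES = [ipaddress.ip_network("198.51.100.0/24")]

LINE_RE = re.compile(
    r"^\S+ auth (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

def is_residential_proxy(ip: str) -> bool:
    """True when the source address falls inside a flagged proxy range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PROXY_RANGES)

def detect(log_text: str, spray_threshold: int = 3):
    """Return alerts for (a) a successful login from a flagged proxy range and
    (b) a success that follows failures for several distinct usernames from the
    same source, the classic credential-stuffing pattern."""
    alerts = []
    failed_users = defaultdict(set)  # src -> distinct usernames that failed
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed schema
        result, user, src = m["result"], m["user"], m["src"]
        if result == "FAIL":
            failed_users[src].add(user)
            continue
        if is_residential_proxy(src):
            alerts.append(("proxy_login", src, user))
        if len(failed_users[src]) >= spray_threshold:
            alerts.append(("stuffing_success", src, user))
        failed_users[src].clear()  # a success ends the burst window
    return alerts
```

Running `detect(SAMPLE_LOG)` flags the login for `dave` (three other usernames failed from the same source first) and the login for `erin` (source inside the flagged range), while `frank` raises nothing.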


Written by Greg Otto

Greg Otto is Editor-in-Chief of CyberScoop, overseeing all editorial content for the website. Greg has led cybersecurity coverage that has won various awards, including accolades from the Society of Professional Journalists and the American Society of Business Publication Editors. Prior to joining Scoop News Group, Greg worked for the Washington Business Journal, U.S. News & World Report and WTOP Radio. He has a degree in broadcast journalism from Temple University.
