Latest “Raptor Train” IoT Botnet Compromises More Than 200,000 Devices Globally
A group of cybersecurity experts has unearthed an unprecedented botnet composed of a multitude of small office/home office (SOHO) and IoT gadgets that are likely overseen by a Chinese state-linked hacking group known as Flax Typhoon (also referred to as Ethereal Panda or RedJuliett).
Named Raptor Train by Lumen’s Black Lotus Labs, this sophisticated botnet is believed to have been active since at least May 2020, reaching a peak of 60,000 actively compromised devices by June 2023.
“More than 200,000 SOHO routers, NVR/DVR devices, network attached storage (NAS) servers, and IP cameras have been roped into the Raptor Train botnet over time, making it one of the largest Chinese state-backed IoT botnets identified so far,” as stated in an 81-page report by the cybersecurity firm, which they shared with The Hacker News.
The architecture supporting the botnet is thought to have captured hundreds of thousands of devices since its establishment, with the network being fuelled by a three-tiered structure consisting of the following:
- Tier 1: Compromised SOHO/IoT devices
- Tier 2: Servers for exploitation, payload delivery, and command-and-control (C2)
- Tier 3: Centralized management nodes along with a cross-platform Electron application front-end known as Sparrow (also recognized as Node Comprehensive Control Tool, or NCCT)
The operational flow starts with bot tasks issued from the Tier 3 “Sparrow” management nodes, which are relayed through the relevant Tier 2 C2 servers and finally delivered to the Tier 1 bots, which make up the bulk of the botnet.
The affected devices include routers, IP cameras, DVRs, and NAS systems from diverse manufacturers such as ActionTec, ASUS, DrayTek, Fujitsu, Hikvision, Mikrotik, Mobotix, Panasonic, QNAP, Ruckus Wireless, Shenzhen TVT, Synology, Tenda, TOTOLINK, TP-LINK, and Zyxel.
The majority of Tier 1 nodes have been traced back to locations in the U.S., Taiwan, Vietnam, Brazil, Hong Kong, and Turkey. On average, each node has a lifespan of 17.44 days, indicating the threat actor’s capability to re-infect devices at will.
Lumen pointed out, “In most scenarios, the operators did not embed a persistence mechanism that survives a reboot.”
“The confidence in re-exploitability stems from the amalgamation of a wide array of exploits for numerous vulnerable SOHO and IoT devices and a large number of vulnerable devices on the Internet, providing Raptor Train with a sort of ‘innate’ persistence.”
The nodes are infected with an in-memory tool identified as Nosedive, a custom version of the Mirai botnet, through Tier 2 payload servers specifically set up for this purpose. The ELF binary comes with functionalities to run commands, upload and download files, and launch DDoS attacks.
By contrast, Tier 2 nodes are rotated approximately every 75 days and are predominantly located in the U.S., Singapore, the U.K., Japan, and South Korea. The count of C2 nodes skyrocketed from around 1-5 between 2020 and 2022 to a minimum of 60 between June 2024 and August 2024.
These nodes are adaptable in their roles, serving as exploitation servers to enlist new devices into the botnet, handling payload delivery, and even aiding in reconnaissance of targeted entities.
At least four distinct campaigns have been associated with the continually evolving Raptor Train botnet since mid-2020, each characterized by the root domains utilized and the devices targeted:
- Crossbill (from May 2020 to April 2022) – employed the C2 root domain k3121.com and its subdomains
- Finch (from July 2022 to June 2023) – exploited the C2 root domain b2047.com along with associated C2 subdomains
- Canary (from May 2023 to August 2023) – utilized the C2 root domain b2047.com and its C2 subdomains, while employing multi-stage droppers
- Oriole (from June 2023 to September 2024) – used the C2 root domain w8510.com and associated C2 subdomains
The Canary campaign, which heavily targeted ActionTec PK5000 modems, Hikvision IP cameras, Shenzhen TVT NVRs, and ASUS routers, is remarkable for employing a multi-layered infection chain: a first-stage script downloads further bash scripts, which in turn connect to a Tier 2 payload server to retrieve Nosedive and additional bash scripts.
The final bash script then attempts to download and execute further bash scripts from the payload server every hour.

“Interestingly, the w8510.com C2 domain for the Oriole campaign gained considerable prominence among compromised IoT devices, becoming part of the Cisco Umbrella domain rankings by June 3, 2024,” noted Lumen.
“By at least August 7, 2024, it was also listed among Cloudflare Radar’s top 1 million domains. This is worrisome as domains in these popular lists often bypass security tools due to domain whitelisting, allowing them to expand, maintain access, and evade detection more effectively.”
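The practical consequence of the allowlisting problem described above is that a detection rule which suppresses queries to top-1M domains will miss the Oriole C2 domain entirely. The following is an added example, not part of the original article or of Lumen’s tooling: it scans DNS resolver log lines for queries to the campaign root domains named in the article (k3121.com, b2047.com, w8510.com) and any of their subdomains, and shows the difference between matching threat intelligence before and after a popularity-list allowlist is applied. The log line format, the client addresses and the contents of the allowlist are constructed for the example.

```python
import re

# Campaign root domains as named in the article; the campaign labels are the article's.
RAPTOR_TRAIN_ROOTS = {
    "k3121.com": "Crossbill",
    "b2047.com": "Finch/Canary",
    "w8510.com": "Oriole",
}

# Constructed resolver log: "<timestamp> <client> <qtype> <qname>" (format is an assumption).
SAMPLE_DNS_LOG = """\
2024-08-07T10:01:02Z 192.168.1.23 A cdn.example.com
2024-08-07T10:01:05Z 192.168.1.40 A update.w8510.com
2024-08-07T10:01:09Z 192.168.1.23 A b2047.com
2024-08-07T10:02:11Z 192.168.1.77 A notw8510.com
2024-08-07T10:03:00Z 192.168.1.40 A www.example.org
"""

# Constructed stand-in for a "top 1 million" popularity list. As the article notes,
# w8510.com had entered such lists by August 2024, so it is included here.
CONSTRUCTED_TOP_1M = {"example.com", "example.org", "w8510.com"}

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qtype>\S+)\s+(?P<qname>\S+)$")


def matching_root(qname):
    """Return the campaign root that qname equals or is a subdomain of, else None.

    The leading-dot check avoids false positives such as 'notw8510.com'.
    """
    name = qname.lower().rstrip(".")
    for root in RAPTOR_TRAIN_ROOTS:
        if name == root or name.endswith("." + root):
            return root
    return None


def registrable_domain(qname):
    """Simplified registrable domain: the last two labels (no public-suffix handling)."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def scan(log_text, allowlist, skip_allowlisted):
    """Return (client, qname, campaign) for every query that hits a campaign root.

    With skip_allowlisted=True the function mimics a pipeline that drops queries to
    allowlisted popular domains *before* threat-intel matching, which is the failure
    mode the article warns about.
    """
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not fit the assumed format
        qname = m["qname"]
        if skip_allowlisted and registrable_domain(qname) in allowlist:
            continue
        root = matching_root(qname)
        if root is not None:
            hits.append((m["client"], qname, RAPTOR_TRAIN_ROOTS[root]))
    return hits


if __name__ == "__main__":
    print("threat intel first:", scan(SAMPLE_DNS_LOG, CONSTRUCTED_TOP_1M, skip_allowlisted=False))
    print("allowlist first:   ", scan(SAMPLE_DNS_LOG, CONSTRUCTED_TOP_1M, skip_allowlisted=True))
```

The design point is ordering: threat-intelligence matches on indicator domains should be evaluated before any popularity-based suppression, and a match should override the allowlist rather than the other way round. The registrable-domain helper is deliberately naive; a production pipeline would use a public-suffix list so that names under multi-label suffixes are handled correctly.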
To date, no DDoS attacks originating from the botnet have been detected, but there is evidence that it has been weaponized to target entities in the U.S. and Taiwan across military, governmental, higher education, telecommunications, defense industrial, and IT sectors.
Furthermore, bots intertwined within Raptor Train have likely made exploitation attempts against Atlassian Confluence servers and Ivanti Connect Secure (ICS) appliances within the same sectors, pointing towards extensive scanning endeavors.
The associations with Flax Typhoon – a cybercriminal gang known for targeting entities in Taiwan, Southeast Asia, North America, and Africa – arise from overlaps in target demographics, use of the Chinese language, and other tactical resemblances.
Of the Tier 3 Sparrow management tool, Lumen said: “This is a robust, enterprise-grade control system employed to oversee over 60 C2 servers and their infected nodes simultaneously.”
“This service facilitates a range of activities such as scalable bot exploitation, management of vulnerabilities and exploits, remote management of C2 infrastructure, file transfer capabilities, remote command execution, and the ability to orchestrate IoT-based distributed denial of service (DDoS) attacks on a large scale.”