Full Report
Executive Summary
Along with the Department of Justice and the Dutch National Police, Lumen’s Black Lotus Labs team has tracked a criminal proxy network for over a year as it infected thousands of IoT and end-of-life (EoL) devices, powering a […] The post Classic Rock: Hunting a Botnet that preys on the Old appeared first on Lumen Blog.
Analysis Summary
# Tool/Technique: Criminal Proxy Network (Infected IoT/EoL Botnet)
## Overview
A criminal proxy network, tracked for over a year, that runs on a botnet of thousands of compromised Internet of Things (IoT) and end-of-life (EoL) devices. Its purpose is to give malicious actors anonymity for illicit online activities such as ad fraud, DDoS attacks, brute forcing, and exploiting victim data. The service takes cryptocurrency payments and lets users connect directly to the proxies without authentication.
## Technical Details
- Type: Botnet / Proxy Service Infrastructure
- Platform: Primarily targets and infects IoT and SOHO (Small Office/Home Office) devices, leveraging residential IP space.
- Capabilities: Provides anonymized SOCKS proxies, blending malicious traffic with legitimate residential traffic. Long operational lifespan (claimed since 2004).
- First Seen: Service claimed to be operational since 2004; tracking by Lumen Black Lotus Labs formalized over the last year.
## MITRE ATT&CK Mapping
This infrastructure primarily supports the *Command and Control* and *Collection* phases, and facilitates many subsequent adversary techniques.
- **TA0011 - Command and Control**
  - T1071 - Application Layer Protocol
  - T1105 - Ingress Tool Transfer (implied, as an entry point for malware download)
- **TA0001 - Initial Access**
  - T1190 - Exploit Public-Facing Application (used against vulnerable/unpatched devices by the malware deploying the proxy client)
## Functionality
### Core Capabilities
- **Proxy Service:** Offers connections through infected residential IP addresses, facilitating anonymity.
- **Non-Authentication Access:** Users can connect directly to proxies without requiring authentication.
- **Target Selection:** Focuses on easily exploitable, unpatched, or End-of-Life (EoL) devices, often in the residential IP space.
- **Payment Model:** Requires cryptocurrency for access to their proxy services.
### Advanced Features
- **Traffic Blending:** Routes malicious traffic through legitimate residential connections, so that only about 10% of proxy IPs are flagged as malicious on VirusTotal.
- **Longevity:** Has kept a low profile since 2004 by targeting older hardware rather than relying on zero-day or one-day vulnerabilities.
- **High Anonymity:** Provides high quality, stable connections that complicate tracking and mitigation efforts for defenders.
## Indicators of Compromise
*Note: Specific hashes, file names, and exact C2 addresses are often proprietary or withheld in public summaries to prevent re-exploitation, as noted by the researchers.*
- File Hashes: [Not publicly disclosed by researchers to avoid reuse]
- File Names: [Not publicly disclosed by researchers to avoid reuse]
- Registry Keys: [Not mentioned]
- Network Indicators: Command-and-Control (C2) infrastructure was located in **Turkey (Türkiye)**. Weekly average of ~1,000 unique bots communicating with C2.
- Behavioral Indicators: Communication from IoT/SOHO devices utilizing residential IPs to the known C2 structure. Evidence of connection attempts often involving brute forcing or password spraying against protected assets.
## Associated Threat Actors
The controllers/administrators of the botnet were identified as international actors, with law enforcement action involving Russian and Kazakhstani administrators. The service is used by a broad spectrum of malicious actors seeking anonymity.
## Detection Methods
- Signature-based detection: Low success rate; only about 10% of proxies detected as malicious on VirusTotal.
- Behavioral detection: Monitoring for suspicious login attempts (brute force/spraying) originating from residential IP addresses that bypass typical geofencing.
- YARA rules: [Not mentioned, but infrastructure-specific rules could be developed based on network forensics].
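As an added example (not code from the Lumen report), the following implements the behavioral detection described above over constructed auth-log lines: it keeps only failed logins from residential address space and flags both a single residential IP spraying many accounts and one account hit from many residential IPs, the spread-out pattern a proxy pool produces to stay under per-IP lockout thresholds. The log format, the residential prefixes and the thresholds are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed residential prefixes standing in for an ISP / residential-IP feed
# (assumption: a real deployment loads these from a proxy-IP or ISP data source).
RESIDENTIAL_PREFIXES = [ipaddress.ip_network("198.51.100.0/24"),
                        ipaddress.ip_network("203.0.113.0/24")]

# Hypothetical auth-log line: "<timestamp> auth FAIL|OK user=<name> src=<ip>"
LOG_RE = re.compile(r"^(?P<ts>\S+) auth (?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)$")

def is_residential(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RESIDENTIAL_PREFIXES)

def parse(lines):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            yield m.groupdict()

def detect(lines, min_users=3, min_sources=3):
    """Return (sprayers, targeted) for failed logins from residential address space.
    sprayers: residential IPs that failed against >= min_users accounts (spraying from one bot).
    targeted: accounts that failed from >= min_sources residential IPs (attack spread across the
              proxy pool, so each IP stays under simple per-IP lockout thresholds)."""
    users_by_ip = defaultdict(set)
    ips_by_user = defaultdict(set)
    for e in parse(lines):
        if e["result"] != "FAIL" or not is_residential(e["src"]):
            continue
        users_by_ip[e["src"]].add(e["user"])
        ips_by_user[e["user"]].add(e["src"])
    sprayers = sorted(ip for ip, users in users_by_ip.items() if len(users) >= min_users)
    targeted = sorted(u for u, ips in ips_by_user.items() if len(ips) >= min_sources)
    return sprayers, targeted

# Constructed sample log: one spraying bot, a distributed attack on "admin", and benign noise.
SAMPLE_LOG = [
    "2024-01-01T00:00:01Z auth FAIL user=alice src=198.51.100.7",
    "2024-01-01T00:00:02Z auth FAIL user=bob src=198.51.100.7",
    "2024-01-01T00:00:03Z auth FAIL user=carol src=198.51.100.7",
    "2024-01-01T00:00:04Z auth FAIL user=admin src=203.0.113.4",
    "2024-01-01T00:00:05Z auth FAIL user=admin src=203.0.113.9",
    "2024-01-01T00:00:06Z auth FAIL user=admin src=198.51.100.22",
    "2024-01-01T00:00:07Z auth OK user=dave src=198.51.100.30",
    "2024-01-01T00:00:08Z auth FAIL user=erin src=192.0.2.5",  # non-residential: out of scope here
]
```

Calling `detect(SAMPLE_LOG)` returns the spraying bot and the account under distributed attack; tune the thresholds and the time window to the login volume of the asset being protected.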
## Mitigation Strategies
- **Corporate Network Defenders:**
  - Monitor and block suspicious login attempts originating from residential IPs.
  - Protect cloud assets by blocking communications from known proxy IP addresses using Web Application Firewalls (WAFs).
  - Implement sophisticated network perimeter countermeasures to stop interaction with known open proxies (e.g., Lumen Defender).
- **Consumers/SOHO Owners:**
  - Regularly reboot routers.
  - Ensure routers are not End-of-Life (EoL) and install all security updates/patches.
  - Never rely on default passwords for router management interfaces.
  - Secure management interfaces; ensure they are not accessible from the public internet.
  - Replace devices immediately upon reaching manufacturer EoL.
## Related Tools/Techniques
- NSOCKS Botnet
- Faceless Proxy Service
- CloudRouter
- Proxy.AM
- Exploitation of vulnerabilities in aging/unpatched IoT/SOHO equipment.