Full Report
The malware known as Ngioweb has been used to fuel a notorious residential proxy service called NSOCKS, as well as by other services such as VN5Socks and Shopsocks5, new findings from Lumen Technologies reveal. "At least 80% of NSOCKS bots in our telemetry originate from the Ngioweb botnet, mainly utilizing small office/home office (SOHO) routers and IoT devices," the Black Lotus Labs team at
Analysis Summary
# Tool/Technique: Ngioweb Botnet
## Overview
Ngioweb is a long-running malware family that has been heavily utilized to establish a massive residential proxy service, primarily known as NSOCKS, but also supporting services like VN5Socks and Shopsocks5. The core purpose of the operation, linked to the financially motivated threat actor Water Barghest, is to infect vulnerable SOHO routers and IoT devices (like cameras, vacuum cleaners, and access controls) and convert them into residential proxies for sale on the cybercriminal underground or for use in subsequent malicious activities.
## Technical Details
- Type: Malware Family (Botnet)
- Platform: Microsoft Windows and Linux (targeting SOHO routers and IoT devices)
- Capabilities: Initial infection, malware deployment, C2 communication, proxy server setup, monetization via proxy sales.
- First Seen: August 2018 (documented in connection with a Ramnit trojan campaign)
## MITRE ATT&CK Mapping
*Note: Specific TTPs were not detailed in the context; the mapping below is inferred from the activities described on this page and should be confirmed against samples.*
- **TA0001 - Initial Access**
- T1190 - Exploit Public-Facing Application (router and IoT device vulnerabilities, including zero-days, used to gain the initial foothold)
- **TA0011 - Command and Control**
- T1071.001 - Application Layer Protocol: Web Protocols (implied for loader and C2 communication)
- T1568.002 - Dynamic Resolution: Domain Generation Algorithms (the DGA-generated gatekeeper C2 domains)
- T1090 - Proxy (infected devices are operated as residential SOCKS5 proxies for customer traffic)
- **TA0003 - Persistence**
- T1053.003 - Scheduled Task/Job: Cron (a plausible persistence mechanism on Linux-based embedded devices; not confirmed by the source)
- **TA0005 - Defense Evasion**
- T1027 - Obfuscated Files or Information (not confirmed by the source; a modular loader does not by itself imply obfuscation, so verify against samples)
## Functionality
### Core Capabilities
- **Infection Vector:** Leverages an arsenal of vulnerabilities and zero-days to breach routers and various household IoT devices.
- **Malware Deployment:** Deploys the Ngioweb malware onto infected devices.
- **Proxy Service Creation:** Registers infected bots as SOCKS5 residential proxies for sale via marketplaces like NSOCKS.
- **Rapid Monetization:** The process from initial infection to proxy availability can take as little as 10 minutes, indicating high automation.
### Advanced Features
- **Staged C2 Architecture:** Bots pass through three sets of infrastructure before they are offered for sale:
1. **Loader Network:** A set of 15-20 nodes that direct infected bots to a loader-C2 node for malware retrieval and execution.
2. **DGA C2 Gatekeeper Stage:** Later-stage C2 domains (around 15 active) generated via a Domain Generation Algorithm (DGA) act as gatekeepers that check whether the bot meets the eligibility criteria for the proxy network.
3. **Backconnect C2 Nodes:** Eligible bots connect to these nodes (over 180 identified), which serve as the entry/exit points for proxied customer traffic.
- **Targeted Vendor Exploitation:** Specifically targets devices from vendors including NETGEAR, Uniview, Reolink, Zyxel, Comtrend, SmartRG, Linear Emerge, Hikvision, and NUUO.
- **Monetization Model:** Proxies are sold based on geography (state, city, ZIP), ISP, speed, device type, and age, typically ranging from $0.20 to $1.50 for 24-hour access.
## Indicators of Compromise
- File Hashes: [Not provided in the context]
- File Names: [Not provided in the context]
- Registry Keys: [Not provided in the context]
- Network Indicators:
- Initial C2: `ngioweb[.]su` (registered in 2018)
- Backconnect C2s: Over 180 nodes used as entry/exit points for NSOCKS traffic.
- Behavioral Indicators:
- The botnet maintains a daily average of ~35,000 active bots.
- Bots hold long-lived outbound connections to backconnect C2 nodes after an initial check-in with DGA-generated gatekeeper domains.
## Associated Threat Actors
- Water Barghest (Financially motivated group tracked by Trend Micro)
- Operators of the NSOCKS, VN5Socks, and Shopsocks5 residential proxy services.
## Detection Methods
- Signature-based detection: [Not specifically detailed, but signature detection for the Ngioweb binary would apply.]
- Behavioral detection: Monitor IoT devices and SOHO routers for long-lived outbound sessions to unfamiliar external hosts (backconnect nodes), lookups of algorithmically generated domains (high-entropy labels, NXDOMAIN bursts), and sudden fan-out to many unrelated Internet destinations, which is the signature of a device acting as a proxy exit.
- YARA rules: [Not provided in the context]
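The following Python script is an added example, not code from Lumen/Black Lotus Labs, Trend Micro or the original page. It applies the behavioral heuristics above to constructed Zeek-style conn and DNS records: a day-long outbound session to an external host on an odd port, destination fan-out typical of a proxy exit, and high-entropy, NXDOMAIN-heavy lookups consistent with a DGA. It goes slightly beyond the bullet by scoring every host on the segment rather than a single known-bad device. The segment address, thresholds, domain names and the RFC 5737 documentation addresses (standing in for Internet hosts) are all assumptions for illustration and are not real Ngioweb infrastructure.

```python
"""Hunt for Ngioweb-style proxy-bot behaviour in flow and DNS telemetry.

Added example; not code from Lumen, Trend Micro or the malware itself.
Record layout mimics Zeek conn.log / dns.log fields; all thresholds,
addresses and domain names below are illustrative assumptions.
"""
import ipaddress
import math
from collections import defaultdict

# The monitored IoT/SOHO segment (assumed). RFC 1918 space counts as internal;
# everything else is treated as external. The RFC 5737 documentation ranges in
# the sample stand in for Internet hosts and are not real C2 or backconnect nodes.
IOT_SEGMENT = ipaddress.ip_network("192.168.50.0/24")
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _conn(src, dst, dport, duration_s, orig_bytes=500, resp_bytes=2000):
    """Build one conn.log-like record (constructed sample data)."""
    return {"src": src, "dst": dst, "dport": dport, "duration": duration_s,
            "orig_bytes": orig_bytes, "resp_bytes": resp_bytes}


# Constructed telemetry: a healthy IP camera (.10) and a compromised router (.21).
CONN_LOG = [
    _conn("192.168.50.10", "192.168.50.1", 53, 0.02, 60, 120),       # local DNS
    _conn("192.168.50.10", "198.51.100.7", 443, 300.0, 4000, 9000),  # vendor cloud
    # Day-long outbound session on an unusual port: backconnect candidate.
    _conn("192.168.50.21", "203.0.113.10", 8443, 86_000.0, 1_800_000, 2_400_000),
] + [  # Fan-out to many unrelated external hosts: proxied customer traffic leaving the bot.
    _conn("192.168.50.21", f"192.0.2.{i}", 443, 8.0) for i in range(1, 15)
]

DNS_LOG = [  # (src, query, rcode_name); the DGA-looking labels are made up for the example
    ("192.168.50.10", "api.vendor-cloud.example", "NOERROR"),
    ("192.168.50.10", "time.vendor-cloud.example", "NOERROR"),
    ("192.168.50.21", "kq3xv7m2p9lz.example", "NXDOMAIN"),
    ("192.168.50.21", "z8wbn4rtq1xe.example", "NXDOMAIN"),
    ("192.168.50.21", "p7mdk2vqs9hy.example", "NXDOMAIN"),
    ("192.168.50.21", "yt4bqx8nrw2k.example", "NOERROR"),
]


def shannon_entropy(label):
    """Bits of entropy per character; random DGA labels score near log2(len)."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def sld_label(fqdn):
    """Return the registrable (second-level) label of a domain name."""
    parts = fqdn.rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def analyse(conn_log, dns_log, long_lived_s=6 * 3600, fanout_min=10,
            entropy_min=3.5, dga_min_queries=3):
    """Return {host: [reasons]} for IoT-segment hosts showing proxy-bot traits."""
    hosts = defaultdict(lambda: {"long_lived": [], "ext_dsts": set(),
                                 "dga_like": 0, "nx": 0, "queries": 0})
    for c in conn_log:
        if ipaddress.ip_address(c["src"]) not in IOT_SEGMENT or not is_external(c["dst"]):
            continue
        h = hosts[c["src"]]
        h["ext_dsts"].add(c["dst"])
        if c["duration"] >= long_lived_s:
            h["long_lived"].append((c["dst"], c["dport"], c["duration"]))
    for src, query, rcode in dns_log:
        if ipaddress.ip_address(src) not in IOT_SEGMENT:
            continue
        h = hosts[src]
        h["queries"] += 1
        h["nx"] += int(rcode == "NXDOMAIN")
        h["dga_like"] += int(shannon_entropy(sld_label(query)) >= entropy_min)

    findings = {}
    for src, h in hosts.items():
        reasons = []
        for dst, port, dur in h["long_lived"]:
            reasons.append(f"{dur / 3600:.1f}h outbound session to {dst}:{port} (backconnect candidate)")
        if len(h["ext_dsts"]) >= fanout_min:
            reasons.append(f"fan-out to {len(h['ext_dsts'])} external hosts (proxy exit pattern)")
        if h["dga_like"] >= dga_min_queries:
            reasons.append(f"{h['dga_like']} high-entropy lookups, {h['nx']}/{h['queries']} NXDOMAIN (DGA pattern)")
        if reasons:
            findings[src] = reasons
    return findings


if __name__ == "__main__":
    for host, reasons in sorted(analyse(CONN_LOG, DNS_LOG).items()):
        print(host)
        for reason in reasons:
            print("  -", reason)
```

Run as-is, the script flags only the router at 192.168.50.21 and prints all three indicators for it; the camera triggers none. In production the thresholds would be tuned per device class (a cloud-backed camera legitimately keeps one long session open, so fan-out and DGA-like lookups carry more weight than session length alone), and the entropy check should be paired with an allowlist of vendor domains to keep CDN hostnames from scoring as DGA traffic.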
## Mitigation Strategies
- **Patch Management:** Regularly update firmware on SOHO routers and IoT devices to address known vulnerabilities that Ngioweb exploits.
- **Network Segmentation:** Isolate IoT devices and SOHO routers from primary corporate or sensitive networks.
- **Firewalling:** Implement egress filtering for IoT and SOHO segments: default-deny outbound traffic except to the local resolver, NTP, and known vendor endpoints, so a compromised device cannot reach loader, gatekeeper, or backconnect nodes or relay proxied traffic to the Internet.
- **Credential Hardening:** Change default credentials on all IoT devices and routers.
## Related Tools/Techniques
- Residential Proxy Services (NSOCKS, VN5Socks, Shopsocks5)
- Ramnit trojan (Associated with early documentation of Ngioweb)
- Tools/techniques used for credential stuffing (as NSOCKS has been used for this purpose).
- Infrastructure used for launching large-scale DDoS attacks.