# Executive Summary
The Black Lotus Labs team at Lumen Technologies has expanded the known architecture of the "ngioweb" botnet, its use as a cornerstone of the notorious criminal proxy service known as NSOCKS, and appropriation by others such as VN5Socks […]

Source: "One Sock Fits All: The use and abuse of the NSOCKS botnet", Lumen Blog.

# Analysis Summary
# Tool/Technique: ngioweb Botnet
## Overview
The ngioweb botnet is a long-standing infrastructure utilized primarily to power the criminal proxy service known as NSOCKS (and variants like VN5Socks and Shopsocks5). It infects Small Office/Home Office (SOHO) routers and IoT devices, providing a means for malicious actors to proxy traffic, obfuscate malware communications, conduct credential stuffing, and launch DDoS attacks.
## Technical Details
- Type: Malware family/Botnet
- Platform: Likely Linux-based systems, particularly SOHO routers and IoT devices.
- Capabilities: Establishing a persistent infection, retrieving subsequent malware stages, acting as a proxy/backconnect node, and enabling command and control for other criminal activities.
- First Seen: Documented since at least 2018, with current activity continuing.
## MITRE ATT&CK Mapping
The observed activities primarily map to the Command and Control, Defense Evasion and Initial Access tactics:
- **TA0011 - Command and Control**
  - T1071 - Application Layer Protocol
    - T1071.001 - Web Protocols (implied via C2 over port 80)
  - T1105 - Ingress Tool Transfer
- **TA0005 - Defense Evasion**
  - T1027 - Obfuscated Files or Information (implied via renaming files)
- **TA0001 - Initial Access**
  - T1190 - Exploit Public-Facing Application (implied initial vector via exploits)
## Functionality
### Core Capabilities
- **Infection Chain:** An initial exploit delivers a shell script (loader) which fetches the main ngioweb malware from a "loader-C2" node (e.g., the file named "AIDY" retrieved from `79.141.162[.]154/AIDY`).
- **Persistence/Execution:** The shell script rapidly removes itself after execution.
- **C2 Communication:** Uses distinct C2 infrastructures: Loader-C2s communicating primarily over port 80 and port 21 (FTP), and a second-stage C2 network utilizing Domain Generation Algorithms (DGA) to determine bot eligibility for the proxy network.
- **Proxy Service:** Acts as the engine for the NSOCKS criminal proxy service, routing traffic for users across 180+ "backconnect" C2 nodes.
### Advanced Features
- **Infrastructure Diversity:** The botnet has two distinct elements: the loader network and the secondary proxy network.
- **Exploit Targeting:** Loader C2s actively search for specific exploits, suggesting the operators possess a collection of 10-15 different exploits targeting IoT/router firmware.
- **Adaptability:** The use of dynamically named files (e.g., "AIDY") provides a level of obfuscation against researchers gathering older samples.
- **Monetization:** Beyond providing proxy services, it supports credential stuffing, phishing, and DDoS attacks.
## Indicators of Compromise
*Note: Specific IoCs are omitted as they are constantly changing and should be referenced from the original source materials (GitHub page mentioned in the article).*
- File Hashes: [Refer to Black Lotus Labs GitHub repository for current IoCs]
- File Names: Four-letter names that change over time (e.g., "AIDY" mentioned historically).
- Registry Keys: [Not specified in the summary]
- Network Indicators:
  - Historical/Active C2 Nodes: Over 180 "backconnect" C2 nodes used for proxying.
  - Loader C2s communicate over **port 80** and **port 21 (FTP)**.
  - A potential monitoring node for the loader network was observed at `103.172.92[.]148`.
- Behavioral Indicators: Devices communicating with sinkhole infrastructure monitored by Shadowserver.
## Associated Threat Actors
- **NSOCKS Operators (Criminal Proxy Service)**: The primary entity utilizing the infrastructure.
- **VN5Socks and Shopsocks5**: Other groups appropriating the architecture.
- **Muddled Libra**: A notorious group tied to NSOCKS usage.
## Detection Methods
- Signature-based detection: Monitoring for known ngioweb file names or hashes (when available).
- Behavioral detection: Identifying traffic originating from devices communicating regularly over port 80 and port 21 to suspicious external IPs, particularly those associated with DGA lookups.
- Network Detection: Monitoring egress traffic attempting to communicate with known proxy backconnect nodes or traffic patterns indicative of password spraying or DDoS launching.
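The behavioral and network detection ideas above, combined into one check over constructed flow and DNS log lines (an added example, not code from Black Lotus Labs or the original post). Device names, the TEST-NET destination addresses and the query names are hypothetical, and the DGA test is a generic high-entropy heuristic, since the page does not describe the ngioweb DGA itself.

```python
import math
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample logs: hypothetical devices, TEST-NET addresses, made-up domains.
FLOW_LOG = """\
src=router-01 dst=203.0.113.10 dport=80
src=router-01 dst=203.0.113.10 dport=80
src=router-01 dst=203.0.113.10 dport=80
src=router-01 dst=203.0.113.11 dport=21
src=router-02 dst=192.168.1.5 dport=80
src=router-02 dst=203.0.113.20 dport=443
"""
DNS_LOG = """\
src=router-01 qname=xk3p9qvtz2.com
src=router-01 qname=q8w2rt7zx1.net
src=router-02 qname=www.example.com
"""
PRIVATE_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_kv(text):
    """Turn 'k=v k=v' log lines into dicts; blank lines are skipped."""
    return [dict(f.split("=", 1) for f in line.split()) for line in text.splitlines() if line.strip()]

def is_external(ip):
    # Simplified RFC 1918 check, so the TEST-NET sample addresses count as external here.
    addr = ip_address(ip)
    return not any(addr in net for net in PRIVATE_NETS)

def label_entropy(domain):
    """Shannon entropy (bits per character) of the leftmost DNS label."""
    label = domain.split(".")[0]
    counts = Counter(label)
    return -sum(c / len(label) * math.log2(c / len(label)) for c in counts.values())

def looks_dga(domain, min_len=8, min_entropy=2.8):
    # Generic heuristic (long, high-entropy label), not the actual ngioweb DGA.
    return len(domain.split(".")[0]) >= min_len and label_entropy(domain) >= min_entropy

def score_devices(flow_log, dns_log, min_c2_flows=3):
    """Return device names showing both indicators: repeated port 80/21 flows
    to external IPs and at least one DGA-looking DNS lookup."""
    c2_flows, dga_lookups = defaultdict(int), defaultdict(int)
    for rec in parse_kv(flow_log):
        if rec["dport"] in ("80", "21") and is_external(rec["dst"]):
            c2_flows[rec["src"]] += 1
    for rec in parse_kv(dns_log):
        if looks_dga(rec["qname"]):
            dga_lookups[rec["src"]] += 1
    return {d for d, n in c2_flows.items() if n >= min_c2_flows and dga_lookups[d] > 0}

if __name__ == "__main__":
    print("flagged devices:", sorted(score_devices(FLOW_LOG, DNS_LOG)))
```

Tune `min_c2_flows` and the entropy threshold against a baseline of your own devices; legitimate CDN hostnames can also score high on entropy, so treat a hit as a triage lead rather than a verdict.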
## Mitigation Strategies
- Corporate Network Defenders:
  - Monitor for attacks originating from residential IP addresses that bypass traditional geofencing.
  - Block malicious IoCs using Web Application Firewalls and inspect traffic for attacks like password spraying aimed at cloud assets.
  - Update and actively block known open proxy IP addresses.
- Consumers with SOHO routers:
  - Regularly reboot routers and install security updates/patches.
  - Ensure default passwords are changed and management interfaces are secured and not accessible from the internet (per CISA BOD 23-02 guidance).
  - Replace end-of-life (unsupported) devices.
## Related Tools/Techniques
- Socks5Systemz (similar modern proxy service)
- Cloudrouter (Similar proxy service)
- Other known Linux botnets targeting IoT/Routers (e.g., Mirai variants).