Cyber Security News

Researchers Detailed Raptor Train Botnet That 60,000+ Compromised Devices

Researchers discovered a large, Chinese state-sponsored IoT botnet, “Raptor Train,” that compromised over 200,000 SOHO and IoT devices.

Operated by Flax Typhoon, the botnet leveraged a sophisticated control system, “Sparrow,” to manage its extensive network. 

The botnet posed a significant threat to various sectors, including military, government, and IT, with the potential for DDoS attacks and targeted exploitation of specific vulnerabilities.

Raptor Train botnet is a three-tiered network controlled by “Sparrow” management nodes.

Meet the CISOs, Join the Virtual Panel to Learn compliance – Join for free

Compromised SOHO/IoT devices in Tier 1 are infected with the custom Mirai variant “Nosedive” through exploitation servers and payload servers in Tier 2. 

Overview of the Raptor Train network architecture and tiering structure.

The C2 servers in Tier 2 coordinate bot activities, while Tier 3 management nodes oversee the entire operation.

To evade detection, Nosedive implants are memory-resident only and employ anti-forensics techniques, making it difficult to identify and investigate compromised devices.

Attackers are exploiting a vast range of compromised SOHO and IoT devices, including routers, cameras, and NAS devices, to form a massive botnet known as Tier 1, which is often vulnerable to both known and unknown vulnerabilities and acts as nodes in the botnet, constantly checking in with central command and control (C2) servers. 

Due to the sheer number of vulnerable devices online, the attackers can easily replace compromised devices without implementing persistent mechanisms, ensuring a continuous supply of nodes for their operations. 

an example of a TLS certificate on port 443 of a Tier 2 C2 node

Tier 2 consists of virtual servers that control compromised devices (Tier 1) and deliver malicious payloads, while its servers have two types: first-stage for general attacks and second-stage for targeted attacks with obfuscated exploits. 

Both use port 443 with a random TLS certificate for communication.

Tier 3 manages Tier 2 servers over a separate port (34125) with its own unique certificate, and the number of Tier 2 servers has grown significantly in the past four years, indicating a rise in overall malware activity. 

The Tier 3 management nodes of the botnet, known as Sparrow nodes, oversee the operations of the botnet, which facilitate manual management of Tier 2 nodes via SSH and automatic management of Tier 2 C2 nodes via TLS connections. 

Screenshot of the interactive Sparrow “Node Comprehensive Control Tool.”

Sparrow nodes, including the NCCT and Condor, provide a comprehensive web-based interface for botnet operators to manage and control various aspects of the botnet, such as executing commands, uploading/downloading files, collecting data, and initiating DDoS attacks.

The Raptor Train botnet has been active since May 2020 and has evolved its tactics over 4 campaigns: Crossbill, Finch, Canary, and Oriole, which targets SOHO and IoT devices and uses a Mirai-based malware called Nosedive. 

It communicates with compromised devices through a tiered structure, with Tier 3 management nodes issuing commands to Tier 2 C2 servers, which then relay them to Tier 1 infected devices. 

According to Black Lotus Labs, the botnet operators are likely Chinese state-sponsored actors and have targeted critical infrastructure in the US, Taiwan, and other countries.

Are You From SOC/DFIR Teams? - Try Advanced Malware and Phishing Analysis With ANY.RUN - 14-day free trial  

Aman Mishra

Recent Posts

Nearest Neighbor Attacks: Russian APT Hack The Target By Exploiting Nearby Wi-Fi Networks

Recent research has revealed that a Russian advanced persistent threat (APT) group, tracked as "GruesomeLarch"…

1 day ago

240+ Domains Used By PhaaS Platform ONNX Seized by Microsoft

Microsoft's Digital Crimes Unit (DCU) has disrupted a significant phishing-as-a-service (PhaaS) operation run by Egypt-based…

2 days ago

Russian TAG-110 Hacked 60+ Users With HTML Loaded & Python Backdoor

The Russian threat group TAG-110, linked to BlueDelta (APT28), is actively targeting organizations in Central…

2 days ago

Earth Kasha Upgraded Their Arsenal With New Tactics To Attack Organizations

Earth Kasha, a threat actor linked to APT10, has expanded its targeting scope to India,…

2 days ago

Raspberry Robin Employs TOR Network For C2 Servers Communication

Raspberry Robin, a stealthy malware discovered in 2021, leverages advanced obfuscation techniques to evade detection…

2 days ago

145,000 ICS Systems, Thousands of HMIs Exposed to Cyber Attacks

Critical infrastructure, the lifeblood of modern society, is under increasing threat as a new report…

2 days ago