Researchers Detailed Raptor Train Botnet That 60,000+ Compromised Devices

Researchers discovered a large, Chinese state-sponsored IoT botnet, “Raptor Train,” that compromised over 200,000 SOHO and IoT devices.

Operated by Flax Typhoon, the botnet leveraged a sophisticated control system, “Sparrow,” to manage its extensive network. 

The botnet posed a significant threat to various sectors, including military, government, and IT, with the potential for DDoS attacks and targeted exploitation of specific vulnerabilities.

Raptor Train botnet is a three-tiered network controlled by “Sparrow” management nodes.

Meet the CISOs, Join the Virtual Panel to Learn compliance – Join for free

Compromised SOHO/IoT devices in Tier 1 are infected with the custom Mirai variant “Nosedive” through exploitation servers and payload servers in Tier 2. 

The C2 servers in Tier 2 coordinate bot activities, while Tier 3 management nodes oversee the entire operation.

To evade detection, Nosedive implants are memory-resident only and employ anti-forensics techniques, making it difficult to identify and investigate compromised devices.

Attackers are exploiting a vast range of compromised SOHO and IoT devices, including routers, cameras, and NAS devices, to form a massive botnet known as Tier 1, which is often vulnerable to both known and unknown vulnerabilities and acts as nodes in the botnet, constantly checking in with central command and control (C2) servers. 

Due to the sheer number of vulnerable devices online, the attackers can easily replace compromised devices without implementing persistent mechanisms, ensuring a continuous supply of nodes for their operations. 

Tier 2 consists of virtual servers that control compromised devices (Tier 1) and deliver malicious payloads, while its servers have two types: first-stage for general attacks and second-stage for targeted attacks with obfuscated exploits. 

Both use port 443 with a random TLS certificate for communication.

Tier 3 manages Tier 2 servers over a separate port (34125) with its own unique certificate, and the number of Tier 2 servers has grown significantly in the past four years, indicating a rise in overall malware activity. 

The Tier 3 management nodes of the botnet, known as Sparrow nodes, oversee the operations of the botnet, which facilitate manual management of Tier 2 nodes via SSH and automatic management of Tier 2 C2 nodes via TLS connections. 

Sparrow nodes, including the NCCT and Condor, provide a comprehensive web-based interface for botnet operators to manage and control various aspects of the botnet, such as executing commands, uploading/downloading files, collecting data, and initiating DDoS attacks.

The Raptor Train botnet has been active since May 2020 and has evolved its tactics over 4 campaigns: Crossbill, Finch, Canary, and Oriole, which targets SOHO and IoT devices and uses a Mirai-based malware called Nosedive. 

It communicates with compromised devices through a tiered structure, with Tier 3 management nodes issuing commands to Tier 2 C2 servers, which then relay them to Tier 1 infected devices. 

According to Black Lotus Labs, the botnet operators are likely Chinese state-sponsored actors and have targeted critical infrastructure in the US, Taiwan, and other countries.

Are You From SOC/DFIR Teams? - Try Advanced Malware and Phishing Analysis With ANY.RUN - 14-day free trial