Saturday, December 7, 2024
HomeBotnetWater Barghest Botnet Comprised 20,000+ IoT Devices By Exploiting Vulnerabilities

Water Barghest Botnet Comprised 20,000+ IoT Devices By Exploiting Vulnerabilities

Published on

SIEM as a Service

Water Barghest, a sophisticated botnet, exploits vulnerabilities in IoT devices to enlist them in a residential proxy marketplace by leveraging automated scripts to identify vulnerable devices from public databases like Shodan. 

When the device is compromised, the Ngioweb malware is installed in a stealthy manner, thereby establishing a connection to command-and-control servers. 

The infected device is rapidly registered as a proxy, often within 10 minutes, enabling immediate monetization through the proxy marketplace, which highlights the significant threat posed by Water Barghest to IoT security.

- Advertisement - SIEM as a Service
Automation by Water Barghest

It automates the process of exploiting vulnerable IoT devices, starting with acquiring n-day or zero-day exploits by using Shodan to identify vulnerable devices and their IP addresses, then launches attacks using data-center IP addresses.

Maximizing Cybersecurity ROI: Expert Tips for SME & MSP Leaders – Attend Free Webinar

Successful attacks lead to the installation of Ngioweb malware, which registers with a C&C server and connects to a residential proxy provider’s entry points. 

These compromised devices are then listed on a marketplace as residential proxies, generating revenue for Water Barghest. The threat actor maintains a consistent operation with multiple workers scanning for vulnerabilities and deploying malware.

Ngioweb, a versatile malware strain, first emerged in 2018 as a Windows botnet, leveraging the Ramnit Trojan for distribution, and evolved in 2019 to target Linux systems, particularly WordPress-powered web servers, exploiting vulnerabilities in the platform or its plugins. 

 Ngioweb’s main function

The malware, utilizing a two-stage C&C infrastructure and a custom binary protocol, demonstrates its adaptability and potential for widespread impact across diverse operating systems and web applications. 

Then initializes function pointers dynamically, ignores signals, renames itself to mimic a kernel thread, closes standard file descriptors, disables the kernel watchdog, reads the device’s machine ID, decrypts its configuration using AES-256-ECB, and generates and resolves DGA domains for C&C communication. 

 File downloaded from second-stage C&C

Ngioweb malware is a trojan that infects devices and turns them into rotating proxies by using a two-tier C2 architecture to communicate with the attackers. 

The first stage C2 server provides configuration parameters like DGA seed, count, and C&C URL path uses DNS TXT requests to retrieve additional data from the C2 server. 

While the second-stage C2 server provides commands like CONNECT, CERT, and WAIT and also downloads a large file to estimate the victim’s bandwidth before selling the victim’s IP address on a residential proxy marketplace.  

 Residential proxy marketplace’s website

According to Trend Micro, a residential proxy marketplace is offering access to a large number of infected IoT devices for rent, which, compromised by Ngioweb malware, are rapidly added to the marketplace after infection. 

The marketplace operates a backconnect proxy infrastructure, allowing users to route traffic through the infected devices, which enables malicious actors to anonymize their activities and evade detection. 

The increasing availability and affordability of such services poses significant challenges for security professionals, highlighting the urgent need for improved IoT device security and network hardening to mitigate these threats.

Are you from SOC/DFIR Teams? – Analyse Malware Files & Links with ANY.RUN -> Try for Free

Varshini
Varshini
Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.

Latest articles

DaMAgeCard Attack – New SD Card Attack Lets Hackers Directly Access System Memory

Security researchers have identified a significant vulnerability dubbed "DaMAgeCard Attack" in the new SD...

Deloitte Denies Breach, Claims Only Single System Affected

Ransomware group Brain Cipher claimed to have breached Deloitte UK and threatened to publish...

Top Five Industries Most Frequently Targeted by Phishing Attacks

Researchers analyzed phishing attacks from Q3 2023 to Q3 2024 and identified the top...

Russian BlueAlpha APT Exploits Cloudflare Tunnels to Distribute Custom Malware

BlueAlpha, a Russian state-sponsored group, is actively targeting Ukrainian individuals and organizations by using...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

Sophisticated Celestial Stealer Targets Browsers to Steal Login Credentials

Researchers discovered Celestial Stealer, a JavaScript-based MaaS infostealer targeting Windows systems that, evading detection...

Deloitte Hacked – Brain Cipher Group Claim to Have Stolen 1 TB of Data

Brain Cipher has claimed to have breached Deloitte UK and exfiltrated over 1 terabyte...

Hackers Exploit Docker Remote API Servers To Inject Gafgyt Malware

Attackers are exploiting publicly exposed Docker Remote API servers to deploy Gafgyt malware by...