Water Barghest Botnet Comprised 20,000+ IoT Devices By Exploiting Vulnerabilities

Water Barghest, a sophisticated botnet, exploits vulnerabilities in IoT devices to enlist them in a residential proxy marketplace by leveraging automated scripts to identify vulnerable devices from public databases like Shodan. 

When the device is compromised, the Ngioweb malware is installed in a stealthy manner, thereby establishing a connection to command-and-control servers. 

The infected device is rapidly registered as a proxy, often within 10 minutes, enabling immediate monetization through the proxy marketplace, which highlights the significant threat posed by Water Barghest to IoT security.

It automates the process of exploiting vulnerable IoT devices, starting with acquiring n-day or zero-day exploits by using Shodan to identify vulnerable devices and their IP addresses, then launches attacks using data-center IP addresses.

Maximizing Cybersecurity ROI: Expert Tips for SME & MSP Leaders – Attend Free Webinar

Successful attacks lead to the installation of Ngioweb malware, which registers with a C&C server and connects to a residential proxy provider’s entry points. 

These compromised devices are then listed on a marketplace as residential proxies, generating revenue for Water Barghest. The threat actor maintains a consistent operation with multiple workers scanning for vulnerabilities and deploying malware.

Ngioweb, a versatile malware strain, first emerged in 2018 as a Windows botnet, leveraging the Ramnit Trojan for distribution, and evolved in 2019 to target Linux systems, particularly WordPress-powered web servers, exploiting vulnerabilities in the platform or its plugins. 

The malware, utilizing a two-stage C&C infrastructure and a custom binary protocol, demonstrates its adaptability and potential for widespread impact across diverse operating systems and web applications. 

Then initializes function pointers dynamically, ignores signals, renames itself to mimic a kernel thread, closes standard file descriptors, disables the kernel watchdog, reads the device’s machine ID, decrypts its configuration using AES-256-ECB, and generates and resolves DGA domains for C&C communication. 

Ngioweb malware is a trojan that infects devices and turns them into rotating proxies by using a two-tier C2 architecture to communicate with the attackers. 

The first stage C2 server provides configuration parameters like DGA seed, count, and C&C URL path uses DNS TXT requests to retrieve additional data from the C2 server. 

While the second-stage C2 server provides commands like CONNECT, CERT, and WAIT and also downloads a large file to estimate the victim’s bandwidth before selling the victim’s IP address on a residential proxy marketplace.  

According to Trend Micro, a residential proxy marketplace is offering access to a large number of infected IoT devices for rent, which, compromised by Ngioweb malware, are rapidly added to the marketplace after infection. 

The marketplace operates a backconnect proxy infrastructure, allowing users to route traffic through the infected devices, which enables malicious actors to anonymize their activities and evade detection. 

The increasing availability and affordability of such services poses significant challenges for security professionals, highlighting the urgent need for improved IoT device security and network hardening to mitigate these threats.

Are you from SOC/DFIR Teams? – Analyse Malware Files & Links with ANY.RUN -> Try for Free