IoT

Water Barghest Botnet Comprised 20,000+ IoT Devices By Exploiting Vulnerabilities

Water Barghest, a sophisticated botnet, exploits vulnerabilities in IoT devices to enlist them in a residential proxy marketplace by leveraging automated scripts to identify vulnerable devices from public databases like Shodan. 

When the device is compromised, the Ngioweb malware is installed in a stealthy manner, thereby establishing a connection to command-and-control servers. 

The infected device is rapidly registered as a proxy, often within 10 minutes, enabling immediate monetization through the proxy marketplace, which highlights the significant threat posed by Water Barghest to IoT security.

Automation by Water Barghest

It automates the process of exploiting vulnerable IoT devices, starting with acquiring n-day or zero-day exploits by using Shodan to identify vulnerable devices and their IP addresses, then launches attacks using data-center IP addresses.

Maximizing Cybersecurity ROI: Expert Tips for SME & MSP Leaders – Attend Free Webinar

Successful attacks lead to the installation of Ngioweb malware, which registers with a C&C server and connects to a residential proxy provider’s entry points. 

These compromised devices are then listed on a marketplace as residential proxies, generating revenue for Water Barghest. The threat actor maintains a consistent operation with multiple workers scanning for vulnerabilities and deploying malware.

Ngioweb, a versatile malware strain, first emerged in 2018 as a Windows botnet, leveraging the Ramnit Trojan for distribution, and evolved in 2019 to target Linux systems, particularly WordPress-powered web servers, exploiting vulnerabilities in the platform or its plugins. 

Ngioweb’s main function

The malware, utilizing a two-stage C&C infrastructure and a custom binary protocol, demonstrates its adaptability and potential for widespread impact across diverse operating systems and web applications. 

Then initializes function pointers dynamically, ignores signals, renames itself to mimic a kernel thread, closes standard file descriptors, disables the kernel watchdog, reads the device’s machine ID, decrypts its configuration using AES-256-ECB, and generates and resolves DGA domains for C&C communication. 

File downloaded from second-stage C&C

Ngioweb malware is a trojan that infects devices and turns them into rotating proxies by using a two-tier C2 architecture to communicate with the attackers. 

The first stage C2 server provides configuration parameters like DGA seed, count, and C&C URL path uses DNS TXT requests to retrieve additional data from the C2 server

While the second-stage C2 server provides commands like CONNECT, CERT, and WAIT and also downloads a large file to estimate the victim’s bandwidth before selling the victim’s IP address on a residential proxy marketplace.  

Residential proxy marketplace’s website

According to Trend Micro, a residential proxy marketplace is offering access to a large number of infected IoT devices for rent, which, compromised by Ngioweb malware, are rapidly added to the marketplace after infection. 

The marketplace operates a backconnect proxy infrastructure, allowing users to route traffic through the infected devices, which enables malicious actors to anonymize their activities and evade detection. 

The increasing availability and affordability of such services poses significant challenges for security professionals, highlighting the urgent need for improved IoT device security and network hardening to mitigate these threats.

Are you from SOC/DFIR Teams? – Analyse Malware Files & Links with ANY.RUN -> Try for Free

Varshini

Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.

Recent Posts

Hackers Exploiting California Wildfire Sparks to Launching Phishing Attacks

As California grapples with devastating wildfires, communities are rallying to protect lives and property. Unfortunately,…

14 hours ago

AIRASHI Botnet Exploiting 0-Day Vulnerabilities In Large Scale DDoS Attacks

AISURU botnet launched a DDoS attack targeting Black Myth: Wukong distribution platforms in August 2024…

15 hours ago

New Botnet Exploiting DNS Records Misconfiguration To Deliver Malware

Botnets are the networks of compromised devices that have evolved significantly since the internet's inception.…

15 hours ago

FTC Slams GoDaddy For Not Implement Standard Security Practices Following Major Breaches

The Federal Trade Commission (FTC) has announced that it will require GoDaddy Inc. to develop…

15 hours ago

Thousands of PHP-based Web Applications Exploited to Deploy Malware

A significant cybersecurity threat has emerged, threatening the integrity of thousands of PHP-based web applications.…

16 hours ago

W3 Total Cache Plugin Vulnerability Let Attackers Gain Unauthorized Access to Sensitive Data

A significant security vulnerability has been identified in the W3 Total Cache plugin for WordPress,…

18 hours ago