Cybersecurity researchers have discovered a never-before-seen botnet made up of an army of small office/home office (SOHO) and IoT devices, believed to be operated by a Chinese state threat actor called Flax Typhoon (aka Ethereal Panda or RedJuliett).
The sophisticated botnet, dubbed Raptor Train by Lumen’s Black Lotus Labs, is believed to have been in operation since at least May 2020, and peaked in June 2023 with the number of actively compromised devices reaching 60,000.
“Since then, more than 200,000 SOHO routers, NVR/DVR devices, Network Attached Storage (NAS) servers, and IP cameras have all been commandeered into the Raptor Train botnet, making it the largest Chinese state-sponsored IoT botnet discovered to date,” the cybersecurity firm said in an 81-page report shared with The Hacker News.
The infrastructure behind the botnet is estimated to have ensnared hundreds of thousands of devices since its formation, and the network is organized in a three-tiered architecture:
- Tier 1: Compromised SOHO/IoT Devices
- Tier 2: Exploit servers, payload servers, command and control (C2) servers
- Tier 3: A centralized node and a cross-platform Electron application frontend called Sparrow (aka Node Comprehensive Control Tool, or NCCT).
In practice, bot tasks are initiated from the Tier 3 “Sparrow” management node, routed through the appropriate Tier 2 C2 server, and then sent to the Tier 1 bots, which make up the bulk of the botnet.
Targeted devices include routers, IP cameras, DVRs, NAS devices and more from a variety of manufacturers, including ActionTec, ASUS, DrayTek, Fujitsu, Hikvision, Mikrotik, Mobotix, Panasonic, QNAP, Ruckus Wireless, Shenzhen TVT, Synology, Tenda, TOTOLINK, TP-LINK and Zyxel.
The majority of Tier 1 nodes are geographically located in the United States, Taiwan, Vietnam, Brazil, Hong Kong, and Turkey. The average lifespan of a Tier 1 node is 17.44 days, indicating that the threat actors can reinfect devices at will rather than relying on persistence.
“In most cases, operators did not build persistence mechanisms to survive reboots,” Lumen noted.
“The confidence in the likelihood of re-exploitation comes from the combination of widely available exploits for vulnerable SOHO and IoT devices, and the sheer number of vulnerable devices on the Internet, giving Raptor Train a kind of ‘intrinsic’ persistence.”
Tier 1 nodes are infected with an in-memory implant tracked as Nosedive, a custom Mirai variant, delivered from a Tier 2 payload server set up explicitly for this purpose. Because the implant runs only in memory, a reboot clears it, which is consistent with the lack of persistence mechanisms noted above. The ELF binary can execute commands, upload and download files, and perform DDoS attacks.
Meanwhile, Tier 2 nodes are rotated approximately every 75 days and are primarily based in the US, Singapore, UK, Japan, and South Korea. The number of C2 nodes has increased from approximately 1-5 between 2020 and 2022 to over 60 between June 2024 and August 2024.
These nodes are highly flexible, acting as exploit servers, payload servers to incorporate new devices into the botnet, and facilitating reconnaissance on targeted entities.
Since mid-2020, there have been at least four distinct campaigns linked to the evolving Raptor Train botnet, each distinguished by the root domains used and the devices targeted.
- Crossbill (May 2020 to April 2022) – Use of the C2 root domain k3121.com and related subdomains
- Finch (July 2022 to June 2023) – Use of the C2 root domain b2047.com and associated C2 subdomains
- Canary (May 2023 to August 2023) – Use of the C2 root domain b2047.com and associated C2 subdomains, while relying on multi-stage droppers
- Oriole (June 2023 to September 2024) – Use of the C2 root domain w8510.com and associated C2 subdomains
The Canary campaign, which focused on targeting ActionTec PK5000 modems, Hikvision IP cameras, Shenzhen TVT NVRs, and ASUS routers, is notable for employing a unique multi-layered infection chain to download a first-stage bash script that contacts a tier-2 payload server to retrieve Nosedive and a second-stage bash script.
The second-stage script then attempts to download and execute a third-stage bash script from the payload server every 60 minutes.
“Indeed, the C2 domain for the (Orioles) campaign, w8510.com, became so prominent among compromised IoT devices that it was included in the Cisco umbrella domain rankings by June 3, 2024,” Lumen said.
“By at least August 7, 2024, this domain was also included in Cloudflare Radar’s top 1 million domains. This is concerning because domains on this popular list are often able to circumvent security tools via domain whitelisting, expanding and maintaining access, and further evading detection.”
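As an added example, not code from Lumen’s report or from this article, the following Python hunts DNS resolver logs for the campaign root domains listed above, matching subdomains on label boundaries so that lookalike names are not caught, and flags hosts that query one of them on the roughly hourly cadence of the Canary second-stage script. The log format, client addresses and subdomain labels (such as “stage.”) are constructed for the example; the `popular_domains` parameter stands in for a popularity list like the ones quoted above, and a match on it is reported and flagged rather than suppressed.

```python
"""Added hunting example for the Raptor Train C2 root domains and the Canary
hourly beacon. Not from Lumen's report or the article; the log format, client
addresses and subdomain labels below are constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# C2 root domains named in the article, keyed to the campaign that used them.
C2_ROOTS = {
    "k3121.com": "Crossbill",
    "b2047.com": "Finch/Canary",
    "w8510.com": "Oriole",
}


def match_c2_root(qname):
    """Return the C2 root that qname equals or is a subdomain of, else None.
    Matching is on label boundaries, so 'notw8510.com' does not match."""
    name = qname.rstrip(".").lower()
    for root in C2_ROOTS:
        if name == root or name.endswith("." + root):
            return root
    return None


def parse_dns_line(line):
    """Constructed log format: '<ISO-8601 timestamp> <client IP> <queried name>'."""
    ts, client, qname = line.split()
    return datetime.fromisoformat(ts), client, qname


def find_c2_hits(lines, popular_domains=frozenset()):
    """Match every query against the C2 roots. popular_domains stands in for a
    top-1M list; a hit on such a domain is still reported, only flagged, since
    popularity lists must not be used to suppress IOC matches."""
    hits = []
    for line in lines:
        ts, client, qname = parse_dns_line(line)
        root = match_c2_root(qname)
        if root is None:
            continue
        hits.append({
            "time": ts, "client": client, "qname": qname,
            "campaign": C2_ROOTS[root], "on_popular_list": root in popular_domains,
        })
    return hits


def hourly_beacons(hits, period=timedelta(minutes=60),
                   tolerance=timedelta(minutes=5), min_gaps=3):
    """Flag (client, qname) pairs whose inter-query gaps cluster around 60 minutes,
    the polling interval of the Canary second-stage script."""
    series = defaultdict(list)
    for h in hits:
        series[(h["client"], h["qname"])].append(h["time"])
    flagged = []
    for key, stamps in series.items():
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        if len(gaps) >= min_gaps and abs(median(gaps) - period) <= tolerance:
            flagged.append(key)
    return flagged


# Constructed sample log: one host polling an Oriole subdomain hourly, a single
# Finch/Canary lookup, a lookalike that must not match, and benign noise.
SAMPLE_LOG = [
    "2024-06-03T00:00:00 192.0.2.10 stage.w8510.com",
    "2024-06-03T00:30:00 192.0.2.20 notw8510.com",
    "2024-06-03T01:00:30 192.0.2.10 stage.w8510.com",
    "2024-06-03T01:15:00 192.0.2.30 cdn.b2047.com",
    "2024-06-03T02:00:00 192.0.2.10 stage.w8510.com",
    "2024-06-03T02:45:00 192.0.2.40 www.example.com",
    "2024-06-03T03:01:00 192.0.2.10 stage.w8510.com",
]

if __name__ == "__main__":
    hits = find_c2_hits(SAMPLE_LOG, popular_domains={"w8510.com"})
    for h in hits:
        print(h)
    print("beaconing:", hourly_beacons(hits))
```

The point of the `on_popular_list` flag follows directly from the Cisco Umbrella and Cloudflare Radar observation: presence on a popularity ranking says nothing about a domain’s benignity, so IOC matching has to run before any popularity-based suppression, not after it. The absence of a beacon pattern is not exculpatory either; Nosedive is an in-memory implant and the per-device lifespan is short, so a single hit on one of these roots deserves review.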
To date, no DDoS attacks have been detected originating from this botnet, but evidence indicates that the botnet is being weaponized to target U.S. and Taiwanese organizations in the military, government, higher education, communications, Defense Industrial Base (DIB), and information technology (IT) sectors.
Additionally, bots ensnared in Raptor Train likely attempted to exploit Atlassian Confluence servers and Ivanti Connect Secure (ICS) appliances in the same sectors, suggesting widespread scanning activity.
The connection to Flax Typhoon, a hacking group with a track record of targeting organizations in Taiwan, Southeast Asia, North America and Africa, comes from overlaps in victim footprints, use of Chinese language and other tactical similarities.
Describing the Tier 3 Sparrow control system, Lumen said: “This is a robust, enterprise-grade control system used to manage up to 60 C2 servers and their infected nodes at any given time.”
“The service enables a range of activities, including scalable exploitation of bots, vulnerability and exploit management, remote management of C2 infrastructure, file upload and download, remote command execution, and the ability to customize IoT-based distributed denial of service (DDoS) attacks at scale.”