Lumen Technologies Analyzes ngioweb Botnet and NSOCKS Service
Quick take - Lumen Technologies’ Black Lotus Labs has advanced its understanding of the ngioweb botnet, which primarily exploits SOHO routers and IoT devices. The botnet accounts for about 80% of the bots used in the NSOCKS criminal proxy service; Lumen has also identified command-and-control nodes and released indicators of compromise to aid in mitigating the associated risks.
Fast Facts
- Lumen Technologies’ Black Lotus Labs has identified the ngioweb botnet, which supplies about 80% of the 35,000 daily bots used by the NSOCKS criminal proxy service across 180 countries.
- The ngioweb botnet primarily targets small office/home office (SOHO) routers and IoT devices, with two-thirds of its proxies located in the U.S.
- Lumen has blocked all traffic from the ngioweb botnet and is releasing indicators of compromise (IoCs) to help organizations mitigate risks.
- NSOCKS, which emerged in fall 2022, allows users to purchase proxies for fraudulent activities and has been linked to DDoS attacks, utilizing a network of backconnect C2 nodes.
- Recommendations for network defenders include monitoring for weak credentials, blocking known open proxies, and securing SOHO router management interfaces.
Lumen Technologies’ Black Lotus Labs Investigates ngioweb Botnet
Lumen Technologies’ Black Lotus Labs has made significant strides in understanding the “ngioweb” botnet and its connection to the NSOCKS criminal proxy service.
Overview of NSOCKS and ngioweb Botnet
NSOCKS is a widely used criminal proxy service, operating with an average of over 35,000 bots daily across 180 countries. Approximately 80% of these bots originate from the ngioweb botnet, which primarily exploits small office/home office (SOHO) routers and Internet of Things (IoT) devices. Notably, two-thirds of its proxies are located in the United States.
Lumen Technologies has identified both active and historical command-and-control (C2) nodes linked to these networks, some of which were previously unknown and have been operational since mid-2022. Users of NSOCKS utilize over 180 “backconnect” C2 nodes to obscure their identities while routing malicious traffic. The NSOCKS infrastructure supports proxying and allows threat actors to create their own services, and it has been linked to distributed denial-of-service (DDoS) attacks.
Response and Mitigation Efforts
In response to these findings, Lumen Technologies has blocked all traffic associated with the ngioweb botnet on its global network. They are also releasing indicators of compromise (IoCs) to help other organizations identify and mitigate this risk. The ngioweb botnet operates through a “loader” network that directs infected devices to retrieve and execute ngioweb malware. Initial access to this botnet is believed to occur through various exploits, though the exact vector remains unclear.
Black Lotus Labs has been tracking 15-20 loader nodes, some undocumented in public databases. The ngioweb botnet communicates over ports 80 and 21 (FTP), and infected devices connect to a second stage of C2 domains managed by a domain generation algorithm (DGA). The malware analyzed has not shown significant changes since 2019 and lacks hardcoded C2 URLs, using DNS TXT records to prevent sinkholing or takeover of DGA domains. The botnet targets known vulnerabilities in older devices rather than zero-day exploits, with fifteen percent of observed devices running outdated web application libraries.
The Emergence of NSOCKS
Eighty percent of bots communicating with ngioweb are also part of the NSOCKS network, which first emerged in fall 2022, previously operating under the name LuxSocks. The NSOCKS service is advertised on criminal forums and is used by groups like Muddled Libra. Users can purchase proxies for 24 hours using cryptocurrency for fraudulent activities, and NSOCKS allows users to filter proxies by domain, facilitating targeted attacks.
The architecture of NSOCKS may permit the siphoning of proxies to other services, such as Shopsocks5 and VN5Socks. The Shadowserver Foundation is actively involved in sinkholing known ngioweb botnet DGA domains. Recommendations for corporate network defenders include monitoring for weak credentials and blocking known open proxies. Consumers are advised to regularly reboot routers and install security updates, while organizations managing SOHO routers should avoid using default passwords and secure management interfaces.
The analysis of NSOCKS and ngioweb malware was conducted by Chris Formosa and Steve Rudd, with technical editing provided by Ryan English.