Cybersecurity researchers have uncovered a never-before-seen botnet comprising an army of small office/home office (SOHO) and IoT devices that are likely operated by a Chinese nation-state threat actor called Flax Typhoon (aka Ethereal Panda or RedJuliett).
The sophisticated botnet, dubbed Raptor Train by Lumen’s Black Lotus Labs, is believed to have been operational since at least May 2020, hitting a peak of 60,000 actively compromised devices in June 2023.
“Since that time, there have been more than 200,000 SOHO routers, NVR/DVR devices, network attached storage (NAS) servers, and IP cameras; all conscripted into the Raptor Train botnet, making it one of the largest Chinese state-sponsored IoT botnets discovered to-date,” the cybersecurity company said in a 81-page report shared with The Hacker News.
The infrastructure powering the botnet is estimated to have ensnared hundreds of thousands of devices since its formation, with the network powered by a three-tiered architecture consisting of the following –
- Tier 1: Compromised SOHO/IoT devices
- Tier 2: Exploitation servers, payload servers, and command-and-control (C2) servers
- Tier 3: Centralized management nodes and a cross-platform Electron application front-end referred to as Sparrow (aka Node Comprehensive Control Tool, or NCCT)
The way it works is, that bot tasks are initiated from Tier 3 “Sparrow” management nodes, which are then routed through the appropriate Tier 2 C2 servers, and subsequently sent to the bots themselves in Tier 1, which makes up a huge chunk of the botnet.
Some of the devices targeted include routers, IP cameras, DVRs, and NAS from various manufacturers such as ActionTec, ASUS, DrayTek, Fujitsu, Hikvision, Mikrotik, Mobotix, Panasonic, QNAP, Ruckus Wireless, Shenzhen TVT, Synology, Tenda, TOTOLINK, TP-LINK, and Zyxel.
A majority of the Tier 1 nodes have been geolocated to the U.S., Taiwan, Vietnam, Brazil, Hong Kong, and Turkey. Each of these nodes has an average lifespan of 17.44 days, indicating the threat actor’s ability to reinfect the devices at will.
“In most cases, the operators did not build in a persistence mechanism that survives through a reboot,” Lumen noted.
“The confidence in re-exploitability comes from the combination of a vast array of exploits available for a wide range of vulnerable SOHO and IoT devices and an enormous number of vulnerable devices on the Internet, giving Raptor Train somewhat of an ‘inherent’ persistence.”
The nodes are infected by an in-memory implant tracked as Nosedive, a custom variant of the Mirai botnet, via Tier 2 payload servers explicitly set up for this purpose. The ELF binary comes with capabilities to execute commands, upload and download files, and mount DDoS attacks.
Tier 2 nodes, on the other hand, are rotated about every 75 days and are primarily based in the U.S., Singapore, the U.K., Japan, and South Korea. The number C2 nodes has increased from approximately 1-5 between 2020 and 2022 to no less than 60 between June 2024 and August 2024.
These nodes are flexible in that they also act as exploitation servers to co-opt new devices into the botnet, payload servers, and even facilitate reconnaissance of targeted entities.
At least four different campaigns have been linked to the ever-evolving Raptor Train botnet since mid-2020, each of which are distinguished by the root domains used and the devices targeted –
- Crossbill (from May 2020 to April 2022) – use of the C2 root domain k3121.com and associated subdomains
- Finch (from July 2022 to June 2023) – use of the C2 root domain b2047.com and associated C2 subdomains
- Canary (from May 2023 to August 2023) – use of the C2 root domain b2047.com and associated C2 subdomains, while relying on multi-stage droppers
- Oriole (from June 2023 to September 2024) – use of the C2 root domain w8510.com and associated C2 subdomains
The Canary campaign, which heavily targeted ActionTec PK5000 modems, Hikvision IP cameras, Shenzhen TVT NVRs, and ASUS routers, is notable for employing a multi-layered infection chain of its own to download a first-stage bash script, which connects to a Tier 2 payload server to retrieve Nosedive and a second-stage bash script.
The new bash script, in turn, attempts to download and execute a third-stage bash script from the payload server every 60 minutes.
“In fact, the w8510.com C2 domain for [the Oriole] campaign became so prominent amongst compromised IoT devices, that by June 3, 2024, it was included in the Cisco Umbrella domain rankings,” Lumen said.
“By at least August 7, 2024, it was also included in Cloudflare Radar’s top 1 million domains. This is a concerning feat because domains that are in these popularity lists often circumvent security tools via domain whitelisting, enabling them to grow and maintain access and further avoid detection.”
No DDoS attacks emanating from the botnet have been detected to date, although evidence shows that it has been weaponized to target U.S. and Taiwanese entities in the military, government, higher education, telecommunications, defense industrial base (DIB) and information technology (IT) sectors.
What’s more, bots entangled within Raptor Train have likely carried out possible exploitation attempts against Atlassian Confluence servers and Ivanti Connect Secure (ICS) appliances in the same verticals, suggesting widespread scanning efforts.
The links to Flax Typhoon – a hacking crew with a track record of targeting entities in Taiwan, Southeast Asia, North America, and Africa – stem from overlaps in the victimology footprint, Chinese language use, and other tactical similarities.
“This is a robust, enterprise-grade control system used to manage upwards of 60 C2 servers and their infected nodes at any given time,” Lumen said.
“This service enables an entire suite of activities, including scalable exploitation of bots, vulnerability and exploit management, remote management of C2 infrastructure, file uploads and downloads, remote command execution, and the ability to tailor IoT-based distributed denial of service (DDoS) attacks at-scale.”
FBI Dismantles Massive Flax Typhoon Botnet
The U.S. Department of Justice (DoJ) on Wednesday announced the takedown of the Raptor Train botnet pursuant to a court-authorized law enforcement operation. It also attributed the Flax Typhoon threat actor to a publicly-traded, Beijing-based company known as Integrity Technology Group.
“The malware connected these thousands of infected devices into a botnet, controlled by Integrity Technology Group, which was used to conduct malicious cyber activity disguised as routine internet traffic from the infected consumer devices,” the DoJ said.
Botnet devices per country |
The operation saw the attackers’ infrastructure seized to issue disabling commands to the malware on infected devices, despite unsuccessful efforts made by the threat actors to interfere with the remediation action through a DDoS attack targeting the servers the Federal Bureau of Investigation (FBI) was using to carry out the court order.
“The company built an online application allowing its customers to log in and control specified infected victim devices, including with a menu of malicious cyber commands using a tool called ‘vulnerability-arsenal,'” the DoJ said. “The online application was prominently labeled ‘KRLab,’ one of the main public brands used by Integrity Technology Group.”
The botnet consisted of over 260,000 devices in June 2024, with victims scattered across North America (135,300), Europe (65,600), Asia (50,400), Africa (9,200), and Oceania (2,400), and South America (800).
In total, more than 1.2 million records of compromised devices have been identified in a MySQL database hosted on a Tier 3 management server used to administer and control the botnet and C2 servers by means of the Sparrow application. Sparrow also contains a module to exploit computer networks through an arsenal of known and zero-day flaws.
Botnets like KV-Botnet and Raptor Train make for ideal proxies as they can be abused by the threat actors to conceal their identities while staging DDoS attacks or compromising targeted networks. They also tend to evade network security defenses given that the malicious activity is originating from IP addresses with good reputations.
“The Chinese government is going to continue to target your organizations and our critical infrastructure — either by their own hand or concealed through their proxies,” FBI director Christopher Wray said, calling out Integrity Technology Group for carrying out intelligence gathering and reconnaissance for Chinese government security agencies.
“Ultimately, as part of this operation, we were able to identify thousands of infected devices, and, then, with court authorization, issued commands to remove the malware from them, prying them from China’s grip.”
(The story was updated after publication to include details of the law enforcement-backed takedown.)