Lumen Technologies’ Black Lotus Labs mapped the ngioweb botnet architecture and identified it as a major component of the NSOCKS criminal proxy service that leverages compromised SOHO routers and IoT devices. Lumen has blocked associated traffic, traced C2 infrastructure, and published IoCs to help defenders mitigate credential abuse, phishing and DDoS activity. #ngioweb #NSOCKS
Key points
- The ngioweb botnet supplies the majority of bots used by the NSOCKS proxy service, accounting for roughly 80% of its botnet.
- NSOCKS operates over 35,000 bots across about 180 countries, with a large concentration in the United States.
- Black Lotus Labs traced command-and-control (C2) nodes and discovered previously undocumented infrastructure supporting the botnet.
- The botnet primarily compromises older, insecure SOHO routers and IoT devices to recruit them as proxies and attack nodes.
- NSOCKS/ngioweb infrastructure has been used for credential stuffing, phishing, DDoS attacks, and other criminal activity.
- Lumen has actively blocked traffic linked to the ngioweb botnet and shared IoCs to aid defensive actions.
- Industry collaboration and partner sharing were key to tracking, attributing, and mitigating the threat.
MITRE Techniques
- [T1071] Command and Control – Maintains communications with compromised systems via multiple C2 domains and infrastructure (‘Utilizes multiple command and control domains to maintain communication with compromised systems.’)
- [T1190] Exploitation of Public-Facing Application – Gains initial access by exploiting vulnerabilities in internet-facing SOHO router and IoT device interfaces (‘Exploits vulnerabilities in public-facing applications to gain initial access.’)
- [T1003] Credential Dumping – Harvests account credentials from compromised systems to support credential stuffing and account takeover campaigns (‘Collects account credentials from compromised systems.’)
- [T1498] Distributed Denial of Service (DDoS) – Leverages the botnet of compromised devices to launch DDoS attacks against targets (‘Launches DDoS attacks using compromised systems.’)
Indicators of Compromise
- [IP Address] C2 and bot endpoints – 79.141.162[.]154, 66.29.128[.]243, and 1 more IP
- [IP Address] C2 and bot endpoints – 103.172.92[.]148 (listed multiple times in report)
- [Domain] Domains associated with C2/proxy infrastructure – remalaxation[.]name, dnslookips[.]com, and 2 more domains
- [File Name] Payload/archive name seen in analysis – test.zip
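The indicators above are published so that defenders can look for them in their own telemetry. The following is an added example (not code from the Lumen report or from Black Lotus Labs) that refangs the defanged IPs and domains listed in this summary and matches them against firewall and DNS log lines; the log lines are constructed for the example, and the entries the summary elides ("and 1 more IP", "and 2 more domains") are not included because the page does not give them.

```python
"""
Added example (not from the Lumen report): match the IoCs listed in the
summary above against sample log lines. The indicator values are the ones
the summary lists, kept defanged and refanged at runtime; the log lines
are constructed for this example and are not real telemetry.
"""
import re

# IoCs exactly as listed above (defanged with "[.]"). Elided entries are
# deliberately not filled in, since the summary does not give them.
DEFANGED_IPS = ["79.141.162[.]154", "66.29.128[.]243", "103.172.92[.]148"]
DEFANGED_DOMAINS = ["remalaxation[.]name", "dnslookips[.]com"]


def refang(ioc: str) -> str:
    """Turn a defanged indicator ("1.2.3[.]4", "hxxp://") back into matchable form."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


IP_SET = {refang(i) for i in DEFANGED_IPS}
DOMAIN_SET = {refang(d).lower() for d in DEFANGED_DOMAINS}

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# A hostname token: dot-separated labels ending in an alphabetic TLD.
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


def domain_matches(host: str) -> bool:
    """True if host equals a listed domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in DOMAIN_SET)


def scan_log(lines):
    """Return (line_number, indicator) pairs for every line that references a listed IoC."""
    hits = []
    for n, line in enumerate(lines, start=1):
        for ip in IP_RE.findall(line):
            if ip in IP_SET:
                hits.append((n, ip))
        for host in HOST_RE.findall(line):
            if domain_matches(host):
                hits.append((n, host.lower()))
    return hits


# Constructed sample log lines (not real telemetry): firewall and DNS events.
SAMPLE_LOG = [
    "2024-11-19T10:01:02Z fw allow src=192.168.1.20 dst=79.141.162.154 dport=443",
    "2024-11-19T10:01:05Z dns query name=www.example.com type=A",
    "2024-11-19T10:02:11Z dns query name=c2.remalaxation.name type=A",
    "2024-11-19T10:03:40Z fw allow src=192.168.1.31 dst=103.172.92.148 dport=80",
    "2024-11-19T10:04:00Z fw allow src=192.168.1.31 dst=8.8.8.8 dport=53",
]

if __name__ == "__main__":
    for n, ioc in scan_log(SAMPLE_LOG):
        print(f"line {n}: matched {ioc}")
```

Subdomain matching is done deliberately, since proxy and C2 infrastructure of this kind is often reached through hostnames under a listed apex domain; an exact-string match would miss those. Hits from an indicator list like this should be treated as a prompt to pull the device's traffic for review rather than as proof of compromise on their own.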
Read more: https://blog.lumen.com/one-sock-fits-all-the-use-and-abuse-of-the-nsocks-botnet/