21 November 2024

Ngioweb botnet and NSOCKS proxy service disrupted following over a year’s investigation

Security firms are dismantling the Ngioweb botnet, a major supplier to the NSOCKS proxy service, responsible for over 35,000 proxies used by cybercriminals and nation-state actors. This effort follows over a year of investigation into the botnet's architecture and operations.

First identified in 2017, Ngioweb has been providing residential proxies to both financially motivated groups and advanced persistent threats (APTs) since late 2022. Key actors using the service include Muddled Libra, tied to the Scattered Spider cybercrime gang, and Pawn Storm (APT28), a Russian GRU-linked group. A Chinese-affiliated group, Water Barghest, was also found exploiting the botnet.

According to Lumen’s Black Lotus Labs, Ngioweb powers at least 80% of the proxies on NSOCKS[.]net, spanning 180 countries. The botnet leverages a ‘loader’ network to redirect infected devices to command-and-control (C2) servers, from which the devices fetch and execute the Ngioweb malware.

The initial infection stage relies on approximately 15 exploits for known (n-day) vulnerabilities; the initial access mechanism itself remains unclear.

Compromised devices use a domain generation algorithm (DGA) to reach the management C2 domains. These servers assess each device’s capabilities before connecting it to NSOCKS’ backconnect infrastructure.

Ngioweb targets outdated or vulnerable web application libraries in devices from vendors like Zyxel, Reolink, and Alpha Technologies.

The researchers noted that Ngioweb’s operators failed to secure their botnet effectively. Black Lotus Labs found that the NSOCKS[.]net service lacks authentication mechanisms, allowing non-paying actors to exploit its proxies.
