Researchers have unearthed a powerful new botnet, named “Raptor Train,” that has compromised over 200,000 Internet of Things (IoT) and small office/home office (SOHO) devices globally. The botnet, believed to be state-sponsored, is linked to a Chinese nation-state hacking group called Flax Typhoon, also known by aliases such as Ethereal Panda or RedJuliett.
The Raptor Train botnet has been in operation since at least May 2020, with activity peaking in June 2023 when 60,000 devices were actively under its control. According to an 81-page report by Black Lotus Labs, a division of Lumen Technologies, the botnet’s sheer scale and sophistication make it one of the largest Chinese state-sponsored IoT botnets ever uncovered.
Architecture of the Raptor Train Botnet
Raptor Train operates on a highly organized, three-tiered structure:
Tier 1: This layer consists of the compromised SOHO routers, network-attached storage (NAS) devices, digital video recorders (DVRs), and IP cameras. These devices have been identified as key contributors to the botnet.
Tier 2: This layer contains exploitation servers, payload servers, and command-and-control (C2) nodes. These nodes manage the infected devices and issue commands to them.
Tier 3: At the top of the hierarchy, centralized management nodes run a cross-platform Electron application known as “Sparrow” or Node Comprehensive Control Tool (NCCT), which orchestrates the entire operation.
The malware primarily targets devices from manufacturers such as ActionTec, ASUS, DrayTek, Hikvision, Fujitsu, Mikrotik, Panasonic, Synology, TP-LINK, and Zyxel, among others. It exploits vulnerabilities in these devices to gain access, transforming them into conduits for malicious activity.
Widespread Geographic Reach
The botnet’s reach is vast, with compromised Tier 1 nodes located in regions like the U.S., Taiwan, Brazil, Vietnam, Turkey, and Hong Kong. The average lifespan of each infected device is around 17 days, reflecting the ease with which the botnet operators can reinfect compromised devices due to the abundance of vulnerable IoT devices across the internet. The lack of a persistent mechanism in the malware further highlights the actors’ confidence in their ability to reinfect devices.
At its core, the malware uses an in-memory implant called “Nosedive,” a modified version of the notorious Mirai botnet. Nosedive is capable of executing commands, transferring files, and launching Distributed Denial of Service (DDoS) attacks. Despite the botnet’s potential for causing large-scale disruptions, no significant DDoS attacks have been attributed to Raptor Train thus far. However, it has targeted sensitive sectors, including the military, government, telecommunications, and defense industries in both the U.S. and Taiwan.
Evolution of Raptor Train Campaigns
The botnet’s operations have evolved over time, with researchers identifying four major campaigns since mid-2020. These campaigns differ based on the domains used for C2 communications and the types of devices targeted:
- Crossbill Campaign (May 2020 – April 2022): Utilized the root domain k3121.com.
- Finch Campaign (July 2022 – June 2023): Adopted the root domain b2047.com.
- Canary Campaign (May 2023 – August 2023): Used multi-stage droppers and the b2047.com domain to infect devices like ActionTec modems and Hikvision IP cameras.
- Oriole Campaign (June 2023 – September 2024): Targeted a broader array of devices and relied on the w8510.com domain for command-and-control operations.
The Canary and Oriole campaigns are particularly noteworthy for employing complex, multi-layered infection chains. For example, in the Canary campaign, a first-stage script connected to a payload server to download Nosedive and additional scripts. These scripts were designed to continuously update the malware, enhancing its ability to maintain a foothold in compromised devices.
Link to Flax Typhoon and Chinese Espionage
The U.S. Department of Justice (DoJ) recently announced the takedown of the Raptor Train botnet as part of a law enforcement operation aimed at dismantling the infrastructure behind this massive network of compromised devices. The botnet is alleged to be operated by a Chinese company called Integrity Technology Group, which, according to the DoJ, used the botnet to conduct malicious cyber activities disguised as normal internet traffic.
The link between the Raptor Train botnet and Flax Typhoon is based on several overlapping factors, including the use of Chinese language in the malware’s code and the overlap between the victimology patterns. Flax Typhoon has previously been implicated in targeting entities across Taiwan, Southeast Asia, North America, and Africa, suggesting a broader geopolitical motive behind its cyber operations.
FBI and DOJ Response
In a court-authorized operation, the FBI successfully took control of the botnet’s infrastructure, issuing commands to remove the malware from thousands of infected devices. During this process, the threat actors attempted to counter the FBI’s efforts by launching a DDoS attack on the servers being used to issue the takedown commands. Despite these efforts, the FBI was able to disable the botnet, prying it out of the control of its operators.
The botnet had grown to encompass over 260,000 devices by mid-2024, with the majority of victims located in North America, Europe, and Asia. The FBI director, Christopher Wray, issued a stark warning that China would likely continue targeting critical infrastructure in the U.S. and other regions, either directly or through proxy groups like Integrity Technology Group.
The dismantling of the Raptor Train botnet highlights the ongoing threat posed by state-sponsored cyber operations targeting IoT devices. As these devices continue to proliferate, the need for improved security measures and greater vigilance against similar botnet campaigns becomes ever more pressing.
Follow us on (Twitter) for real time updates and exclusive content.
Interesting Article : Chrome Unveils One-Time Permissions and Enhanced Safety Features for Improved Browsing