A new cyber threat has caught the attention of experts, Lumen’s Black Lotus Labs found a new botnet called Raptor Train, made of IOT and small office/home office (SOHO) devices. Experts believe that Raptor Train has links to China-based APT group Flax Typhoon (aka RedJuliett or Ethereal Panda). The blog talks about the threat, its technique, and the solutions.
About Raptor Train Botnet
The Raptor Train Botnet aims to launch coordinated cyber-attacks, including data theft, espionage, and DDoS attacks. Experts believe the Botnet to be active from May 2020, reaching its highest with 60,000 compromised devices in June 2023.
After May 2020, more than 200,000 devices- NVR/DVR devices, NAS servers, IP cameras, and SOHO routers have been compromised and added to the Raptor Train, becoming the largest China-linked IoT botnets founded. A C2 domain from a recent campaign was listed in the Cisco and Cloud fare Radar Umbrella “top 1 million” lists, suggesting large-scale device exploitation. Experts believe more than 100000 devices have been compromised because of Raptor Train Botnet.
Flax Typhoon: The APT Behind Botnet
Flax Typhoon is infamous for its cyber-espionage attacks, it has a past of attacking different industries- telecommunications companies, government agencies, and defense contractors. Flax Typhoon is known for its stealth and dedication, use of sophisticated malware to gain access and steal crucial data.
Raptor Train Mechanism
“The botnet operators manage this large and varied network through a series of distributed payload and C2 servers, a centralized Node.js backend, and a cross-platform Electron application,” reads the Lumen report. The Raptor Train Botnet exploits bugs in IoT devices, when a bug is compromised, it joins the botnet and gets instructions from C2 servers. It is then used for various malicious activities:
- Espionage, tracking, and stealing data from organizations.
- DDoS attacks, crowd the target network with traffic to make it inaccessible.
- Data theft, getting sensitive data from the victim's devices.
Raptor Train Network Breakdown
The experts categorized the Raptor Train network into 3 tiers
Tier 1: It includes SOHO/IoT devices.
Tier 2: It includes exploitation servers, Payload servers, and C2 servers
Tier 3: The last level consists of management nodes and “Sparrow” nodes
“A major concern of the Raptor Train botnet is the DDoS capability that we have not yet observed actively deployed, but we suspect is being maintained for future use,” the report concludes.
