Search This Blog

Powered by Blogger.

Blog Archive

Labels

China Linked APT: Raptor Train Botnet Attacks IoT Devices

Experts discovered a new botnet called Raptor Train that uses bugs in IOT devices for large scale cyberattacks like espionage, data theft and DDoS.

China Linked APT: Raptor Train Botnet Attacks IoT Devices China Linked APT: Raptor Train Botnet Attacks IoT Devices

A new cyber threat has caught the attention of experts, Lumen’s Black Lotus Labs found a new botnet called Raptor Train, made of IOT and small office/home office (SOHO) devices. Experts believe that Raptor Train has links to China-based APT group Flax Typhoon (aka RedJuliett or Ethereal Panda). The blog talks about the threat, its technique, and the solutions.

About Raptor Train Botnet

The Raptor Train Botnet aims to launch coordinated cyber-attacks, including data theft, espionage, and DDoS attacks. Experts believe the Botnet to be active from May 2020, reaching its highest with 60,000 compromised devices in June 2023. 

After May 2020, more than 200,000 devices- NVR/DVR devices, NAS servers, IP cameras, and SOHO routers have been compromised and added to the Raptor Train, becoming the largest China-linked IoT botnets founded. A C2 domain from a recent campaign was listed in the Cisco and Cloud fare Radar Umbrella “top 1 million” lists, suggesting large-scale device exploitation. Experts believe more than 100000 devices have been compromised because of Raptor Train Botnet.

Flax Typhoon: The APT Behind Botnet

Flax Typhoon is infamous for its cyber-espionage attacks, it has a past of attacking different industries- telecommunications companies, government agencies, and defense contractors. Flax Typhoon is known for its stealth and dedication, use of sophisticated malware to gain access and steal crucial data. 

Raptor Train Mechanism

“The botnet operators manage this large and varied network through a series of distributed payload and C2 servers, a centralized Node.js backend, and a cross-platform Electron application,” reads the Lumen report. The Raptor Train Botnet exploits bugs in IoT devices, when a bug is compromised, it joins the botnet and gets instructions from C2 servers. It is then used for various malicious activities:

  • Espionage, tracking, and stealing data from organizations. 
  • DDoS attacks, crowd the target network with traffic to make it inaccessible. 
  • Data theft, getting sensitive data from the victim's devices.

Raptor Train Network Breakdown

The experts categorized the Raptor Train network into 3 tiers

Tier 1: It includes SOHO/IoT devices.

Tier 2: It includes exploitation servers, Payload servers, and C2 servers 

Tier 3: The last level consists of management nodes and “Sparrow” nodes

“A major concern of the Raptor Train botnet is the DDoS capability that we have not yet observed actively deployed, but we suspect is being maintained for future use,” the report concludes.

Share it:

APT attacks

Cyber Attacks

Flax Typhoon

IoT

Raptor Train