Ngioweb Botnet

The Ngioweb Botnet is a proxy botnet with two variants detected in the wild, one affecting Windows and one targeting Linux-based systems. The Linux version borrows a considerable amount of code from the Windows one but adds several functions, the main addition being a DGA (Domain Generation Algorithm). The goal of the Ngioweb Botnet is to compromise the targeted computers and implant a back-connect proxy on them. The botnet groups multiple bots into individual proxy pools, which are then controlled through a two-tier Command-and-Control (C&C, C2) process.

The Ngioweb Botnet is equipped with several anti-analysis techniques that hamper reverse engineering of the threat. They include building against the less common 'musl libc' instead of glibc (so the library signatures disassemblers ship for glibc do not recognise its functions), storing function pointers in a table ahead of time instead of calling them directly, precomputed constant tables for CRC and AES, stack string obfuscation, the two-stage C2 process mentioned above, and double encryption of the second-stage C2 communication.

After being deployed on the compromised system, the Ngioweb bot first tries to reach the stage-1 level of the C2 infrastructure. To do this, it attempts a connection every 73 seconds to a domain name generated by the DGA, cycling through at most 300 generated domains. Once the appropriate command is received from the stage-1 C2, the bot moves on to establishing communication with the upper tier of the attacker's servers and sets up the back-connect proxy. Stage-2 communication is encrypted twice, with XOR and AES. A total of 24 IP addresses were identified as stage-2 C2 servers.
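The beaconing pattern described above (a lookup roughly every 73 seconds to a stream of freshly generated, mostly unresolvable names) is visible in DNS logs even without knowing the DGA itself. The following detector is an added example, not code from the original page or from any published Ngioweb analysis; it does not reproduce Ngioweb's DGA, which the page does not give. The log format, the thresholds and the sample log lines are assumptions constructed for the example.

```python
"""Periodic-lookup detector for DGA beaconing of the kind described above.

Added example, not from the original page or from any Ngioweb analysis.
Assumed log format: "<ISO-8601 ts> <client ip> <qname> <rcode>".
Thresholds and sample data are assumptions made for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import median

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def build_sample_log():
    """Construct a small DNS log (constructed data, not a real capture).

    192.0.2.10 behaves like the bot: a never-seen name every 73 s (+/-1 s of
    jitter), all answered NXDOMAIN.  192.0.2.20 is an ordinary host.
    """
    lines = []
    t0 = datetime(2019, 6, 1, 10, 0, 0, tzinfo=timezone.utc)
    for i in range(12):
        ts = t0 + timedelta(seconds=73 * i + (i % 3) - 1)
        lines.append(f"{ts.strftime(TS_FMT)} 192.0.2.10 dga{i:02d}.net NXDOMAIN")
    normal = [
        (5, "www.example.com", "NOERROR"),
        (9, "cdn.example.net", "NOERROR"),
        (150, "www.example.com", "NOERROR"),
        (151, "mail.example.org", "NOERROR"),
        (900, "www.example.com", "NOERROR"),
        (2400, "typo.exmaple.com", "NXDOMAIN"),
    ]
    for offset, qname, rcode in normal:
        ts = t0 + timedelta(seconds=offset)
        lines.append(f"{ts.strftime(TS_FMT)} 192.0.2.20 {qname} {rcode}")
    return lines


def parse_line(line):
    """Parse one log line into (timestamp, client, qname, rcode)."""
    ts, client, qname, rcode = line.split()
    when = datetime.strptime(ts, TS_FMT).replace(tzinfo=timezone.utc)
    return when, client, qname.lower(), rcode.upper()


def analyse(lines, period=73.0, tolerance=5.0, min_queries=5,
            min_periodic=0.8, min_nxdomain=0.8, min_distinct=0.9):
    """Per-client lookup statistics plus a verdict.

    A client is flagged when most of its inter-query gaps sit within
    `tolerance` seconds of `period`, most answers are NXDOMAIN and most names
    are queried only once: the three traits of a DGA beacon that has not yet
    found a live stage-1 domain.  All thresholds are assumptions.
    """
    per_client = defaultdict(list)
    for line in lines:
        if line.strip():
            when, client, qname, rcode = parse_line(line)
            per_client[client].append((when, qname, rcode))

    report = {}
    for client, events in per_client.items():
        events.sort()
        if len(events) < min_queries:
            continue  # too little data to judge periodicity
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        periodic = sum(abs(g - period) <= tolerance for g in gaps) / len(gaps)
        nxdomain = sum(e[2] == "NXDOMAIN" for e in events) / len(events)
        distinct = len({e[1] for e in events}) / len(events)
        report[client] = {
            "queries": len(events),
            "median_gap": median(gaps),
            "periodic_ratio": periodic,
            "nxdomain_ratio": nxdomain,
            "distinct_ratio": distinct,
            "suspicious": (periodic >= min_periodic and nxdomain >= min_nxdomain
                           and distinct >= min_distinct),
        }
    return report


def suspicious_clients(lines, **kwargs):
    """Sorted list of clients whose lookup pattern matches the beacon profile."""
    return sorted(c for c, r in analyse(lines, **kwargs).items() if r["suspicious"])


if __name__ == "__main__":
    for client, stats in analyse(build_sample_log()).items():
        print(client, stats)
```

The three ratios are deliberately evaluated together: a busy web server produces plenty of NXDOMAIN answers and many distinct names on its own, and a monitoring agent produces strictly periodic lookups on its own, but only a DGA beacon that is still hunting for a live stage-1 domain shows all three at once. Once the bot finds a live domain the NXDOMAIN ratio drops, so this heuristic is for the pre-registration window, not a substitute for blocking the known stage-2 addresses.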

The Linux variant of the Ngioweb Botnet has infected a total of 2692 IP addresses. The victims are spread worldwide, but nearly half (1306) are in the US; Brazil and Russia follow with 156 and 152 confirmed bot IPs respectively. Nearly all of the compromised IPs belonged to web servers running WordPress.
