
Raptor Train Botnet

Cybersecurity researchers have identified a new botnet consisting of compromised small office/home office (SOHO) and Internet of Things (IoT) devices. This botnet is believed to be controlled by a Chinese nation-state threat group known as Flax Typhoon, also referred to as Ethereal Panda or RedJuliett.

The researchers named the botnet 'Raptor Train'. It has been active since at least May 2020 and reached a peak of 60,000 compromised devices by June 2023.

To date, over 200,000 devices, including SOHO routers, NVR/DVR systems, network-attached storage (NAS) servers, and IP cameras, have been hijacked by Raptor Train, making it one of the largest state-sponsored IoT botnets linked to China.

Experts Estimate That Raptor Train Has Affected Over 200,000 Devices

The botnet's infrastructure is believed to have compromised hundreds of thousands of devices since its inception. It operates using a three-tiered architecture:

Tier 1: Compromised SOHO and IoT devices

Tier 2: Exploitation servers, payload servers and Command-and-Control (C2) servers

Tier 3: Centralized management nodes and a cross-platform Electron application interface known as Sparrow (also called Node Comprehensive Control Tool, or NCCT)

In this setup, bot tasks are initiated from the Tier 3 'Sparrow' management nodes, routed through Tier 2 C2 servers, and ultimately delivered to the bots in Tier 1, which form the majority of the botnet's network.

The targeted devices include routers, IP cameras, DVRs, and NAS systems from various manufacturers such as ActionTec, ASUS, DrayTek, Fujitsu, Hikvision, Mikrotik, Mobotix, Panasonic, QNAP, Ruckus Wireless, Shenzhen TVT, Synology, Tenda, TOTOLINK, TP-LINK and Zyxel.

Most of the Tier 1 nodes have been traced to locations in the U.S., Taiwan, Vietnam, Brazil, Hong Kong and Turkey. Each node has an average lifespan of 17.44 days, suggesting that the threat actor can easily reinfect the devices whenever needed.

Details About the Raptor Train Attack Chain

In many cases, the operators did not implement a persistence mechanism that survives a reboot. The persistence of the botnet, however, is supported by the extensive range of exploits available for various vulnerable SOHO and IoT devices and the large number of such devices online, giving Raptor Train a sort of 'inherent' persistence.

The nodes are infected with an in-memory implant known as Nosedive, a custom variant of the Mirai malware, delivered by Tier 2 payload servers set up specifically for this purpose. This ELF binary supports command execution, file uploads and downloads, and DDoS attacks.

Tier 2 nodes are rotated approximately every 75 days and are mainly located in the U.S., Singapore, the U.K., Japan and South Korea. The number of C2 nodes has grown from about 1-5 between 2020 and 2022 to at least 60 between June and August 2024.

These Tier 2 nodes are versatile, serving not only as exploitation and payload servers but also facilitating reconnaissance of targeted entities and incorporating new devices into the botnet.

Multiple Raptor Train Attack Campaigns Have Been Uncovered

Since mid-2020, at least four distinct campaigns have been associated with the evolving Raptor Train botnet, each characterized by different root domains and targeted devices:

  • Crossbill (May 2020 to April 2022) - Utilized the C2 root domain k3121.com and its associated subdomains.
  • Finch (July 2022 to June 2023) - Employed the C2 root domain b2047.com and related C2 subdomains.
  • Canary (May 2023 to August 2023) - Also used the C2 root domain b2047.com and its subdomains but relied on multi-stage droppers.
  • Oriole (June 2023 to September 2024) - Utilized the C2 root domain w8510.com and its associated subdomains.

The Canary campaign is particularly noteworthy for its focus on ActionTec PK5000 modems, Hikvision IP cameras, Shenzhen TVT NVRs and ASUS routers. It is distinguished by a multi-layered infection chain that first downloads a bash script, which then connects to a Tier 2 payload server to fetch Nosedive and a second-stage bash script.
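The four campaigns above are distinguished by C2 root domains and active windows, which is exactly what a defender can match against resolver logs. The following is an added example, not code from the original report: it flags any query to one of the listed root domains (or a subdomain of it) and attributes the hit to the campaign(s) whose window contains the query date. The log format and sample lines are constructed for the example.

```python
import re
from datetime import date

# Campaign root domains and active windows as reported in the article.
CAMPAIGNS = [
    ("Crossbill", "k3121.com", date(2020, 5, 1), date(2022, 4, 30)),
    ("Finch",     "b2047.com", date(2022, 7, 1), date(2023, 6, 30)),
    ("Canary",    "b2047.com", date(2023, 5, 1), date(2023, 8, 31)),
    ("Oriole",    "w8510.com", date(2023, 6, 1), date(2024, 9, 30)),
]

# Constructed sample resolver log (not real telemetry): date time client query
SAMPLE_LOG = """\
2023-07-14 10:02:11 192.168.1.20 query: cdn.b2047.com
2023-07-14 10:02:12 192.168.1.20 query: www.example.com
2024-03-02 08:15:40 192.168.1.33 query: api.w8510.com
2021-11-05 22:41:09 192.168.1.7 query: k3121.com
2023-07-14 10:03:00 192.168.1.20 query: notb2047.com
2025-01-10 09:00:00 192.168.1.50 query: b2047.com
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) \S+ (\S+) query: (\S+)$")

def matches_root(qname, root):
    """True if qname is the root domain itself or any subdomain of it.
    Requires a dot boundary so 'notb2047.com' does not match 'b2047.com'."""
    q = qname.lower().rstrip(".")
    return q == root or q.endswith("." + root)

def attribute(qname, day):
    """Campaign names whose root matches qname and whose window contains day.
    Finch and Canary share b2047.com, so mid-2023 queries can match both."""
    return [name for name, root, start, end in CAMPAIGNS
            if matches_root(qname, root) and start <= day <= end]

def scan(log_text):
    """Return (client, qname, campaigns) for every query to a known C2 root.
    A hit outside every window still surfaces, with an empty campaign list,
    because a query to a known C2 root is worth review regardless of date."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        day, client, qname = date.fromisoformat(m.group(1)), m.group(2), m.group(3)
        if any(matches_root(qname, root) for _, root, _, _ in CAMPAIGNS):
            hits.append((client, qname, attribute(qname, day)))
    return hits
```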

Authorities Take Action Against Raptor Train and Flax Typhoon

The U.S. Department of Justice (DoJ) has announced the takedown of the Raptor Train botnet following a court-authorized law enforcement operation. The DoJ has linked the Flax Typhoon threat actor to a publicly traded Beijing-based company called Integrity Technology Group.

This malware network connected thousands of infected devices to a botnet managed by Integrity Technology Group. It was used to carry out malicious cyber activity disguised as ordinary Internet traffic from the infected devices.

During the operation, law enforcement seized the attackers' infrastructure and issued disabling commands to the malware on infected devices. The threat actors attempted to hinder this effort by launching a DDoS attack against the servers used by the Federal Bureau of Investigation (FBI) to execute the court order, but these attempts were unsuccessful.

According to the DoJ, Integrity Technology Group operated an online application that allowed customers to log in and control compromised devices. This application, named 'KRLab' and marketed under Integrity Technology Group's leading public brand, included a tool called 'vulnerability-arsenal' for executing harmful cyber commands.

By June 2024, the botnet had grown to over 260,000 devices, with victims located in North America (135,300), Europe (65,600), Asia (50,400), Africa (9,200), Oceania (2,400) and South America (800).

Additionally, over 1.2 million records of compromised devices were found in a MySQL database hosted on a Tier 3 management server. This server, managed through the Sparrow application, was used to control the botnet and its C2 servers and included a module for exploiting computer networks using both known and zero-day vulnerabilities.
