Overview of the Ngioweb Botnet and NSOCKS Network
The Ngioweb botnet has emerged as a significant player in the cybercriminal landscape, serving as the backbone for the NSOCKS residential proxy service. New insights from Lumen Technologies reveal that Ngioweb targets small office/home office (SOHO) routers and Internet of Things (IoT) devices, with a major share of its operations based in the United States.
“Approximately 80% of NSOCKS bots originate from the Ngioweb botnet,” noted Lumen Technologies’ Black Lotus Labs team in a report shared with The Hacker News. The botnet operates with an average of 35,000 active bots daily, 40% of which remain functional for over a month.
Origins and Capabilities of Ngioweb
Initially identified in August 2018 during a Ramnit trojan campaign, Ngioweb is a sophisticated malware capable of targeting devices running Microsoft Windows and Linux. Its name is derived from its command-and-control (C2) domain, “ngioweb[.]su,” registered in 2018.
Trend Micro, tracking the financially motivated actor behind the malware as Water Barghest, reports that Ngioweb currently consists of over 20,000 infected IoT devices. These devices are compromised using automated scripts that exploit vulnerabilities, subsequently turning them into residential proxies. The monetization process, from infection to integration into the proxy network, is alarmingly swift, taking as little as 10 minutes.
How the Botnet Operates
The Ngioweb botnet employs a two-tiered architecture to infect and control devices:
- Loader Network: Consisting of 15-20 nodes, this layer directs the infected device to a loader-C2 node for downloading and executing the Ngioweb malware.
- Proxy Integration: Once infected, the devices establish connections with a secondary set of C2 domains. These domains, created by a domain generation algorithm (DGA), evaluate the infected devices for suitability as proxies.
If deemed eligible, the devices are connected to backconnect C2 nodes, making them available for use via the NSOCKS platform.
Devices Targeted by the Botnet
The Ngioweb botnet casts a wide net, targeting various device vendors, including:
- NETGEAR
- Uniview
- Reolink
- Zyxel
- Comtrend
- Hikvision
These devices span household IoT products like cameras, routers, and access control systems, making them ideal targets for residential proxy services.
NSOCKS Proxy Network and Its Impact
The NSOCKS service offers SOCKS5 proxies worldwide, enabling customers to choose proxies based on location, ISP, device type, and freshness. Prices range between $0.20 and $1.50 for 24-hour access. This service provides a veil of anonymity, allowing users to obfuscate their identity while routing malicious traffic through infected devices.
According to Lumen Technologies, NSOCKS users route traffic through over 180 backconnect C2 nodes. These nodes act as entry and exit points, enabling seamless proxying of malicious activities. Moreover, the infrastructure allows other threat actors to build similar services, further expanding its criminal ecosystem.
Broader Threat Implications
Beyond enabling anonymous internet activity, NSOCKS-powered proxies have been leveraged in a variety of cyberattacks:
- Credential Stuffing: Threat actors have used these proxies to target platforms like Okta, compromising user accounts en masse.
- Distributed Denial-of-Service (DDoS) Attacks: The network has become a tool for executing high-scale DDoS attacks, amplifying their impact.
The Expanding Market for Residential Proxy Services
The demand for residential proxy services is anticipated to grow, fueled by cybercriminals and advanced persistent threat (APT) groups. These networks provide an efficient method for criminals to deploy malicious tools while masking their true location.
One of the alarming features of NSOCKS is its ability to choose endpoints across 180 countries, including domains such as .gov and .edu. This precision targeting raises concerns about more focused and devastating attacks on governmental and educational institutions.
Mitigation and Future Outlook
The revelations surrounding Ngioweb and NSOCKS highlight the urgent need for enhanced IoT security. Users should ensure their devices are regularly updated, and organizations must invest in robust cybersecurity measures to prevent exploitation.
As the market for residential proxies continues to expand, addressing vulnerabilities in IoT devices and routers is essential to curbing the activities of botnets like Ngioweb. Failure to act could lead to even more sophisticated and damaging attacks in the future.
