Researchers discovered a large, Chinese state-sponsored IoT botnet called Raptor Train, comprising over 60,000 compromised SOHO and IoT devices, which has been active since 2020 and has been used to conduct various cyberattacks.
The China-based Raptor Train botnet operators use a robust control system to manage a large network of infected devices, targeting various sectors in the U.S. and Taiwan for potential exploitation and future DDoS attacks.
The Raptor Train botnet consists of three tiers: Tier 1 bots, Tier 2 C2s, and Tier 3 management nodes. Nosedive implants, deployed from Tier 2 payload servers, control Tier 1 bots for various tasks, including DDoS attacks.
Nosedive is memory-resident malware that employs anti-forensic techniques to evade detection. It infects devices in multiple stages, compromising SOHO/IoT devices and using exploitation servers to deliver payloads. Tiered C2 and management nodes orchestrate the attack, making it difficult to detect and investigate.
The attackers are exploiting a variety of compromised devices, including modems, routers, cameras, and NAS devices, using both known and unknown vulnerabilities to create a network of compromised nodes.
The massive number of vulnerable devices exposed online lets the threat actors compromise new ones regularly without needing persistence mechanisms: although individual compromised devices have a short lifespan, the operators can still maintain a large pool of active nodes for their operations.
Tier 2 servers act as a centralized hub for C2, exploitation, and payload delivery to Tier 1 nodes by hosting various payload servers, including first-stage and second-stage servers, used for different attack scenarios.
The Tier 3 management nodes of the botnet, which include Sparrow and Condor, provide a comprehensive control interface for botnet operators, enabling them to remotely manage Tier 2 nodes, execute commands, generate and test exploits, and collect data on compromised devices.
The Raptor Train botnet evolved over 4 years across 4 campaigns (Crossbill, Finch, Canary, Oriole). Crossbill (May 2020-April 2022) used a Mirai-based implant (Nosedive) with a single C2 domain, later shifting to encoded subdomains.
The Finch campaign saw a significant increase in infected devices (10,000 to 60,000), and the Canary phase (May-Aug 2023) added complexity, introducing multi-stage droppers, in-memory persistence, and a rise in Tier 2 C2 servers.
The Oriole campaign exploits VNPT routers, AXIS cameras, and QNAP/Zyxel/Fujitsu/Synology NAS devices, where Raptor Train maintains 30,000 compromised devices in Tier 1.
Cisco and Cloudflare identified the w8510.com C2 domain used by the Raptor Train botnet, indicating the botnet’s evolving TTPs and continuous development.
Black Lotus Labs attributes the Raptor Train botnet to the Chinese threat actor Flax Typhoon based on operational patterns, targeting, and language use.
The botnet operators primarily target sectors aligned with Chinese interests, such as military, government, and IT in the U.S. and Taiwan, using Chinese working hours and exploiting vulnerabilities like CVE-2024-21887.