Proxy botnets established by both state and non-state actors, such as VPNFilter, Cyclops Blink, and the SOHO and Ubiquiti EdgeRouter botnets, provide anonymity for malicious activities; they have been used to scrape websites, access compromised assets, and launch cyberattacks.
Water Barghest, a threat actor operating a botnet of compromised Ubiquiti EdgeRouters, was discovered through research into Pawn Storm: the EdgeRouter botnet was initially used for espionage but was later exploited by cybercriminals to deploy Ngioweb malware, expanding its malicious capabilities and highlighting the infrastructure shared between different threat actors.
Water Barghest remained undetected for five years and leveraged a Cisco IOS XE zero-day vulnerability to compromise tens of thousands of routers, revealing a sophisticated, automated, and financially motivated cybercriminal operation.
Water Barghest automated its botnet operations, from identifying vulnerable devices to monetizing them through a residential proxy marketplace, leveraging automation to streamline its attack lifecycle and maximize its impact.
The group automates the entire process, from acquiring IoT vulnerabilities to selling compromised devices: it leverages n-day and zero-day exploits, scans public databases for vulnerable devices, exploits them from data center IPs, and deploys Ngioweb malware to control the compromised devices.
It deploys malware on vulnerable IoT devices to create a botnet, registers them with a C&C server, and leverages them as residential proxies, generating revenue through a marketplace.
The Ngioweb malware, a Ramnit Trojan variant, emerged in 2018 targeting Windows systems; it turns infected machines into proxy servers that communicate with a C&C server on a .su domain registered in 2018.
In 2019, a new Linux variant of Ngioweb exploited vulnerabilities in WordPress installations to build a large botnet composed primarily of web servers, which used a two-stage C&C server infrastructure to communicate with and receive commands from the threat actor.
In 2020, the Water Barghest threat actor turned to IoT devices, exploiting nine n-day vulnerabilities in various devices, including NAS devices from QNAP and Netgear as well as D-Link devices, which led to the creation of a live Ngioweb botnet.
Water Barghest’s IoT botnet, using Ngioweb, evades detection, disables system safeguards, and exfiltrates device information to a C&C server, compromising the device’s security.
The .data section holds the encrypted configuration, with the AES key at offset 0x0c. Decrypting the 512-byte blob reveals the ‘sv’ value, the DGA seed and count, the C&C URL path, and other settings.
The Python script ngioweb_config_extractor.py decrypts the Ngioweb malware configuration, revealing the DGA parameters, the C&C server URL path, and communication details, including base64-encoded data sent to the C&C server.
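As an added example (not the ngioweb_config_extractor.py script mentioned above, and not Trend Micro's code), the following Go program shows the shape of such a config extractor for an analyst: it takes a .data section image, reads the AES key at offset 0x0c, decrypts the 512-byte blob, and parses the fields. The write-up does not give the AES mode, IV, blob offset, or plaintext layout, so the example assumes AES-128-CBC with a zero IV, a blob at offset 0x20, and a NUL-separated key=value layout; the sample section it builds is constructed for the demonstration and contains no real indicators.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"errors"
	"fmt"
	"strings"
)

// Layout constants. The key offset (0x0c) and blob size (512) come from the
// write-up; the key size, blob offset, cipher mode and plaintext layout are
// assumptions made for this example, not the malware's documented layout.
const (
	keyOffset  = 0x0c
	keySize    = 16   // assumption: AES-128
	blobOffset = 0x20 // assumption
	blobSize   = 512  // from the write-up
)

// Config holds the fields the write-up says the decrypted blob carries.
type Config struct {
	SV       string
	DGASeed  string
	DGACount string
	C2Path   string
	Extra    map[string]string // any other key=value settings
}

// decryptBlob runs AES-CBC with a zero IV (assumption) and trims the NUL
// padding used by this constructed layout.
func decryptBlob(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(blob)%aes.BlockSize != 0 {
		return nil, errors.New("blob is not block aligned")
	}
	iv := make([]byte, aes.BlockSize)
	out := make([]byte, len(blob))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(out, blob)
	return bytes.TrimRight(out, "\x00"), nil
}

// ExtractConfig locates the key inside a .data image, decrypts the 512-byte
// blob and parses NUL-separated key=value pairs. A wrong key or mode yields
// garbage that fails to parse, so the caller gets an error instead of a
// plausible-looking but bogus config.
func ExtractConfig(data []byte) (*Config, error) {
	if len(data) < blobOffset+blobSize {
		return nil, fmt.Errorf("section too short: %d bytes", len(data))
	}
	key := data[keyOffset : keyOffset+keySize]
	plain, err := decryptBlob(key, data[blobOffset:blobOffset+blobSize])
	if err != nil {
		return nil, err
	}
	cfg := &Config{Extra: map[string]string{}}
	for _, field := range bytes.Split(plain, []byte{0}) {
		if len(field) == 0 {
			continue
		}
		k, v, ok := strings.Cut(string(field), "=")
		if !ok {
			return nil, fmt.Errorf("malformed field %q (wrong key or mode?)", field)
		}
		switch k {
		case "sv":
			cfg.SV = v
		case "dga_seed":
			cfg.DGASeed = v
		case "dga_count":
			cfg.DGACount = v
		case "c2_path":
			cfg.C2Path = v
		default:
			cfg.Extra[k] = v
		}
	}
	if cfg.C2Path == "" {
		return nil, errors.New("no c2_path in decrypted blob (wrong key or mode?)")
	}
	return cfg, nil
}

// BuildSampleSection constructs a fake .data image: filler, the 16-byte key at
// 0x0c, filler up to the blob offset, then the encrypted 512-byte blob. Every
// value here is constructed for the example, not taken from a real sample.
func BuildSampleSection() []byte {
	key := []byte("0123456789abcdef")
	plain := []byte("sv=EXAMPLE\x00dga_seed=1234\x00dga_count=5\x00c2_path=/constructed/path\x00")
	padded := make([]byte, blobSize)
	copy(padded, plain)
	block, _ := aes.NewCipher(key)
	enc := make([]byte, blobSize)
	cipher.NewCBCEncrypter(block, make([]byte, aes.BlockSize)).CryptBlocks(enc, padded)
	section := make([]byte, blobOffset+blobSize)
	copy(section[keyOffset:], key)
	copy(section[blobOffset:], enc)
	return section
}

func main() {
	cfg, err := ExtractConfig(BuildSampleSection())
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("sv=%s dga_seed=%s dga_count=%s c2_path=%s\n", cfg.SV, cfg.DGASeed, cfg.DGACount, cfg.C2Path)
}
```

For a real sample the section bytes would come from the ELF's .data section, and the offsets, mode and field layout would have to be confirmed in the disassembly before trusting any extracted value.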
According to Trend Micro, Water Barghest malware targets IoT devices from multiple brands, exploits vulnerabilities to establish C&C communication, modifies firewall rules to maintain persistent connections, downloads large files to assess bandwidth, and potentially prepares devices for sale as residential proxies on a marketplace.