Cybersecurity researchers have discovered an unprecedented botnet made up of small office/home office (SOHO) and IoT devices that are likely operated by a Chinese nation-state threat actor known as Flax Typhoon (also known as Ethereal Panda or RedJuliett).
The sophisticated botnet, named Raptor Train by Lumen’s Black Lotus Labs, has been active since at least May 2020, reaching a peak of 60,000 compromised devices in June 2023.
“Since then, over 200,000 SOHO routers, NVR/DVR devices, network attached storage (NAS) servers, and IP cameras have been enlisted into the Raptor Train botnet, making it one of the largest Chinese state-sponsored IoT botnets identified so far,” according to a report from the cybersecurity company shared with The Hacker News.
The botnet’s infrastructure is believed to have captured hundreds of thousands of devices since its inception, with a network powered by a three-tiered architecture consisting of:
- Tier 1: Compromised SOHO/IoT devices
- Tier 2: Exploitation servers, payload servers, and command-and-control (C2) servers
- Tier 3: Centralized management nodes and a cross-platform Electron application front-end called Sparrow (also known as Node Comprehensive Control Tool, or NCCT)
The process involves initiating bot tasks from Tier 3 “Sparrow” management nodes, routing them through Tier 2 C2 servers, and then distributing them to the bots themselves in Tier 1, which make up a significant portion of the botnet.
The targeted devices include routers, IP cameras, DVRs, and NAS devices from manufacturers such as ActionTec, ASUS, DrayTek, Fujitsu, Hikvision, Mikrotik, Mobotix, Panasonic, QNAP, Ruckus Wireless, Shenzhen TVT, Synology, Tenda, TOTOLINK, TP-LINK, and Zyxel.
The majority of Tier 1 nodes are located in the U.S., Taiwan, Vietnam, Brazil, Hong Kong, and Turkey, with an average lifespan of 17.44 days, indicating the threat actor’s ability to reinfect devices at will.
According to Lumen, the bots are infected by an in-memory implant known as Nosedive, a custom variant of the Mirai botnet, delivered through Tier 2 payload servers specifically set up for this purpose. The ELF binary can execute commands, upload and download files, and conduct DDoS attacks.
Tier 2 nodes are rotated approximately every 75 days and are predominantly based in the U.S., Singapore, the U.K., Japan, and South Korea. The number of C2 nodes has increased from 1-5 between 2020 and 2022 to at least 60 between June 2024 and August 2024.
These nodes serve as exploitation servers that recruit new devices into the botnet, as payload servers, and as support for reconnaissance of targeted entities.
Multiple campaigns have been associated with the evolving Raptor Train botnet since mid-2020, distinguished by the root domains used and the devices targeted:
- Crossbill (May 2020 – April 2022) – using the C2 root domain k3121.com and associated subdomains
- Finch (July 2022 – June 2023) – using the C2 root domain b2047.com and associated C2 subdomains
- Canary (May 2023 – August 2023) – using the C2 root domain b2047.com and associated C2 subdomains, and employing multi-stage droppers
- Oriole (June 2023 – September 2024) – using the C2 root domain w8510.com and associated C2 subdomains
The Canary campaign is noteworthy for its multi-layered infection chain targeting ActionTec PK5000 modems, Hikvision IP cameras, Shenzhen TVT NVRs, and ASUS routers. The chain downloads a first-stage bash script, which connects to a Tier 2 payload server to retrieve Nosedive and a second-stage bash script.
The second-stage bash script then attempts to download and execute a third-stage bash script from the payload server every 60 minutes.
“By June 3, 2024, the w8510.com C2 domain for [the Oriole] campaign had gained popularity among compromised IoT devices, ranking in Cisco Umbrella domain rankings,” Lumen stated.
“By August 7, 2024, it was also included in Cloudflare Radar’s top 1 million domains. This is concerning as popular domains can evade security tools through domain whitelisting, allowing them to grow, maintain access, and evade detection.”
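As an added defender-side example (not code from Lumen’s report or this article), the following Python matches log entries against the campaign C2 root domains named above, including any subdomain, and separately flags sources that reach such a domain at the roughly hourly cadence of the third-stage script. It keys on the domain itself rather than on popularity rankings, so a domain that has climbed into a top-1-million list is still flagged. The log lines and IP addresses are constructed.

```python
from collections import defaultdict
from datetime import datetime

# C2 root domains named in the Lumen report (as cited in the article); subdomains count too.
RAPTOR_TRAIN_C2_ROOTS = {"k3121.com", "b2047.com", "w8510.com"}

# Constructed sample proxy/DNS log lines (not real telemetry): "timestamp src_ip host"
SAMPLE_LOGS = """\
2024-06-03T10:00:12Z 10.0.0.21 abc.w8510.com
2024-06-03T10:14:55Z 10.0.0.21 cdn.example.org
2024-06-03T11:00:09Z 10.0.0.21 abc.w8510.com
2024-06-03T12:00:17Z 10.0.0.21 abc.w8510.com
2024-06-03T12:30:00Z 10.0.0.42 www.example.net
2024-06-03T13:00:05Z 10.0.0.21 abc.w8510.com
2024-06-03T09:00:00Z 10.0.0.42 k3121.com
"""

def matches_c2_root(host: str) -> bool:
    """True if host is one of the report's C2 root domains or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == root or host.endswith("." + root) for root in RAPTOR_TRAIN_C2_ROOTS)

def parse_logs(text):
    """Parse 'timestamp src host' lines into (datetime, src, host) tuples."""
    out = []
    for line in text.splitlines():
        ts, src, host = line.split()
        out.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, host))
    return out

def any_c2_contact(text):
    """All (src, host) pairs that touched a C2 root at least once, regardless of cadence."""
    return sorted({(src, host) for _, src, host in parse_logs(text) if matches_c2_root(host)})

def find_c2_beacons(text, period_min=60, tolerance_min=2, min_hits=3):
    """Return {src: [hosts]} for sources contacting a C2 root at a ~period_min cadence."""
    by_src_host = defaultdict(list)
    for ts, src, host in parse_logs(text):
        if matches_c2_root(host):
            by_src_host[(src, host)].append(ts)
    beacons = {}
    for (src, host), times in by_src_host.items():
        times.sort()
        gaps = [(b - a).total_seconds() / 60 for a, b in zip(times, times[1:])]
        periodic = [g for g in gaps if abs(g - period_min) <= tolerance_min]
        if len(times) >= min_hits and len(periodic) >= min_hits - 1:
            beacons.setdefault(src, []).append(host)
    return beacons
```

A single contact with a C2 root is already worth an alert; the cadence check only adds confidence that a device is running the periodic stage rather than having been scanned once.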
While no DDoS attacks from the botnet have been observed so far, it has been weaponized to target U.S. and Taiwanese entities in military, government, higher education, telecommunications, defense industrial base (DIB), and information technology (IT) sectors.
In addition, Raptor Train bots have likely attempted exploitation against Atlassian Confluence servers and Ivanti Connect Secure (ICS) appliances in the same sectors, suggesting extensive scanning efforts.
Connections to Flax Typhoon – a hacking group known for targeting entities in Taiwan, Southeast Asia, North America, and Africa – are based on victimology overlap, Chinese language use, and other tactical similarities.
“This is an advanced control system used to manage over 60 C2 servers and their infected nodes at any given time,” Lumen explained.
“This service enables a range of activities, including scalable exploitation of bots, vulnerability management, remote control of C2 infrastructure, file operations, remote command execution, and the ability to launch IoT-based distributed denial of service (DDoS) attacks at scale.”