Ngioweb Botnet Fuels NSOCKS Residential Proxy Network Exploiting IoT Devices

By Viral Trending Content 6 Min Read

The malware known as Ngioweb has been used to fuel a notorious residential proxy service called NSOCKS, as well as by other services such as VN5Socks and Shopsocks5, new findings from Lumen Technologies reveal.

“At least 80% of NSOCKS bots in our telemetry originate from the Ngioweb botnet, mainly utilizing small office/home office (SOHO) routers and IoT devices,” the Black Lotus Labs team at Lumen Technologies said in a report shared with The Hacker News. “Two-thirds of these proxies are based in the U.S.”

“The network maintains a daily average of roughly 35,000 working bots, with 40% remaining active for a month or longer.”

Ngioweb, first documented by Check Point way back in August 2018 in connection with a Ramnit trojan campaign that distributed the malware, has been the subject of extensive analyses in recent weeks by LevelBlue and Trend Micro, the latter of which is tracking the financially motivated threat actor behind the operation as Water Barghest.

Capable of targeting devices running both Microsoft Windows and Linux, the malware gets its name from the command-and-control (C2) domain that was registered in 2018 under the name “ngioweb[.]su.”

According to Trend Micro, the botnet comprises over 20,000 IoT devices as of October 2024. Water Barghest uses automated scripts to find and infiltrate vulnerable IoT devices, deploys the Ngioweb malware on them, and registers them as proxies. The infected bots are then listed for sale on a residential proxy marketplace.

“The monetization process, from initial infection to the availability of the device as a proxy on a residential proxy marketplace, can take as little as 10 minutes, indicating a highly efficient and automated operation,” researchers Feike Hacquebord and Fernando Mercês said.

Attack chains using the malware leverage an arsenal of vulnerabilities and zero-days to breach routers and household IoT devices such as cameras, vacuum cleaners, and access controls, among others. The botnet employs a two-tiered architecture: the first tier is a loader network comprising 15-20 nodes, which directs the bot to a loader-C2 node for retrieval and execution of the Ngioweb malware.

A breakdown of the residential proxy provider’s proxies by device type shows that the botnet operators have targeted a broad spectrum of vendors, including NETGEAR, Uniview, Reolink, Zyxel, Comtrend, SmartRG, Linear Emerge, Hikvision, and NUUO.

The latest disclosures from LevelBlue and Lumen reveal that the systems infected with the Ngioweb trojan are being sold as residential proxy servers for NSOCKS, which has been previously put to use by threat actors in credential-stuffing attacks aimed at Okta.

“NSOCKS sells access to SOCKS5 proxies all over the world, allowing buyers to choose them by location (state, city, or ZIP code), ISP, speed, type of infected device, and newness,” LevelBlue said. “The prices vary between $0.20 to $1.50 for 24-hour access and depends on the device type and time since infection.”

The victim devices have also been found to establish long-term connections with a second stage of C2 domains that are created by a domain generation algorithm (DGA). These domains, amounting to about 15 in number at any given point in time, act as the “gatekeeper,” determining if the bots are worth adding to the proxy network.

Should the devices pass the eligibility criteria, the DGA C2 nodes connect them to a backconnect C2 node that, in turn, makes them available for use through the NSOCKS proxy service.

“NSOCKS users route their traffic through over 180 ‘backconnect’ C2 nodes that serve as entry/exit points used to obscure, or proxy, their true identity,” Lumen Technologies said. “The actors behind this service have not only provided a means for their customers to proxy malicious traffic, but the infrastructure has also been engineered to enable various threat actors to create their own services.”

To make matters worse, open proxies powered by NSOCKS have also emerged as an avenue for various actors to launch powerful distributed denial-of-service (DDoS) attacks at scale.

The commercial market for residential proxy services and the underground market of proxies are expected to grow in the coming years, driven in part by demand from advanced persistent threat (APT) groups and cybercriminal groups alike.

“These networks are often leveraged by criminals who find exploits or steal credentials, providing them with a seamless method to deploy malicious tools without revealing their location or identities,” Lumen said.

“What is particularly alarming is the way a service like NSOCKS can be used. With NSOCKS, users have the option to choose from 180 different countries for their endpoint. This capability not only allows malicious actors to spread their activities across the globe but also enables them to target specific entities by domain, such as .gov or .edu, which could lead to more focused and potentially more damaging attacks.”
