Raptor Train Botnet: Over 200,000 SOHO Devices Compromised
As per recent media reports, cybersecurity researchers have discovered an unprecedented botnet that is likely operated by a Chinese nation-state threat actor. The Raptor Train botnet is made up of compromised small office/home office (SOHO) and Internet-of-Things (IoT) devices. In this article, we'll dive into the details of the botnet and the infrastructure behind it. Let's begin!
Raptor Train Botnet Uncovered
The Raptor Train botnet is believed to have been active since May 2020. Over the past four years it grew steadily, reaching a peak of roughly 60,000 actively compromised devices in June 2023. Researchers at Lumen's Black Lotus Labs, who uncovered the botnet, have stated that:
“Since that time, there have been more than 200,000 SOHO routers, NVR/DVR devices, network attached storage (NAS) servers, and IP cameras; all conscripted into the Raptor Train botnet, making it one of the largest Chinese state-sponsored IoT botnets discovered to-date.”
The Raptor Train Infrastructure
The infrastructure behind the botnet is reported to span thousands of devices, organized in a three-tier architecture:
| Tier | Role |
|---|---|
| Tier 1 | Compromised SOHO/IoT devices (the bots). |
| Tier 2 | Exploitation, payload, and command-and-control (C2) servers. |
| Tier 3 | Centralized management nodes and the front end of a cross-platform Electron application. |
Bot tasks originate on the Tier 3 management nodes, are routed to the Tier 2 C2 servers, and are then delivered to the actual bots in Tier 1.
Tier 1 nodes are geolocated mainly to the U.S., Taiwan, Vietnam, Brazil, Hong Kong, and Turkey. They have an average lifespan of only 17.44 days, which indicates that the operators do not need long-lived infections and can reinfect devices at will.
Tier 2 nodes are rotated roughly every 75 days and are primarily based in the U.S., Singapore, the U.K., Japan, and South Korea. Their number has grown over time, with about 60 C2 nodes observed between June and August 2024.
Notably, the implants generally carry no on-device persistence mechanism: a reboot removes them. The researchers explain why this does not weaken the botnet:
“In most cases, the operators did not build in a persistence mechanism that survives through a reboot. The confidence in re-exploitability comes from the combination of a vast array of exploits available for a wide range of vulnerable SOHO and IoT devices and an enormous number of vulnerable devices on the Internet, giving Raptor Train somewhat of an ‘inherent’ persistence.”
So far, four campaigns have been linked to the Raptor Train botnet since mid-2020. Targeted devices include routers, IP cameras, DVRs, and NAS units from manufacturers including:
- ActionTec.
- ASUS.
- DrayTek.
- Fujitsu.
- Hikvision.
- Mikrotik.
- Mobotix.
- Panasonic.
- QNAP.
- Ruckus Wireless.
- Shenzhen TVT.
- Synology.
- Tenda.
- TOTOLINK.
- TP-LINK.
- Zyxel.
Conclusion
The Raptor Train botnet represents a significant threat to global cybersecurity, with over 200,000 devices compromised across many countries. Its layered infrastructure, combined with the absence of on-device persistence, shows that the threat actor relies on an abundant supply of vulnerable devices and can reinfect them easily, making the botnet a durable and evolving danger. Against threats of this kind, basic hygiene is no longer optional: keep SOHO and IoT firmware current, replace end-of-life devices, and never expose device management interfaces to the Internet.
The sources for this piece include articles in The Hacker News and IoT News.