Recent investigations by Lumen Technologies have unveiled the significant role of the Ngioweb malware in powering the well-known residential proxy service NSOCKS, along with related services such as VN5Socks and Shopsocks5. This revelation highlights the ongoing misuse of this malware in various cybercriminal operations.

The telemetry data from Black Lotus Labs indicated that a staggering 80% of the NSOCKS bot network originates from the Ngioweb botnet, predominantly exploiting small office/home office (SOHO) routers and Internet of Things (IoT) devices. Notably, two-thirds of these compromised proxies are located within the United States.

On average, the Ngioweb botnet sustains approximately 35,000 active bots daily, with around 40% remaining active for a month or longer. The malware was first identified in 2018 by Check Point in connection with a Ramnit trojan campaign. More recent analyses by LevelBlue and Trend Micro have examined the botnet further, attributing it to a financially motivated threat actor dubbed Water Barghest that exploits vulnerabilities for profit.

Capable of infecting both Microsoft Windows and Linux devices, Ngioweb takes its name from the command-and-control (C2) domain registered in 2018, “ngioweb[.]su.” As of October 2024, Trend Micro reports that over 20,000 IoT devices have been compromised; Water Barghest infects them with automated scripts and enlists them as proxies for resale. The speed of this operation is concerning: the transition from initial compromise to being listed as a proxy can occur within ten minutes.

Researchers from Lumen and LevelBlue reveal that these infected devices are sold as residential proxy servers through NSOCKS, which has previously been linked to credential-stuffing assaults aimed at platforms like Okta. NSOCKS offers access to SOCKS5 proxies globally, allowing buyers to select proxies based on location, ISP, device type, and time since infection, with prices ranging from $0.20 to $1.50 for 24 hours.

The malware uses a multi-layered approach to identify and exploit vulnerabilities in routers and IoT devices such as cameras and smart home devices. The operational architecture involves a loader network that directs bots to loader-C2 nodes for malware retrieval. This reflects the initial access and privilege escalation tactics described in the MITRE ATT&CK framework, as the attackers exploit system vulnerabilities to gain a foothold on targeted devices.

Moreover, the infected devices maintain long-term connections to second-stage C2 domains generated by domain generation algorithms; these connections act as a gatekeeping mechanism that determines whether a device is integrated into the proxy network. Devices that connect successfully are then made available through the NSOCKS service, an efficient implementation of the persistence tactics described in the MITRE ATT&CK framework.

Compounding these issues, open proxies sourced from NSOCKS have been found to facilitate large-scale distributed denial-of-service (DDoS) attacks. Lumen Technologies is actively blocking all communications linked to the Ngioweb botnet to disrupt this activity. The overall market for residential proxy services, particularly in the underground sector, is expected to expand significantly as both advanced persistent threats and cybercriminals increasingly seek such resources.

This alarming trend underscores how malicious actors can use tools like NSOCKS to conceal their identities and carry out targeted operations against critical entities. Because traffic can be routed through numerous countries, the implications for business owners are serious, particularly given the risk of targeted attacks against sectors such as government or education, where the consequences could be severe.
