Chinese botnet infects 260,000 SOHO routers, IP cameras with malware

The FBI and cybersecurity researchers have disrupted a massive Chinese botnet called “Raptor Train” that infected over 260,000 networking devices to target critical infrastructure in the US and in other countries.

The botnet has been used to target entities in the military, government, higher education, telecommunications, defense industrial base (DIB), and IT sectors, mainly in the US and Taiwan.

Over four years, Raptor Train has grown into a complex, multi-tiered network with an enterprise-grade control system for handling tens of servers and a large number of infected SOHO and consumer devices: routers and modems, NVRs and DVRs, IP cameras, and network-attached storage (NAS) servers.

Multi-tiered botnet

Raptor Train started in May 2020 and appears to have remained under the radar until last year when it was discovered by researchers at Black Lotus Labs, the threat research and operations arm at Lumen Technologies, while investigating compromised routers.

While the primary payload is a variant of the Mirai malware for distributed denial-of-service (DDoS) attacks, which the researchers call Nosedive, the botnet has not been seen deploying such attacks.

In a report today, the researchers describe three tiers of activity within Raptor Train, each for specific operations, e.g. sending out tasks, managing exploitation or payload servers, and command and control (C2) systems.

The number of active compromised devices in the botnet fluctuates but researchers believe that more than 200,000 systems have been infected by Raptor Train since it started in May 2020, and it controlled over 60,000 devices at its peak in June last year.

At the moment, Black Lotus Labs is tracking around the same number of active infected devices, fluctuating by a few thousand since August.

In an alert today about the same botnet, the FBI notes that Raptor Train infected more than 260,000 devices.

Speaking at the Aspen Cyber Summit earlier this month, FBI Director Christopher Wray said that Flax Typhoon worked at the direction of the Chinese government.

To remove the threat, the FBI executed Court authorized operations that led to taking control of the botnet infrastructure. In response, Flax Typhoon tried to migrate infected devices to new servers "and even conducted a DDOS attack against us," Wray said.

"Ultimately as part of this operation we were able to identify thousands of infected devices, and then with court authorization, issued commands to remove malware from them, prying them from China's grip" - Christopher Wray

In a MySQL database retrieved from an upstream management server (Tier 3), the FBI found that in June this year, there were more than 1.2 million records of compromised devices (active and previously compromised), with 385,000 unique systems in the U.S. 

The FBI also connected the botnet to the Flax Typhoon state-sponsored hackers, saying that the control of Raptor Train was done through the Chinese company Integrity Technology Group (Integrity Tech) using China Unicom Beijing Province Network IP addresses.

With an architecture that can handle more than 60 C2s and the bots they manage, Raptor Train typically has tens of thousands of active Tier 1 devices when engaged in campaigns:

Modems/Routers ActionTec PK5000 ASUS RT-*/GT-*/ZenWifi TP-LINK DrayTek Vigor Tenda Wireless Ruijie Zyxel USG* Ruckus Wireless VNPT iGate Mikrotik TOTOLINK     IP Cameras D-LINK DCS-* Hikvision Mobotix NUUO AXIS Panasonic NVR/DVR Shenzhen TVT NVRs/DVRs   NAS devices QNAP (TS Series) Fujitsu Synology Zyxel

The researchers say that Raptor Train operators add devices in Tier 1 likely by exploiting “exploiting more than 20 different device types with both 0-day and n-day (known) vulnerabilities.”

Because Nosedive payloads do not have a persistence mechanism, these devices stay in the botnet for about 17 days and the operators recruit new ones as needed.

The Tier 2 network is for command and control, exploitation, and payload servers for Tier 1 devices.

Black Lotus Labs distinguishes between first-stage and second-stage payload servers, with the former delivering a more generic payload and the latter engaging in more targeted attacks on specific device types.

The researchers believe that this may be part of an effort to better hide the zero-day vulnerabilities used in the attacks.

Over time, Raptor Train has increased the number of C2 servers, from up to five between 2020 and 2022, to 11 last year, and more than 60 this year between June and August.

The management of the entire botnet is done manually over SSH or TLS from Tier 3 systems (called Sparrow nodes by the attacker), which send commands and collect data such as bot information and logs.

For easier operation, Raptor Train’s Sparrow nodes provide a web interface (Javascript front-end), backend, and auxiliary functions to generate payloads and exploits.

Raptor Train campaigns

Black Lotus Labs has tracked four Raptor Train campaigns since 2020 and discovered dozens of Tier 2 and Tier 3 domains and IP addresses used in the attacks.

Starting May 2023, in a campaign that researchers call Canaray, the botnet operators showed a more targeted approach and added to Raptor Train mostly ActionTec PK5000 modems, Hikvision IP cameras, Shenzhen TVT NVRs and ASUS RT- and GT- routers.

For the nearly two months during the Canary campaign, one Tier 2 second-stage server infected at least 16,000 devices.

The fourth recruitment effort (Oriole campaign) that the researchers observed began in June 2023 and lasted until this September. Last month, the botnet had at least 30,000 devices in Tier 1.

The researchers say that the C2 domain w8510[.]com used in the Oriole campaign “became so prominent amongst compromised IoT devices, that by June 3, 2024, it was included in the Cisco Umbrella domain rankings” and that by August it was also in Cloudflare’s Radar top one million domains.

“This is a concerning feat because domains that are in these popularity lists often circumvent security tools via domain whitelisting, enabling them to grow and maintain access and further avoid detection” - Black Lotus Labs

According to the researchers, the botnet was used last December in scanning activities that targeted the U.S. military, U.S. government, IT providers, and defense industrial bases.

However, it appears that the targeting efforts are global, as the Raptor Train was also used to target a government agency in Kazakhstan.

Additionally, Black Lotus Labs notes that the botnet was also involved in exploitation attempts against Atlassian Confluence servers and Ivanti Connect Secure appliances (likely via CVE-2024-21887) at organizations in the same activity sectors.

Currently, the Raptor Train botnet is at least partially disrupted as Black Lotus Labs is null-routing traffic to the known infrastructure points, "including their distributed botnet management, C2, payload and exploitation infrastructure."

Linked to Chinese state hackers

According to the indicators found during the investigation, Black Lotus Labs assesses with medium to high confidence that the operators of Raptor Train are likely state-sponsored Chinese hackers, specifically the Flax Typhoon group.

In support of the theory is not only the choice of targets, which aligns with Chinese interests but also the language used in the codebase and infrastructure, as well as the overlapping of various tactics, techniques, and procedures.

The researchers noticed that Tier 3 management node connections to Tier 2 systems over SSH occurred “almost exclusively” during China’s normal workweek hours.

Additionally, the description of the functions and interface menus, comments, and references in the codebase were in Chinese.

Despite being a sophisticated botnet, there are steps that users and network defenders can take to protect against Raptor Train. For instance, network administrators should check for large outbound data transfers, even if the destination IP is from the same area.

Consumers are recommended to reboot their routers regularly and install the latest updates from the vendor. Also, they should replace devices that are no longer supported and don't receive updates (end-of-life systems).