Source |
AlienVault Lab Blog |
Identifier |
8604836 |
Publication date |
2024-11-01 19:39:00 (viewed: 2024-11-01 22:07:07) |
Title |
Ngioweb Remains Active 7 Years Later |
Text |
Executive Summary
Seven years after its first appearance, the proxy server botnet Ngioweb remains active on the internet with barely any relevant changes to its original code. Threat actors continue to use Ngioweb extensively to scan for vulnerable devices (now with a new arsenal of exploits) that can be turned into new proxies. All infected systems are then sold on the black market for pennies as residential proxies via Nsocks.
Key Takeaways:
Nsocks offers 30,000 IPs globally and sells them for prices under $1.50 for 24 hours of access.
The main targets are residential ISP users, who represent more than 75% of the infected users.
The threat actors behind Ngioweb are using dedicated scanners per vulnerability/device to avoid exposing their whole arsenal.
Linear eMerge, Zyxel routers, and Neato vacuums are some of the most targeted devices, but there are many other routers, cameras, and access control systems being targeted.
Ngioweb Background
In August 2018, Check Point published a report and deep analysis on a new multifunctional proxy server botnet named Ngioweb. The proxy service was being loaded by the banking malware family Ramnit. In their report, Check Point reported that the first sample was observed in the second half of 2017.
After the publication of that initial report, additional articles were released. Netlab wrote two blogs that took a deep dive into the available Ngioweb samples, describing the domain generation algorithm (DGA), communication protocols, command and control (C&C) infrastructure, exploited CVEs for D-Link and Netgear devices, its updated features, and more. For details on the nature of Ngioweb, read Netlab's blogs; their coverage remains valid today.
Most recently, in 2024, TrendMicro reported how cybercriminals and nation states are leveraging residential proxy providers to perform malicious actions. For example, one of these nation-state actors, Pawn Storm, had been using a network of hundreds of small office and home office (SOHO) routers through January 2024, when the FBI neutralized part of the botnet. During TrendMicro's investigation of several infected EdgeOS systems, they identified that, in addition to Pawn Storm, the Canadian Pharmacy gang and a threat actor using Ngioweb malware were also abusing the same infected devices.
Malware Analysis
In spring 2024, LevelBlue Labs identified scanning activity against vulnerable devices in which Ngioweb was the delivered payload. Depending on the targeted system, the exploit either fetched a downloader that served several CPU architectures or directly contained the specific payload for the targeted system.
One of the samples obtained during 2024 (SHA-256 be285b77211d1a33b7ae1665623a9526f58219e20a685b6548bc2d8e857b6b44) allowed LevelBlue Labs to determine that the Ngioweb trojan identified in 2024 works very similarly to the version seen in 2019, with only a few slight modifications to the original code, added to evade detection and curious security researchers.
DGA domains
Domain generation algorithms (DGA) aren't new to Ngioweb; they were documented in previous reports, specifically when Netlab sinkholed several domains. The Ngioweb sample LevelBlue Labs analyzed uses an algorithm very similar to those identified in the past. The DGA selects domains from a pool of thousands, depending on the malware configuration, and the bot then tries to connect to each of them in turn until it finds a domain that resolves. However, to prevent the first-stage C&C from being sinkholed by researchers, the threat actors behind the sample LevelBlue Labs analyzed have added a sanity check: every active C&C carries a unique, encrypted TXT response that acts as a signature of its authenticity, so a resolving domain is only accepted as C&C if that response validates. This response carries |
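To make the sinkhole-resistance check concrete, here is an added, hypothetical model of the mechanism the paragraph describes: a bot walks a list of generated candidate domains and accepts the first one that both resolves and publishes a TXT record the bot can validate. This is illustrative code written for this page, not Ngioweb's own DGA, key, protocol or TXT format (none of which the summary above discloses). The hash-chain generator, the HMAC-based TXT signature, the key, the domain names, the IP addresses and the in-memory resolver are all constructed assumptions.

```python
"""Hypothetical model of a DGA loop with a signed-TXT authenticity check.

Added example for this page. NOT Ngioweb's algorithm, key or protocol:
the generator, signature scheme, key, domains, IPs and resolver below are
all constructed for illustration.
"""
import base64
import hashlib
import hmac
from typing import Dict, List, Optional, Tuple

# Hypothetical shared secret baked into the bot; a sinkhole operator who
# lacks it cannot forge a TXT answer the bot will accept.
SECRET = b"constructed-demo-key"


def dga(seed: str, count: int, tld: str = ".com") -> List[str]:
    """Toy generator: derive `count` pseudo-random 12-letter names from a seed.
    A stand-in for a real DGA, which would typically mix in a date or config."""
    names = []
    for i in range(count):
        digest = hashlib.sha256(f"{seed}:{i}".encode()).hexdigest()
        label = "".join(chr(ord("a") + int(c, 16) % 26) for c in digest[:12])
        names.append(label + tld)
    return names


def sign_txt(domain: str, key: bytes) -> str:
    """What a genuine C&C publishes in its TXT record in this model:
    base64(HMAC-SHA256(key, domain))."""
    mac = hmac.new(key, domain.encode(), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


def verify_txt(domain: str, txt: Optional[str], key: bytes) -> bool:
    """Bot-side sanity check: constant-time compare of the served TXT
    against the value the bot expects for this domain."""
    if txt is None:
        return False
    return hmac.compare_digest(sign_txt(domain, key), txt)


class FakeResolver:
    """In-memory stand-in for DNS so the example runs offline."""

    def __init__(self, a_records: Dict[str, str], txt_records: Dict[str, str]) -> None:
        self.a_records = a_records
        self.txt_records = txt_records

    def resolve_a(self, domain: str) -> Optional[str]:
        return self.a_records.get(domain)

    def resolve_txt(self, domain: str) -> Optional[str]:
        return self.txt_records.get(domain)


def find_c2(candidates: List[str], resolver: FakeResolver, key: bytes
            ) -> Tuple[Optional[str], Optional[str], List[Tuple[str, str]]]:
    """Walk candidates in order; accept the first that resolves AND passes
    the TXT check. Returns (domain, ip, attempt_log) or (None, None, log)."""
    log: List[Tuple[str, str]] = []
    for domain in candidates:
        ip = resolver.resolve_a(domain)
        if ip is None:
            log.append((domain, "nxdomain"))
            continue
        if not verify_txt(domain, resolver.resolve_txt(domain), key):
            # Resolves but cannot prove it is the operator's server:
            # a researcher's sinkhole or a stale registration. Skip it.
            log.append((domain, "rejected"))
            continue
        log.append((domain, "accepted"))
        return domain, ip, log
    return None, None, log


def build_demo() -> Tuple[List[str], str, str, FakeResolver]:
    """Constructed scenario: candidate 1 has been sinkholed by a researcher
    (it resolves but serves an unrelated TXT); candidate 3 is the real C&C."""
    cands = dga("demo-seed", 8)
    sinkholed, genuine = cands[1], cands[3]
    resolver = FakeResolver(
        # RFC 5737 documentation addresses, constructed for the demo
        a_records={sinkholed: "192.0.2.10", genuine: "198.51.100.20"},
        txt_records={sinkholed: "v=spf1 -all", genuine: sign_txt(genuine, SECRET)},
    )
    return cands, sinkholed, genuine, resolver


if __name__ == "__main__":
    cands, sinkholed, genuine, resolver = build_demo()
    chosen, ip, log = find_c2(cands, resolver, SECRET)
    for domain, outcome in log:
        print(f"{domain:20s} {outcome}")
    print("chosen:", chosen, ip)
```

The check cuts both ways for defenders. A sinkhole that merely registers DGA domains never becomes the active C&C, so disruption requires recovering the key (or the whole TXT-generation routine) from a sample rather than just winning the domain race. Conversely, a device that resolves a freshly generated domain and then immediately queries its TXT record is itself a useful detection signal in DNS logs.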
Tags |
Malware
Vulnerability
Threat
Mobile
Technical
|
Stories |
APT 28
|