One Article Review

Home - The article:
Source RiskIQ
Identifier 8606510
Publication date 2024-11-05 15:34:41 (viewed: 2024-11-05 16:11:19)
Title Ngioweb Remains Active 7 Years Later
Text

## Snapshot

LevelBlue Labs researchers report that the Ngioweb multifunctional proxy server botnet continues to operate with minimal changes to its original code. Threat actors use Ngioweb to scan for and infect vulnerable devices, including Linear eMerge systems, Zyxel routers, Neato vacuums, and other Internet of Things (IoT) devices, turning them into residential proxies.

## Description

These proxies are sold on the black market through Nsocks, which offers access to over 30,000 IPs globally. Most victims are residential ISP users, with infections predominantly occurring in the United States, United Kingdom, Canada, Japan, and India. The botnet employs a domain generation algorithm (DGA) for command-and-control (C2) communication, with a unique encrypted TXT response used to verify the authenticity of the C2 domain. Once a device is compromised, it reports to the C2 server and starts functioning as a proxy server without the victim's knowledge.

Nsocks, which accepts Bitcoin or Litecoin, categorizes infected systems by the type of organization or IP type; the largest share falls in the ISP category (individual residential users), followed by Data Center/Web Hosting/Transit (DCH). The malware has evolved to exploit a range of vulnerabilities and zero-days, with dedicated scanners for each vulnerability or device type to minimize detection. For example, [CVE-2019-7256](https://security.microsoft.com/intel-explorer/cves/CVE-2019-7256/) was exploited to gain access to Linear's eMerge E3-Series products. LevelBlue Labs reports that the botnet has grown from 3,000 daily IPs in 2020 to almost 30,000 IPs in 2024, a significant increase in the scale of this threat.

## Microsoft Analysis and Additional OSINT Context

The Ngioweb botnet, first identified by Check Point researchers [in August 2018](https://research.checkpoint.com/2018/ramnits-network-proxy-servers/), initially surfaced as a Windows variant connected to the well-known banking malware Ramnit, also known as "Black." Check Point noted that Ramnit served as a loader for Ngioweb, enabling its deployment. The malware was named after the hardcoded domain "ngioweb[.]su," found in its configuration. This early version signaled Ngioweb's alignment with malicious banking activities and underscored the threat it posed to Windows systems.

The botnet's evolution continued when, [in May 2019](https://blog.netlab.360.com/an-analysis-of-linux-ngioweb-botnet-en/), Netlab discovered a Linux variant of Ngioweb through a suspicious ELF file. This version shared substantial code with the Windows variant but introduced a DGA for added resilience. Netlab continued tracking Ngioweb's progression, identifying a second version [in August 2020](https://blog.netlab.360.com/linux-ngioweb-v2-going-after-iot-devices-en/) that incorporated AES encryption for its configuration and adjustments to its DGA, making detection more difficult. [In 2024](https://www.trendmicro.com/en_us/research/24/e/router-roulette.html), TrendMicro researchers identified EdgeRouters infected with Ngioweb, and LevelBlue Labs examined its configuration changes. These recent developments included added destination path variations for C2 communications, such as "request.js," "piwik.js," and "pendo.js," likely intended to evade detection measures based on known filenames, further cementing Ngioweb's adaptability and continued evolution as a botnet threat.

## Recommendations

**Microsoft recommends the following mitigations to reduce the impact of botnets.**

- [Restrict automatic prompts](https://support.microsoft.com/en-us/windows/automatic-file-download-notifications-in-windows-dc73c9c9-1b4c-a8b7-8d8b-b471736bb5a0) for non-user-initiated file downloads.
- [Enable Safe Links](https://learn.microsoft.com/en-us/powershell/module/exchange/enable-safelinksrule?view=exchange-ps) protection for links in email messages.
- [Enable Safe Attachments](https://learn.microsoft.com/en-us/powershell/module/exchange/set-safeattachmentrule?view=exchange-ps) in block mode.
- Enable [Ze
Notes ★★
Sent Yes
Tags Spam Malware Vulnerability Threat Mobile


The article does not appear to have been picked up after its publication.


The article does not appear to be a repost of a previous one.