New “Raptor Train” IoT Botnet Compromises Over 200,000 Devices Worldwide

September 18, 2024 at 01:01PM

Cybersecurity researchers uncover Raptor Train botnet operated by Chinese state threat actor Flax Typhoon. Consisting of compromised SOHO & IoT devices, it’s one of the largest Chinese IoT botnets, targeting devices from multiple manufacturers. Raptor Train has been linked to multiple campaigns and has been used for potential exploitation attempts against various entities.

The report describes the discovery of a new botnet called Raptor Train, believed to be operated by a Chinese nation-state threat actor known as Flax Typhoon. The botnet comprises small office/home office (SOHO) and IoT devices, with its infrastructure organized into a three-tiered architecture and managed through a sophisticated control system called Sparrow.

The Raptor Train botnet has targeted a wide range of devices from various manufacturers and has a significant footprint in countries such as the US, Taiwan, Vietnam, Brazil, Hong Kong, and Turkey. The botnet has demonstrated the ability to reinfect devices and maintain persistence without a reboot. It uses an in-memory implant called Nosedive, a variant of the Mirai botnet, which can execute commands, upload and download files, and launch DDoS attacks.
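An in-memory implant that survives without a file on disk still has to run as a process, and on Linux-based SOHO/IoT devices the kernel records whether a process's executable image is still backed by a file. The following is an added example, not code from the report or from the researchers who analysed Raptor Train: it flags processes whose `/proc/<pid>/exe` link points at an unlinked (`(deleted)`) or `memfd:` image. The sample link targets are constructed, and treating these two conditions as fileless indicators is a general heuristic assumed here, not a described trait of Nosedive.

```python
"""Flag Linux processes whose executable image is no longer backed by a file.

Added example, not code from the Raptor Train report. It assumes a Linux
/proc filesystem (as on most SOHO/IoT devices) and the general observation
that an implant living only in memory leaves no launch binary on disk: the
/proc/<pid>/exe link then ends in "(deleted)" or names a "/memfd:" object.
These are generic fileless-execution heuristics, not Nosedive signatures.
"""
import os
from typing import Iterable, List, Optional, Tuple


def classify_exe_target(target: str) -> Optional[str]:
    """Return a reason if the exe link target looks fileless, else None.

    memfd-backed images normally also carry the "(deleted)" suffix, so the
    memfd check runs first to give the more specific reason.
    """
    if target.startswith("/memfd:"):
        return "executable backed by anonymous memfd"
    if target.endswith(" (deleted)"):
        return "executable unlinked from disk"
    return None


def find_fileless(processes: Iterable[Tuple[int, str]]) -> List[Tuple[int, str, str]]:
    """processes: (pid, exe_link_target) pairs. Returns (pid, target, reason) hits."""
    hits = []
    for pid, target in processes:
        reason = classify_exe_target(target)
        if reason:
            hits.append((pid, target, reason))
    return hits


def read_proc_exe_links() -> List[Tuple[int, str]]:
    """Collect (pid, readlink(/proc/pid/exe)) for live processes.

    Needs Linux and usually root to read other users' links; entries that
    cannot be read (or a missing /proc on non-Linux hosts) are skipped.
    """
    out = []
    try:
        names = os.listdir("/proc")
    except OSError:
        return out
    for name in names:
        if not name.isdigit():
            continue
        try:
            out.append((int(name), os.readlink(f"/proc/{name}/exe")))
        except OSError:
            continue
    return out


# Constructed sample of /proc/<pid>/exe targets (not real data).
SAMPLE_EXE_LINKS = [
    (1, "/sbin/init"),
    (412, "/usr/sbin/dropbear"),
    (987, "/tmp/.x (deleted)"),
    (1024, "/memfd:stage2 (deleted)"),
    (1101, "/usr/bin/busybox"),
]

if __name__ == "__main__":
    # Review the constructed sample, then the live process table if available.
    for pid, target, reason in find_fileless(SAMPLE_EXE_LINKS):
        print(f"pid {pid}: {target} -> {reason}")
    for pid, target, reason in find_fileless(read_proc_exe_links()):
        print(f"live pid {pid}: {target} -> {reason}")
```

A hit is a triage lead, not a verdict: a daemon whose binary was replaced by a package update also shows `(deleted)` until it restarts, so confirm by checking whether the path still exists and whether the running image matches the on-disk package.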

The botnet has been associated with multiple campaigns, each distinguished by the root domains used and the devices targeted. Notably, the Canary campaign used a multi-layered infection chain, and its domains rose high enough in domain rankings to blend in with legitimate traffic, making the campaign harder to detect and allowing it to circumvent security tools.

While no DDoS attacks have been detected yet, evidence shows that the botnet has been weaponized to target entities in military, government, higher education, telecommunications, defense, and IT sectors. Additionally, there have been exploitation attempts against specific servers and appliances in these sectors, indicating widespread scanning efforts.

The report also links the Raptor Train botnet to Flax Typhoon based on victimology footprint, Chinese language use, and other tactical similarities. The botnet is described as an enterprise-grade control system that can manage C2 servers and their infected nodes, enabling a range of activities including scalable exploitation, vulnerability management, remote command execution, and the ability to launch IoT-based DDoS attacks at scale.
