Cybersecurity researchers from Lumen’s Black Lotus Labs discovered a new botnet, named Raptor Train, composed of small office/home office (SOHO) and IoT devices. The experts believe the botnet is controlled by the China-linked APT group Flax Typhoon (also called Ethereal Panda or RedJuliett).
“The botnet operators manage this large and varied network through a series of distributed payload and C2 servers, a centralized Node.js backend, and a cross-platform Electron application front-end that the actors have dubbed ‘Sparrow.’ This is a robust, enterprise-grade control system used to manage upwards of 60 C2 servers and their infected nodes at any given time,” reads the report published by Lumen. “This service enables an entire suite of activities, including scalable exploitation of bots, vulnerability and exploit management, remote management of C2 infrastructure, file uploads and downloads, remote command execution, and the ability to tailor IoT-based distributed denial of service (DDoS) attacks at-scale.”
The three-tiered architecture consists of the following levels:
The Raptor Train botnet operates as a multi-tiered, evolving network with at least three levels of activity observed over four years. Tier 3 “Sparrow” nodes initiate bot tasks, which are routed through Tier 2 command and control (C2) servers to Tier 1 bots. Tier 1, the largest level, is composed of compromised devices with a short lifecycle, averaging 17 days. Tiers 2 and 3 use Virtual Private Servers (VPSs) that last around 77 days, with Tier 3 primarily based in Hong Kong and China. Tier 2 servers are distributed globally and handle the control and exploitation of the bots.