For over seven years, the Ngioweb proxy botnet has been searching for vulnerable devices and websites, infecting them with malware, and reselling the traffic to other scammers. The cost of access to infected IP addresses starts at $0.20 per day.
Contents
1. WordPress attacks in 2019
2. Smart vacuum cleaners are in danger
3. Black Market Web Traffic by Ngioweb
Attackers compromised WordPress sites using disguised web shells and Linux malware. Ngioweb is a proxy agent.
Experts registered one of the DGA C2 domain names (enutofish–pronadimoful–multihitision[.]org) to analyze the traffic generated by these bots. As it turned out, the attackers combined several bots into a proxy pool and controlled them using the two-tier C2 protocol, and then provided proxy switching services. When hacking the C2 domain, experts found connections to 2,692 compromised WordPress sites, most of which were located in the United States.
Sales of Neato vacuum cleaners ceased in May 2023, but there are still 128,000 Neato devices connected to the internet. About 35,000 of them are in the US, and 15,000 are in India. Ngioweb-infected IoT devices are mostly located on Indian IP addresses.
Nsocks sold access to SOCKS5 proxy servers around the world, allowing buyers to select them by location (state/region, city, or zip code), provider, speed, and type of infected device. Prices range from $0.20 to $1.50 for daily access, depending on the type of device and the time since infection.
The attackers even offer discounts if the IP address has been added to public blacklists. To avoid revealing themselves and those who use the web traffic black market, the attackers only accept payments in Bitcoin or Litecoin.
In 2022, Nsocks posted their first ad on the Black Hat forums, stating that their botnet was 14,000 systems in size. Since 2022, that number has more than doubled, and there are now nearly 30,000 different IP addresses in the pool. That means Ngioweb has grown 10-fold in just four years.
The distribution of infected devices by country is as follows:
Among the Nsocks infected systems are the following groups of victims:
24/7 proxy access to infected Ngioweb systems is now sold for pennies, allowing other attackers to anonymously carry out their malicious attacks on the network.
Victims may not be aware that their devices and IP addresses can be used to generate fraudulent traffic, DDoS attacks, and other malicious activities. Therefore, it is important to install protection systems on all your devices and update them in a timely manner.
Contents
1. WordPress attacks in 2019
2. Smart vacuum cleaners are in danger
3. Black Market Web Traffic by Ngioweb
WordPress attacks in 2019
Researchers from Netlab in 2019 found that the proxy service Free-Socks.in used a large-scale botnet of hacked sites on the CMS WordPress. According to experts, the traffic sent by the proxy service passed through a network of hacked sites on WP.Attackers compromised WordPress sites using disguised web shells and Linux malware. Ngioweb is a proxy agent.
Experts registered one of the DGA C2 domain names (enutofish–pronadimoful–multihitision[.]org) to analyze the traffic generated by these bots. As it turned out, the attackers combined several bots into a proxy pool and controlled them using the two-tier C2 protocol, and then provided proxy switching services. When hacking the C2 domain, experts found connections to 2,692 compromised WordPress sites, most of which were located in the United States.
Smart vacuum cleaners are in danger
Among the most attacked are Zyxel routers, Linear eMerge devices and Neato robot vacuum cleaners.Sales of Neato vacuum cleaners ceased in May 2023, but there are still 128,000 Neato devices connected to the internet. About 35,000 of them are in the US, and 15,000 are in India. Ngioweb-infected IoT devices are mostly located on Indian IP addresses.
Black Market Web Traffic by Ngioweb
In 2022, LevelBlue Labs identified systems infected with the Ngioweb Trojan that were sold as local proxy servers on the Nsock page.Nsocks sold access to SOCKS5 proxy servers around the world, allowing buyers to select them by location (state/region, city, or zip code), provider, speed, and type of infected device. Prices range from $0.20 to $1.50 for daily access, depending on the type of device and the time since infection.
The attackers even offer discounts if the IP address has been added to public blacklists. To avoid revealing themselves and those who use the web traffic black market, the attackers only accept payments in Bitcoin or Litecoin.
In 2022, Nsocks posted their first ad on the Black Hat forums, stating that their botnet was 14,000 systems in size. Since 2022, that number has more than doubled, and there are now nearly 30,000 different IP addresses in the pool. That means Ngioweb has grown 10-fold in just four years.
The distribution of infected devices by country is as follows:
- USA: >13k proxies
- UK: >4k proxies
- Canada: >2 thousand proxies
- Japan: 605 proxies
Among the Nsocks infected systems are the following groups of victims:
- Organizations (ORG)
- Government (GOV)
- CDN (CDN)
- Education (EDU)
- Business (COM)
- Data Centers/Hostings (DCH)
- Providers (ISP): private users connected to home Internet (75% of the botnet consists of this category of devices)
- Mobile Providers (MOB)
24/7 proxy access to infected Ngioweb systems is now sold for pennies, allowing other attackers to anonymously carry out their malicious attacks on the network.
Victims may not be aware that their devices and IP addresses can be used to generate fraudulent traffic, DDoS attacks, and other malicious activities. Therefore, it is important to install protection systems on all your devices and update them in a timely manner.
