The Ngioweb malware has been identified as the driving force behind the NSOCKS residential proxy service, along with other services like VN5Socks and Shopsocks5, according to recent discoveries by Lumen Technologies.
The Black Lotus Labs team at Lumen Technologies stated in a report shared with The Hacker News that “At least 80% of NSOCKS bots in our telemetry come from the Ngioweb botnet, primarily using small office/home office (SOHO) routers and IoT devices.”
“The network maintains an average of about 35,000 operational bots daily, with 40% remaining active for a month or longer,” they added.
Ngioweb, which was first identified by Check Point in August 2018 in relation to a Ramnit trojan campaign, has been the focus of recent analyses by LevelBlue and Trend Micro, the latter of which has linked it to a financially motivated threat actor known as Water Barghest.
Ngioweb, whose name derives from the C2 domain “ngioweb[.]su” registered in 2018, is capable of targeting devices running both Microsoft Windows and Linux.
Trend Micro reported that the botnet consists of over 20,000 IoT devices as of October 2024, with Water Barghest using it to locate and infiltrate vulnerable IoT devices and deploy the Ngioweb malware to register them as proxies for sale on a residential proxy marketplace.
Researchers Feike Hacquebord and Fernando Mercês highlighted that the process of monetization from initial infection to the availability of the device as a proxy on the marketplace can be completed in as little as 10 minutes, showcasing a highly efficient and automated operation.
The malware exploits vulnerabilities and zero-days to breach routers and IoT devices, using a two-tiered architecture involving loader networks and loader-C2 nodes to distribute the Ngioweb malware.
A breakdown of proxies by device type reveals that the botnet operators have targeted devices from various vendors such as NETGEAR, Uniview, Reolink, Zyxel, Comtrend, SmartRG, Linear Emerge, Hikvision, and NUUO.
Recent findings from LevelBlue and Lumen indicate that Ngioweb-infected systems are being sold as residential proxy servers through NSOCKS, a service that was previously used in credential-stuffing attacks targeting Okta.
“NSOCKS offers SOCKS5 proxies globally, allowing users to select them by location, ISP, speed, device type, and freshness,” LevelBlue explained. “Prices range from $0.20 to $1.50 for 24-hour access, depending on device type and time since infection.”
Infected devices first connect to C2 domains produced by a domain generation algorithm (DGA), which determine whether the device is eligible for the proxy network; devices that pass are then connected to backconnect C2 nodes, through which NSOCKS customers route their traffic.
Lumen Technologies has taken measures to block traffic to and from infrastructure associated with the Ngioweb botnet in order to disrupt its activities, noting that open proxies powered by NSOCKS have been used to launch large-scale DDoS attacks.
The demand for residential proxy services in both commercial and underground markets is expected to increase, driven by APT groups and cybercriminal organizations seeking to deploy malicious tools while concealing their identities.
“NSOCKS allows users to route traffic through over 180 ‘backconnect’ C2 nodes to hide their identities,” Lumen highlighted. “This not only enables malicious actors to expand their activities worldwide but also facilitates targeted attacks on specific entities like .gov or .edu domains.”