Wednesday, September 18, 2024

2024-08-18 RAPTOR TRAIN NOSEDIVE - Mirai-type IoT Botnet Samples

2024-09-18 Lumen / Black Lotus Labs: Derailing the Raptor Train

The Raptor Train botnet, discovered in 2023, is a large, multi-tiered network composed primarily of compromised SOHO routers, IP cameras, NAS servers, and NVR/DVR devices. Its primary implant, named "Nosedive," is a customized Mirai variant built for a range of IoT CPU architectures, including MIPS, ARM, and PowerPC. Nosedive implants are delivered through multi-stage droppers that use encoded URL schemes, which makes detection harder. Once deployed, the malware runs entirely in memory and supports file upload and download, command execution, and DDoS attacks. This memory-resident design, combined with anti-forensics techniques such as obfuscated process names and multi-stage infection, complicates both detection and analysis.

The botnet operates across three tiers: Tier 1 devices (the bots), Tier 2 C2 servers, and Tier 3 management nodes. Tier 1 devices are compromised using 0-day and n-day vulnerabilities and remain in the botnet for about 17 days. Tier 2 C2 nodes relay communication with the bots and are themselves managed from Tier 3 nodes through a custom Electron-based tool called "Sparrow." Sparrow lets operators control C2 servers, deploy payloads, manage bots, and conduct exploitation activity.


Download
File Information
Malware Repo Links
Over the 15 years this blog has been around, many hosting providers have dropped support because of stricter no-malware policies. This has left broken links, especially in older posts. If you find a broken link on contagiodump.blogspot.com (or contagiominidump.blogspot.com), note the file name from the URL and search for it in the Contagio Malware Storage.
