One Sock Fits All: The Use and Abuse of the NSOCKS Botnet

Summary:
The NSOCKS botnet, underpinned by the ngioweb malware, has emerged as a major player in the cybercrime ecosystem, driving criminal proxy services like VN5Socks and Shopsocks5. With over 35,000 daily active bots spanning 180 countries, it is one of the most extensive and persistent proxy infrastructures observed, with 60% of its bots based in the U.S. This botnet exploits small office/home office routers and IoT devices, leveraging n-day vulnerabilities to compromise older or poorly secured systems. These infected devices are repurposed for a range of malicious activities, including DDoS attacks, credential stuffing, phishing, malware obfuscation, and traffic proxying.

The NSOCKS infrastructure relies on a multi-layered setup to manage its operations. It begins with loader nodes that distribute the ngioweb malware via shell scripts designed to execute and delete themselves quickly, complicating detection. These nodes deliver updates and direct bots to secondary C2 domains created through a domain generation algorithm. The C2 nodes determine whether infected devices meet the requirements for inclusion in proxy networks. Selected devices are routed to "backconnect" C2s, which act as the interface for proxy service users. This intricate structure allows actors to anonymously route traffic through the botnet, obscuring their true identity. NSOCKS enables users to select proxies by geographic region or domain type, including high-value targets like .gov and .edu, facilitating targeted attacks. The proxy network’s weak authentication mechanisms allow both legitimate users and opportunistic threat actors to exploit the service, creating further vulnerabilities. DDoS attackers, for example, use the open proxies to amplify attacks, while other cybercriminals hijack the same infrastructure for reconnaissance, fraud, and spam campaigns. The botnet’s longevity and persistence are notable, with 40% of bots active for over 30 days, providing a stable base for sustained malicious operations.

Security Officer Comments:
The ngioweb malware itself shows sophisticated techniques for resilience and evasion. It uses DNS TXT records to validate DGA domains and prevent sinkholing, while its communications with C2 nodes rely on encrypted payloads to evade detection. These design features, coupled with its integration into proxy services like NSOCKS, make it a versatile tool for cybercriminals. Notably, criminal groups such as Muddled Libra and Pawn Storm have been linked to NSOCKS, cohabiting infected devices with other threat actors. This shared use underscores the interconnected nature of the cybercrime ecosystem. Beyond NSOCKS, ngioweb bots also support other proxy services like Shopsocks5, with significant overlap in infrastructure suggesting partnerships or coordinated operations. Historical data ties NSOCKS to earlier services like LuxSocks, demonstrating a sustained evolution of the botnet to meet changing demands. The infrastructure supports flexible use cases, from fraud and phishing to DDoS coordination, making it a critical enabler for diverse cybercrime activities.

Suggested Corrections:

IOCs:
https://blog.lumen.com/one-sock-fits-all-the-use-and-abuse-of-the-nsocks-botnet/

Researchers at Lumen advise the following:

Corporate Network Defenders:
  • Continue to look for attacks on weak credentials and suspicious login attempts, even when they originate from residential IP addresses, which bypass geofencing and ASN-based blocking.
  • Protect cloud assets from communicating with bots that are attempting to perform password spraying attacks and begin blocking IoCs with web application firewalls.
  • Update and block IP addresses belonging to known open proxies.
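As an added illustration of the three recommendations above (example code written for this summary, not Lumen's own tooling), the following Python flags the two failure patterns a residential-proxy botnet produces in authentication logs and cross-checks sources against an open-proxy blocklist. The log format, thresholds, sample addresses and the blocklist ranges are constructed placeholders.

```python
"""Added example: flag the two auth-failure patterns residential-proxy bots
produce, then cross-check sources against a known open-proxy list.
Log lines, thresholds and the blocklist are constructed placeholders."""
import ipaddress
import re
from collections import defaultdict

LINE_RE = re.compile(r"^(\S+) src=(\S+) user=(\S+) result=(ok|fail)$")

# Constructed sample log: 203.0.113.10 sprays many accounts from one source;
# "svc-backup" is stuffed from many distinct sources, the residential-proxy
# pattern that defeats per-IP rate limits and ASN blocking.
SAMPLE_LOG = """\
2024-11-19T10:00:01 src=203.0.113.10 user=alice result=fail
2024-11-19T10:00:02 src=203.0.113.10 user=bob result=fail
2024-11-19T10:00:03 src=203.0.113.10 user=carol result=fail
2024-11-19T10:00:05 src=198.51.100.7 user=svc-backup result=fail
2024-11-19T10:00:06 src=198.51.100.8 user=svc-backup result=fail
2024-11-19T10:00:07 src=198.51.100.9 user=svc-backup result=fail
2024-11-19T10:00:08 src=192.0.2.44 user=svc-backup result=fail
2024-11-19T10:00:09 src=192.0.2.45 user=alice result=ok
"""
# Constructed blocklist (placeholder ranges standing in for an open-proxy feed).
KNOWN_PROXIES = [ipaddress.ip_network(n)
                 for n in ("203.0.113.0/24", "198.51.100.7/32")]

def parse_auth_log(text):
    """Return (timestamp, src, user, result) tuples; unparsable lines skipped."""
    return [m.groups() for m in map(LINE_RE.match, text.splitlines()) if m]

def is_known_proxy(src, networks=KNOWN_PROXIES):
    """True if src lies in any blocklisted network; malformed input never matches."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in networks)

def triage(text, spray_users=3, stuffing_ips=3):
    users_per_src = defaultdict(set)  # one source, many accounts -> spraying
    srcs_per_user = defaultdict(set)  # one account, many sources -> stuffing
    for _, src, user, result in parse_auth_log(text):
        if result == "fail":
            users_per_src[src].add(user)
            srcs_per_user[user].add(src)
    return {
        "spray_sources": sorted(s for s, u in users_per_src.items() if len(u) >= spray_users),
        "stuffed_accounts": sorted(u for u, s in srcs_per_user.items() if len(s) >= stuffing_ips),
        "proxy_sources": sorted(s for s in users_per_src if is_known_proxy(s)),
    }
```

The per-account view matters most here: each bot contributes only a handful of failures, so per-IP thresholds alone miss the campaign.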

Consumers with SOHO routers:
  • Users should follow best practices of regularly rebooting routers and installing security updates and patches. For guidance on how to perform these actions, please see the “best practices” document prepared by Canadian Centre for Cybersecurity.
  • For organizations that manage SOHO routers: make sure devices do not rely upon common default passwords. They should also ensure that the management interfaces are properly secured and not accessible via the internet. For more information on securing management interfaces, please see DHS’ CISA BoD 23-02 on securing networking equipment.
  • Lumen also recommends replacing devices once they reach their manufacturer end of life and are no longer supported.
Link(s):
https://blog.lumen.com/one-sock-fits-all-the-use-and-abuse-of-the-nsocks-botnet/