Derailing the Raptor Train

Sept. 20, 2024, 12:18 p.m.

Description

A large, multi-tiered botnet called Raptor Train, likely operated by the Chinese threat actor Flax Typhoon, has been discovered. Consisting of over 60,000 compromised SOHO and IoT devices at its peak, it is one of the largest Chinese state-sponsored IoT botnets to date. The botnet uses a sophisticated control system called Sparrow to manage its infrastructure and execute various tasks. While no DDoS attacks have been observed, the botnet has targeted U.S. and Taiwanese entities in sectors such as military, government, education, and telecommunications. The network architecture has three tiers: compromised devices, exploitation and C2 servers, and management nodes. Campaigns have evolved over four years, showing increasing sophistication in tactics and scale.

Date

Published: Sept. 20, 2024, 11:41 a.m.
Created: Sept. 20, 2024, 11:41 a.m.
Modified: Sept. 20, 2024, 12:18 p.m.

Indicators

c6fe1748e68923f278926ee8679aaee22800b9c93c38641d12ea0e945e116bb0

546390a3a296154e36051dda745b573658311f9831789bb1faca411a3803a9bb

2aa12e5989065951be84ce932b65bd197dd6be3fa987838bad48536c0c74d145

92.38.185.47

92.38.185.46

92.38.185.44

92.38.185.43

92.38.176.156

92.38.176.131

92.38.135.146

92.223.30.241

92.223.30.233

92.223.30.232

91.216.190.80

91.216.190.74

91.216.190.247

91.216.190.2

91.216.190.154

89.44.198.254

89.44.198.195

89.44.198.200

85.90.216.69

85.90.216.115

85.90.216.116

85.90.216.112

78.141.238.97

5.45.184.68

85.90.216.111

5.181.27.6

5.181.27.219

5.188.33.135

5.181.27.19

45.80.215.47

5.181.27.21

45.80.215.156

45.80.215.155

45.80.215.186

45.80.215.154

45.80.215.152

45.80.215.151

45.80.215.150

45.77.231.209

45.135.117.136

45.135.117.131

45.13.199.96

45.13.199.84

45.13.199.140

45.13.199.207

45.10.58.132

45.10.58.130

45.10.58.128

45.10.58.129

37.9.35.89

37.61.229.17

37.61.229.15

23.236.68.229

23.236.68.193

23.236.68.213

223.98.159.112

210.61.186.117

207.148.68.131

207.148.122.69

202.182.109.151

195.234.62.198

195.234.62.192

195.234.62.197

195.234.62.19

195.234.62.188

195.234.62.184

195.234.62.18

185.14.45.160

155.138.151.225

155.138.133.56

149.248.51.22

14.1.98.223

139.180.137.219

114.255.70.30

114.255.70.20

104.244.89.157

92.38.185.45

92.38.178.232

85.90.216.110

65.20.97.251

5.188.33.228

45.80.215.149

45.13.199.45

45.13.199.152

45.13.199.104

45.10.58.133

23.236.69.82

23.236.69.110

23.236.68.161

185.207.154.253

45.92.70.71

45.92.70.68

45.92.70.115

45.92.70.113

45.92.70.112

45.92.70.111

Attack Patterns

Nosedive

Flax Typhoon

T1588

T1587

T1572

T1571

T1095

T1573

T1105

T1104

T1071

T1498

T1499

T1132

T1584

T1190

T1133

T1090

CVE-2024-21887

Additional Information

Technology

Defense

Education

Telecommunications

Government

Taiwan

Kazakhstan

United States of America