Inside Water Barghest's Rapid Exploit-to-Market Strategy for IoT Devices

Nov. 18, 2024, 4:38 p.m.

Description

Water Barghest, a cybercriminal group, has developed a highly automated system for exploiting and monetizing IoT devices. Their botnet, comprising over 20,000 devices as of October 2024, uses automated scripts to identify and compromise vulnerable IoT devices from public internet scan databases. Once compromised, the Ngioweb malware is deployed, running in memory and connecting to command-and-control servers. The entire process, from initial infection to listing the device on a residential proxy marketplace, can take as little as 10 minutes. Water Barghest targets various IoT devices from brands like Cisco, DrayTek, and Zyxel, using both n-day vulnerabilities and at least one zero-day exploit. Their sophisticated operation has allowed them to maintain a low profile while generating steady income through their cybercriminal activities.

External References

https://www.trendmicro.com/en_us/research/24/k/water-barghest.html
https://otx.alienvault.com/pulse/673b4d74f0567c0115bd2c97
Tags
iot
botnet
proxy
vulnerability exploitation
ngioweb
2024-11-18
residential proxy marketplace

Date

  • Created: Nov. 18, 2024, 2:21 p.m.
  • Published: Nov. 18, 2024, 2:21 p.m.
  • Modified: Nov. 18, 2024, 4:38 p.m.

Indicators

  • f95342caa61e77174fe7653eea60909b9db0102c27a0641e25cdc053689110ab
  • f6d70464165e00de26127464a84919f20521aa4efbecfae41e75688f74436489
  • eddd909b49f2fef023a7b6188b2ae70bbf1e25e85f5e4c84c19cc25641f17175
  • e3344c598a984dc5dc8dc1d971da8dd9b7058c48288dc5ad063548fff61543a1
  • e2423e93b84284890a27e3796491049a22f6496b3830e20e808dff1c77560e3d
  • e0cdaaba90f061d31cfe0211fe207cb3971970a141d9d72f95c8a55c8d565cb1
  • c267e0bf3f1a0448e66427d5863d762af7cd6cc7ff812e6addcd4e54d9a46ac9
  • bfab45d715e0e090ea18849661ed3ed58bdd7310c54c4a14a607eee4cc742e33
  • be285b77211d1a33b7ae1665623a9526f58219e20a685b6548bc2d8e857b6b44
  • b9360f1434ce7ff45b3ca49ff7269293188a339747b03bcd395b71b1d179700f
  • b8385ce60ca6c69b7ea67fa93c7d5908809658e7d8a4fb9e003890b820979f53
  • a8f7eaf999eb6cc8461f785fad13da30315da80b534cae047c5811bbea3351e3
  • a8497257d78ea15088e0b9c68319a2c0ae8c651ed36780e9424effe97f440c0c
  • a79ff2cd7f47b11d9176c40f0e82ba9b378c463ff9dd6e3e907df9480c7a1547
  • a3317844f3d6b5b2440be896b84fd6aa4ee77a0f9b656b784b235e077b69715d
  • 9fead901a3012825841cb6091f52e0a914944fbb1460c3ddb9d07213fbb7e30e
  • 9fda16ad1d32f34c221d0e074a4ef13217eded63b5ff507452c4e2bbb57df3a4
  • 9fb33a16762dce934e7a48946e396ad672ab16d42a060021238f2ddf6a9f0514
  • 9f1fcfb2fcc66f4e534d3348b8d01eef0be1b153bc022ae7601ed3a0817aae88
  • 9cb6c49173e4cb5a0b3c2f6d69a5bdc0bc67138329f00afaf38d678f2c0e00a6
  • 97cadc2eba1eaa7a4115ea7cc82a6955bc69d8e2913b0b46f493f9cc84ec07de
  • 892eb161254733cf5923313544e923fface375c27b3dcf8f66e79da84c93cf65
  • 869965781d96a06741c2a28c54bb8e3233bc10fcb92455e6cb9ab0c9fc2c54d4
  • 83cf89428e07a1a10b22958dca25f50a8a151bccfa01ee9bcce870303a4f9861
  • 7bddb716c233211fa7332586e7d3e859814ec508108fa1024c4fb99aab843cdf
  • 78a1b5bea50034e7a03e6ed5c0f4f80f1fbc770555891a73790e1b59a2fba608
  • 74f4d77bf367063bccece2fb3796e6bd7a1f51528f58ed3f1450b7de6c29b5f4
  • 743f7c495048d8983bbedc3d52ea00c914fe008b06ef01c1be2a78cd5c1375f3
  • 710e0317de732f1bce32ed96d33468cb2b55e513106393b11bf7800081f1e681
  • 6a3288b1d326290778544769ea7c1ed80af763ea47fee5131afef209a0e2d301
  • 600c56a175f3661f434d1fe3418fb4cca96cdf6f880bd74a389e0d16d85ca501
  • 5d89b09dfb7c09a3a42345a136293b469a71ef7a1f599102ad67c09dc4fc53bf
  • 56657300f250fa9df77d6bc393bfc01d585d00bfb5302bf34314368fb13cbe26
  • 5353228926aa96b546b33de4418f15e347441d16d292f4946beca6a0d314e635
  • 4e8a36f467f1dab1b4768f67efd3712562699603839e38d93525c90989a4cf26
  • 4af537b29c54f976801ee7688c4db78d4b4e7b9947769226afc108e4645cf20f
  • 35f95fbb1b439a89cbd6e825188fb64fde44aef9829d549b4f547850552e095c
  • 2e940e3bd88226cfbbfb7a2eefbdd675173fd2950847a9131e11c1682353e286
  • 2bf2c10332f1d31e1b87e62ca2d7afc70f073c55474d7f03ff6c37caec28df4a
  • 1fe1cece08fef19448a32a746f5c8f77521db757c2b345103834a5f617101f15
  • 1748978997d9630c568f6c06ff0767ed8b0cfbf5c93612daf600adefecfba2e1
  • 129693d8c474a8de8f91e1d16e0129732aba20bea9ac24e7c68b345b7b05ad6f
  • 05cd00f975bd2522d943e836ef5a1cb00806c6d684987274da850be348b2b1f4
  • db1f96b20679f9fb9cbd96b242ab8530102c0105b64c83c3ae544f87594a6fa9
  • c91795b59248562e44d6c07526c7ab89dfe45344293703a94a3ae5ff02eab5a4
  • remalexation.name
  • recepatission.info
  • prekudinish.com
  • prenurevaty.info
  • monobimefist.com
  • misukumotist.info
  • inoluvary.com
  • exagenafy.com
  • enidecikive.net
  • disimunous.com
  • antigutation.info
  • underuvukent.com
  • subonuker.name
  • ultradomafy.net
  • semiridinution-postepudency.com
  • minixetepate.biz
  • promexucate.com
  • macrofocafify.org
  • interocakate.com
  • emelenalike.com
  • antihicipate.com
Download all indicators here!

Attack Patterns

  • ngioweb
  • Water Barghest
  • T1571
  • T1497
  • T1070
  • T1205
  • T1132
  • T1027
  • T1584
  • T1562
  • T1190
  • T1133