
One Sock Fits All: The use and abuse of the NSOCKS botnet

Nov. 20, 2024, 9:32 a.m.

Description

The ngioweb botnet serves as the foundation for the NSOCKS criminal proxy service, maintaining over 35,000 bots daily across 180 countries. The botnet primarily targets SOHO routers and IoT devices, with two-thirds of proxies based in the U.S. NSOCKS utilizes over 180 'backconnect' C2 nodes to obscure users' identities. The infrastructure enables various threat actors to create their own services and launch DDoS attacks. The botnet employs multiple exploits, targeting vulnerable devices and evading common security solutions. NSOCKS is notorious among criminal forums and has been used by groups like Muddled Libra. The service allows users to purchase proxies with cryptocurrency, offering features such as domain filtering for targeted use. The open nature of NSOCKS has led to its abuse by other actors, including DDoS attackers and other proxy services like Shopsocks5 and VN5Socks.

Date

Published: Nov. 19, 2024, 9:59 p.m.

Created: Nov. 19, 2024, 9:59 p.m.

Modified: Nov. 20, 2024, 9:32 a.m.

Indicators

Attack Patterns

ngioweb

T1568

T1199

T1573

T1071

T1102

T1046

T1498

T1499

T1584

T1190

T1133

T1090

T1078

Additional Information

United States of America