One Sock Fits All: The use and abuse of the NSOCKS botnet

Nov. 20, 2024, 9:32 a.m.

Description

The ngioweb botnet serves as the foundation for the NSOCKS criminal proxy service, maintaining over 35,000 bots daily across 180 countries. The botnet primarily targets SOHO routers and IoT devices, with two-thirds of proxies based in the U.S. NSOCKS utilizes over 180 'backconnect' C2 nodes to obscure users' identities. The infrastructure enables various threat actors to create their own services and launch DDoS attacks. The botnet employs multiple exploits, targeting vulnerable devices and evading common security solutions. NSOCKS is notorious among criminal forums and has been used by groups like Muddled Libra. The service allows users to purchase proxies with cryptocurrency, offering features such as domain filtering for targeted use. The open nature of NSOCKS has led to its abuse by other actors, including DDoS attackers and other proxy services like Shopsocks5 and VN5Socks.

Date

  • Created: Nov. 19, 2024, 9:59 p.m.
  • Published: Nov. 19, 2024, 9:59 p.m.
  • Modified: Nov. 20, 2024, 9:32 a.m.

Indicators

Attack Patterns

Additional Information

  • United States of America