2024-09-18 Lumen: Derailing the Raptor Train Black Lotus Labs
The Raptor Train botnet, discovered in 2023, is a large, multi-tiered network composed primarily of compromised SOHO routers, IP cameras, NAS servers, and NVR/DVR devices. The botnet's primary implant, named "Nosedive," is a customized variant of the Mirai malware, built for the CPU architectures common in IoT devices (MIPS, ARM, PowerPC, and others). Nosedive is delivered by multi-stage droppers that fetch later stages through encoded URL schemes. Once deployed, the implant runs entirely in memory and supports file upload and download, command execution, and DDoS attacks. This memory-resident design, combined with anti-forensics measures such as obfuscated process names and the multi-stage infection chain, makes the implant difficult to detect and analyze.
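An in-memory Mirai derivative leaves a usable trace even after it removes its dropper: the executable link in /proc/<pid>/exe points at a path that no longer exists (or at an anonymous memfd). The script below is an added triage example, not code from the Lumen report or from the Raptor Train operators; it scans a proc tree for such processes and, for offline use, builds a small constructed sample tree (the pids, process names and paths in it are invented for the demo). Run it as root on a BusyBox-class device, since other users' exe links are not readable.

```sh
#!/bin/sh
# Added example, not code from the Lumen report: triage a Linux/BusyBox host
# for processes whose executable no longer exists on disk or lives only in
# memory. Mirai-derived implants commonly unlink their binary after launch,
# which leaves /proc/<pid>/exe pointing at a "(deleted)" path.

# Print "pid<TAB>comm<TAB>exe-target" for each suspicious process.
# $1 is the proc root (defaults to /proc); returns 1 if anything was found.
find_fileless_procs() {
    proc_root="${1:-/proc}"
    found=0
    for entry in "$proc_root"/[0-9]*; do
        [ -d "$entry" ] || continue
        pid="${entry##*/}"
        # readlink on a dangling symlink still returns the recorded target.
        exe="$(readlink "$entry/exe" 2>/dev/null)" || continue
        case "$exe" in
            *"(deleted)"*|/memfd:*|/dev/shm/*)
                comm="$(cat "$entry/comm" 2>/dev/null)"
                printf '%s\t%s\t%s\n' "$pid" "${comm:-?}" "$exe"
                found=$((found + 1))
                ;;
        esac
    done
    [ "$found" -eq 0 ]
}

# Constructed sample /proc tree (assumption: pids, names and paths are
# invented for the demo) so the check can be exercised offline.
build_sample_proc() {
    root="$1"
    mkdir -p "$root/1" "$root/42" "$root/77" "$root/sys"
    ln -s /sbin/init "$root/1/exe"
    printf 'init\n' > "$root/1/comm"
    ln -s "/tmp/.x (deleted)" "$root/42/exe"       # binary unlinked after exec
    printf 'httpd\n' > "$root/42/comm"             # renamed to look like a daemon
    ln -s "/memfd:payload (deleted)" "$root/77/exe" # loaded via memfd, no comm file
}

case "${1:-}" in
    --demo)
        sample="$(mktemp -d)"
        build_sample_proc "$sample"
        find_fileless_procs "$sample" || true
        rm -rf "$sample"
        ;;
    --scan)
        find_fileless_procs /proc
        ;;
esac
```

`sh triage.sh --demo` prints the two constructed hits (pid 42 masquerading as httpd, pid 77 backed by a memfd) and ignores init; `sh triage.sh --scan` runs the same check against the live /proc. Treat a hit as a lead rather than a verdict: a daemon whose package was upgraded while it was running also shows "(deleted)", and on devices that legitimately execute from tmpfs you may want to add `/tmp/*` to the case pattern and review those hits by hand.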
The botnet operates across three tiers: Tier 1 devices (bots), Tier 2 C2 servers, and Tier 3 management nodes. Tier 1 devices are compromised using 0-day and n-day vulnerabilities and are cycled frequently, with an average lifespan of about 17 days. Tier 2 C2 nodes relay traffic between the bots and the operators and are themselves managed from Tier 3 nodes using a custom Electron-based tool called "Sparrow." Sparrow enables operators to control C2 servers, deploy payloads, manage bots, and conduct exploitation activities.
File Information