A sophisticated threat actor, dubbed Water Barghest, has been exploiting vulnerabilities in Internet-of-Things (IoT) devices to create a botnet of over 20,000 compromised systems. The infected devices are being monetized as residential proxies, according to a new report by Trend Micro.
Water Barghest targets devices from well-known manufacturers such as Cisco, DrayTek, Fritz!Box, Linksys, Netgear, Synology, Tenda, Western Digital, and Zyxel with a malware variant known as Ngioweb.
The malware operates in memory, making the infection non-persistent: rebooting the device removes the malware. The group leverages vulnerabilities in IoT devices, including n-day exploits and at least one zero-day vulnerability. Using public databases like Shodan, the threat actor identifies vulnerable devices and extracts their IP addresses.
Once a device is compromised, it downloads a script that tests multiple Ngioweb samples compiled for different Linux architectures. When successfully executed, the malware connects to a command-and-control (C&C) server.
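Because Ngioweb runs purely in memory and selects an architecture-specific sample at run time, a defender looking at a suspect Linux device has no on-disk file to hash. One practical check, given as an added example here rather than code from the Trend Micro report, is to look for running processes whose executable image no longer exists on disk: the `/proc/<pid>/exe` link then ends in `(deleted)`, or points at an anonymous `memfd:` image. The indicator set and the sample process table are assumptions constructed for illustration.

```python
"""Flag running processes whose executable is not backed by a file on disk.

In-memory payloads (dropped to a temp path and unlinked, or loaded via
memfd_create) leave /proc/<pid>/exe pointing at "... (deleted)" or
"/memfd:<name> (deleted)". This is a heuristic for triage, not proof of
infection. Example code, not part of the original article or report.
"""
import os
import re

# Assumed indicators: anonymous memfd images and unlinked executables.
_FILELESS_EXE = re.compile(r"^/memfd:|\(deleted\)$")


def is_fileless_exe(link_target: str) -> bool:
    """True if a resolved /proc/<pid>/exe target has no backing file on disk."""
    return bool(_FILELESS_EXE.search(link_target))


def triage(entries):
    """Filter (pid, comm, exe_target) tuples down to suspicious ones."""
    return [
        {"pid": pid, "comm": comm, "exe": exe}
        for pid, comm, exe in entries
        if is_fileless_exe(exe)
    ]


def collect_from_proc(proc_root="/proc"):
    """Read (pid, comm, exe_target) for every visible process under proc_root."""
    entries = []
    try:
        names = os.listdir(proc_root)
    except OSError:
        return entries  # not a Linux procfs (or not readable)
    for name in names:
        if not name.isdigit():
            continue
        base = os.path.join(proc_root, name)
        try:
            exe = os.readlink(os.path.join(base, "exe"))
            with open(os.path.join(base, "comm"), encoding="utf-8") as fh:
                comm = fh.read().strip()
        except OSError:
            # kernel threads have no exe link; processes may exit mid-scan;
            # other users' processes need root to read.
            continue
        entries.append((int(name), comm, exe))
    return entries


# Constructed sample process table (not captured from a real device).
SAMPLE_PROCESSES = [
    (1, "init", "/sbin/init"),
    (812, "httpd", "/usr/sbin/httpd"),
    (2417, "x86_64", "/memfd:payload (deleted)"),
    (2518, "sh", "/tmp/.d/arm.bin (deleted)"),
]


if __name__ == "__main__":
    print("sample table:", triage(SAMPLE_PROCESSES))
    print("this host:   ", triage(collect_from_proc()))
```

Run it as root on the device (or on a forensic copy of `/proc` exported via SSH) and review every hit by hand: a `(deleted)` target also appears for a legitimate daemon whose package was upgraded while it kept running, so the finding is a prompt to capture the process memory and command line before the next reboot wipes the evidence, not a verdict on its own.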
Compromised devices are immediately listed on proxy marketplaces, where other threat actors can rent them to disguise malicious activities.
The researchers note that the time between successfully exploiting an IoT device and listing it for sale on residential proxy marketplaces can be as little as 10 minutes.
Water Barghest operates with 17 workers on virtual private servers (VPS), continuously scanning for vulnerabilities and uploading malware. The group has remained under the radar for over five years by automating its operations and accepting payments exclusively in cryptocurrency. Additionally, it erases log files on infected devices to conceal its activities.