Security Advisory: Raptor Train

RGSA 10-31-24

Date: October 31, 2024


Introduction 

Security researchers recently identified a sophisticated botnet called Raptor Train, operated by the China-based threat actor tracked as Flax Typhoon. A botnet is a network of compromised computers or devices that an attacker controls remotely to carry out malicious activity. Botnets vary in size and complexity, which makes them hard to track or take down, and that is why they are such a significant threat. Active since at least May 2020, Raptor Train primarily targets small office/home office (SOHO) routers and Internet of Things (IoT) devices, and it peaked at roughly 60,000 simultaneously compromised devices in June 2023.

Raptor Train consists of a three-tiered architecture:

  • Tier 1: Compromised devices (e.g., routers, cameras)
  • Tier 2: Command-and-control (C2) servers that manage the botnet and facilitate exploitation
  • Tier 3: Management nodes, controlled via a tool called Sparrow, which directs tasks to the botnet.

Over its lifetime the botnet has compromised more than 200,000 devices. Its operators can run commands on infected devices, use them to exploit further vulnerable devices, and launch distributed denial-of-service (DDoS) attacks, in which a massive amount of traffic is sent to a website or server at once so that it is overwhelmed and goes offline, much like a traffic jam. Since 2020 there have been several distinct campaigns, each with different targets and new tactics. In September 2024 the U.S. Department of Justice announced a court-authorized takedown of Raptor Train, attributing it to Integrity Technology Group, a Beijing-based company. The operation seized the botnet's infrastructure and disabled the malware on infected devices.

Implications:

Raptor Train mainly infects routers, IP cameras, network storage and similar devices rather than PCs, so on those devices the signs are more subtle: unexplained slowdowns or reboots, or an unusually large amount of outbound traffic. More generally, a device that has been pulled into a botnet may show some of the following symptoms:

  • Slower Device Performance: Malicious processes consume CPU, memory and bandwidth, so the device feels sluggish.
  • Frequent Crashing/Freezing: The operating system or applications become unresponsive more often than usual.
  • Unusual Pop-ups: Unexpected ads or pop-ups, which indicate adware or other malware activity.
  • Unusual Emails or Messages: Spam sent from your email or social media accounts without your knowledge.
  • Changes to Settings: Browser homepage, search engine or other settings change unexpectedly.

To reduce the risk, use strong, unique passwords (a password manager such as 1Password makes this practical) and change the default credentials on routers and IoT devices, install firmware and software updates promptly and replace devices the manufacturer no longer supports, reboot any device you suspect is infected, enable the firewall on your devices and network, and run anti-virus software such as McAfee on computers, bearing in mind that anti-virus cannot be installed on most routers and cameras.
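As a concrete illustration of what watching for unusual outbound traffic can look like, the following script is an added example written for this advisory; it is not Richter Guardian tooling, not FBI material and not anything from the Raptor Train research. It assumes a home or small-office firewall that can export per-connection records in a simple, constructed format (timestamp, source IP, destination IP, destination port, bytes sent). The thresholds, the device addresses and the sample records are all assumptions chosen for illustration.

```python
"""Flag LAN devices whose outbound traffic looks like botnet activity.

Added example, not part of the original advisory. It reads per-connection
flow records in the constructed format
    <timestamp> <src_ip> <dst_ip> <dst_port> <bytes_out>
and flags a device when it sends a lot of data to the internet, talks to
many unrelated public hosts, or uses destination ports a router or camera
would not normally need. Every threshold below is an assumption to tune
against your own network's baseline.
"""
from collections import defaultdict
from ipaddress import ip_address

BYTES_THRESHOLD = 50_000_000        # assumed: more than 50 MB out in the window
FANOUT_THRESHOLD = 20               # assumed: more than 20 distinct public hosts
COMMON_PORTS = {53, 80, 123, 443, 853}  # assumed: ports a home device legitimately uses

# Constructed sample export: a laptop (.10) and a router (.20) behaving
# normally, and an IP camera (.42) fanning out to 25 unrelated public hosts
# on port 8080 with 3 MB each, which is how a device used as a DDoS source
# or a relay tends to look from the LAN side.
SAMPLE_FLOWS = "\n".join(
    [
        "2024-10-30T01:00:05 192.168.1.10 192.168.1.1 53 60",  # LAN DNS, ignored
        "2024-10-30T01:00:06 192.168.1.10 142.250.72.14 443 2300",
        "2024-10-30T01:00:09 192.168.1.10 142.250.72.14 443 2300",
        "2024-10-30T01:00:12 192.168.1.10 142.250.72.14 443 2300",
        "2024-10-30T01:05:00 192.168.1.20 129.6.15.28 123 76",
        "2024-10-30T01:15:00 192.168.1.20 129.6.15.28 123 76",
    ]
    + [f"2024-10-30T02:00:{i:02d} 192.168.1.42 45.83.{i}.7 8080 3000000"
       for i in range(1, 26)]
)


def parse_flows(text):
    """Turn the export into (timestamp, src, dst, port, bytes) tuples."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port, nbytes = line.split()
        flows.append((ts, src, dst, int(port), int(nbytes)))
    return flows


def is_public(addr):
    """True for routable internet addresses; LAN, loopback etc. are excluded."""
    a = ip_address(addr)
    return not (a.is_private or a.is_loopback or a.is_link_local or a.is_multicast)


def summarize(flows):
    """Per source device: bytes sent to the internet, public hosts contacted,
    and non-standard destination ports used."""
    stats = defaultdict(lambda: {"bytes": 0, "dests": set(), "odd_ports": set()})
    for _ts, src, dst, port, nbytes in flows:
        if not is_public(dst):
            continue  # LAN-to-LAN traffic is out of scope for this check
        s = stats[src]
        s["bytes"] += nbytes
        s["dests"].add(dst)
        if port not in COMMON_PORTS:
            s["odd_ports"].add(port)
    return stats


def flag_devices(flows, bytes_threshold=BYTES_THRESHOLD,
                 fanout_threshold=FANOUT_THRESHOLD):
    """Return {device_ip: [reasons]} for devices that trip at least one rule."""
    findings = {}
    for src, s in summarize(flows).items():
        reasons = []
        if s["bytes"] > bytes_threshold:
            reasons.append(f"{s['bytes']} bytes sent to the internet")
        if len(s["dests"]) > fanout_threshold:
            reasons.append(f"contacted {len(s['dests'])} distinct public hosts")
        if s["odd_ports"]:
            reasons.append(f"non-standard destination ports {sorted(s['odd_ports'])}")
        if reasons:
            findings[src] = reasons
    return findings


if __name__ == "__main__":
    for device, reasons in flag_devices(parse_flows(SAMPLE_FLOWS)).items():
        print(device)
        for r in reasons:
            print("  -", r)
```

On the constructed sample only the camera at 192.168.1.42 is reported, and it trips all three rules. A device that trips one rule in isolation may simply be a backup job or a video call, so tune the thresholds to what your own devices normally do; a router or camera that trips all three is worth isolating from the network, rebooting and updating before you trust it again.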

The FBI estimates that the botnet compromised more than 260,000 devices worldwide, most of them in North America and Europe. The FBI has also warned of the ongoing risk: the operators route their attacks through the compromised devices to hide their own identity and location, which is why the Bureau is urging stronger cybersecurity measures against state-sponsored threats.

HOW RICHTER GUARDIAN CAN HELP YOU

  • Call us at +1 844-908-3950 or email support@richterguardian.com to connect with our cyber concierge and discuss how to protect your online presence, including options for monitoring against attacks like this one.
  • We provide updates on events like this and the security measures to consider in response, such as installing a password manager and using Richter Guardian to monitor for and detect these types of threats early.