Michael Horka

Raptor Train: China’s Multi-Year Mirai Facelift

Black Lotus Labs, the threat intelligence division of Lumen Technologies, is currently tracking elements of a sophisticated botnet that has gone undetected for over four years, leveraging infected SOHO and IoT devices to target North American and Taiwanese networks in the government, military, telecommunications and defense industrial base (DIB) sectors. “Raptor Train” is a multi-tiered botnet with ties to a Chinese state-sponsored threat group known as Flax Typhoon; it is one of the largest Chinese-operated botnets tracked by Black Lotus Labs and has infected over 100,000 devices in the last year alone. The botnet operators exploit vulnerable SOHO and IoT devices and drop a custom multi-architecture variant of the Mirai malware that we call NOSEDIVE, which relies on memory-only persistence mechanisms and has tooling that can enable remote execution, covert data transfer and DDoS attacks.

This talk will outline the elements of this advanced botnet, beginning with the network architecture and multi-tiered infrastructure and a walk-through of the campaigns as they have evolved over the last four years. Then we will discuss the multi-staged droppers and the NOSEDIVE implant’s expanded functionality, before moving into the backend management infrastructure, SPARROW, and payload generator, CONDOR. Lastly, we will cover botnet attribution and some of the high-level targeting observed by country and sector.


Michael Horka is a Senior Information Security Engineer at Black Lotus Labs, the threat research division of Lumen Technologies. He is responsible for botnet and advanced actor tracking and intelligence. He has over a decade of experience performing threat analysis and reporting on nation-state campaigns, most notably as a Special Agent with the FBI’s Houston Field Office.

[Speaker headshot: Michael Horka, LABScon 2024]