elf.nosedive

Nosedive

Actor(s): Flax Typhoon


According to Black Lotus Labs, Nosedive is a custom variation of the Mirai implant that is supported on all major SOHO and IoT architectures (e.g. MIPS, ARM, SuperH, PowerPC, etc.). Nosedive implants are typically deployed from Tier 2 payload servers in the Raptor Train infrastructure through a unique URL encoding scheme and domain injection method. Nosedive droppers use this method to request payloads for specific C2s by encoding the requested C2 domain and joining it with a unique "key" that identifies the bot and the target architecture of the compromised device (e.g. MIPS, ARM, etc.), which is then injected into the Nosedive implant payload that is deployed to the Tier 1 node. Once deployed, Nosedive runs in-memory only and allows the operators to execute commands, upload and download files, and run DDoS attacks on compromised devices.

The malware and its associated droppers are memory-resident only and deleted from disk. This, in addition to anti-forensics techniques employed on these devices including the obfuscation of running process names, compromising devices through a multi-stage infection chain, and killing remote management processes, makes detection and forensics much more difficult.

References
2024-09-18, Lumen, Black Lotus Labs: Derailing The Raptor Train (Nosedive)
2024-09-18, U.S. Department of Justice: Court-Authorized Operation Disrupts Worldwide Botnet Used by People’s Republic of China State-Sponsored Hackers (Nosedive)
2024-09-18, Lumen, Black Lotus Labs: Derailing the Raptor Train (Nosedive)
2024-09-18, ASD, CNMF, CSE Canada, FBI, GCSB, NCSC UK, NSA: People’s Republic of China-Linked Actors Compromise Routers and IoT Devices for Botnet Operations (Nosedive)

There is no Yara-Signature yet.