• HOME
  • About Us
  • Industry Insight & news
    • Industry Insight & News
    • Sign up to our newsletter
  • Press releases & updates
    • Press Releases & Updates
  • Downloads & Resources
    • Downloads & Resources
  • Events
    • DTX Europe
    • DTX Manchester
    • UC EXPO
  • DTX TV


Operators of the TheMoon botnet offer it as a service

Operators of the TheMoon botnet offer it as a service
2019-02-06T00:00:00Z

Source: http://www.cyberdefensemagazine.com/operators-of-the-themoon-botnet-offer-it-as-a-service/

Author: Pierluigi Paganini

Researchers at the CenturyLink Threat Research Labs discovered that the operators of the TheMoon IoT botnet are offering it as a service.

Experts at the CenturyLink Threat Research Labs observed a new evolution for the TheMoon IoT botnet, operators added a previously undocumented module that allows them to offer it with a malware-as-a-service model.

The activity of the TheMoon botnet was first spotted in 2014, and since 2017 its operators added to the code of the bot at least 6 IoT device exploits.

The botnet target broadband modems or routers from several vendors, including Linksys, ASUS, MikroTik, D-Link, and GPON routers.

In May 2018, researchers from security firm Qihoo 360 Netlab reported that cybercriminals that targeted the Dasan GPON routers were using another new zero-day flaw affecting the same routers and recruit them in their botnet.

Now CenturyLink Threat Research Labs collected evidence that botnet actor has sold this proxy botnet as a service to other cybercrime gangs that were using it for credential brute forcing, video advertisement fraud, general traffic obfuscation and more.

Experts noticed several devices performing credential brute force attacks on multiple popular websites, then they uncovered a C2 operating at 91[.]215[.] 158[.]118. This address was associated with previous TheMoon campaign.

Experts uncovered a video ad fraud operator using TheMoon on a single server that received requests by 19,000 unique URLs on 2,700 unique domains over a six-hour period.

The new module was deployed on MIPS devices and allows operators to abuse infected devices as a SOCKS5 proxy and offer a network proxy as a service.

CenturyLink blocked TheMoon infrastructure on its ISP network and reported its findings to other network owners of potentially infected devices.

Further details including IoCs are reported in the analysis published by CenturyLink.

________________________________________________________________________________________________

To discover more, why not Register Free here for Cyber Security X 2019?

_______________________________________________________________________________________________

View more articles here


Digital Transformation EXPO Europe 

Digital Transformation EXPO Manchester

© Copyright 2019 – Imago Techmedia | Website content is valid at the date of publishing and therefore can be subject to change

Disclaimer: Imago Techmedia is not responsible for the content of speakers and seminars, and any information and opinions shared does not necessarily reflect the views or opinions of Imago Techmedia or associated brands.

TERMS & CONDITIONS | PRIVACY & COOKIES POLICY