Operators of the TheMoon botnet offer it as a service
Source: http://www.cyberdefensemagazine.com/operators-of-the-themoon-botnet-offer-it-as-a-service/
Author: Pierluigi Paganini
Researchers at the CenturyLink Threat Research Labs
discovered that the operators of the TheMoon IoT botnet are offering it as a
service.
Experts at the CenturyLink Threat Research Labs observed a
new evolution for the TheMoon IoT botnet, operators added a previously
undocumented module that allows them to offer it with a malware-as-a-service
model.
The activity of the TheMoon botnet was first spotted in
2014, and since 2017 its operators added to the code of the bot at least 6 IoT
device exploits.
The botnet target broadband modems or routers from several
vendors, including Linksys, ASUS, MikroTik, D-Link, and GPON routers.
In May 2018, researchers from security firm Qihoo 360
Netlab reported that cybercriminals that targeted the Dasan GPON routers were
using another new zero-day flaw affecting the same routers and recruit them in
their botnet.
Now CenturyLink Threat Research Labs collected evidence
that botnet actor has sold this proxy botnet as a service to other cybercrime
gangs that were using it for credential brute forcing, video advertisement
fraud, general traffic obfuscation and more.
Experts noticed several devices performing credential brute
force attacks on multiple popular websites, then they uncovered a C2 operating
at 91[.]215[.] 158[.]118. This address was associated with previous TheMoon
campaign.
Experts uncovered a video ad fraud operator using TheMoon
on a single server that received requests by 19,000 unique URLs on 2,700 unique
domains over a six-hour period.
The new module was deployed on MIPS devices and allows
operators to abuse infected devices as a SOCKS5 proxy and offer a network proxy
as a service.
CenturyLink blocked TheMoon infrastructure on its ISP
network and reported its findings to other network owners of potentially
infected devices.
Further details including IoCs are reported in the analysis published by CenturyLink.
________________________________________________________________________________________________
To discover more, why not Register Free here for Cyber Security X 2019?
_______________________________________________________________________________________________