TheMoon Rises Again, With a Botnet-as-a-Service Threat
(Jan 31, 2019)
An Internet-of-Things (IoT) botnet, “TheMoon,” that targets home routers and modems, has been observed to have a new module added to it that can allow it to be sold as Software-as-a-Service (SaaS) to threat actors. TheMoon is a botnet that targets vulnerabilities in routers by ASUS, D-Link, GPON, Linksys, and MikroTik to brute-force credentials, obfuscate traffic, and, with the newest module, act as a SOCKS5 proxy. The botnet is capable of spreading like a worm, and has been observed to utilise up to six exploits at a time to increase its victim count. This iteration of the botnet allows the threat actor behind it to sell its proxy network as a service for other threat actors to utilise.
Recommendation: IoT devices should be placed behind a firewall or network address translation (NAT) and on their own Virtual Local Area Network (VLAN). Change the default password of IoT devices such as routers and printers to something that is difficult for threat actors to guess, but memorable for you. Anything that faces the internet can be vulnerable to threat actors, and as this story illustrates, malware can evolve extremely quickly, so it is crucial to stay up-to-date with security patches and updates.
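As an added example (not from the article or from ThreatStream), a small detector for the proxy behaviour described above: it parses the RFC 1928 SOCKS5 client greeting and server method reply and flags devices on the IoT VLAN that answer such a handshake from outside the LAN, which a home router should never do. The VLAN range, LAN range and flow records are constructed assumptions.

```python
"""Flag IoT-VLAN devices that answer SOCKS5 handshakes from the internet.

Added example, not code from the original article. Assumes flow records of
(src_ip, dst_ip, first_client_payload, first_server_payload) captured at the
network edge; the IoT VLAN and LAN ranges below are assumed values.
"""
import ipaddress

IOT_VLAN = ipaddress.ip_network("192.168.50.0/24")  # assumed IoT VLAN
LAN = ipaddress.ip_network("192.168.0.0/16")        # assumed local ranges


def is_socks5_greeting(payload: bytes) -> bool:
    """RFC 1928 client greeting: VER=0x05, NMETHODS, then NMETHODS method bytes."""
    if len(payload) < 2 or payload[0] != 0x05:
        return False
    nmethods = payload[1]
    return nmethods >= 1 and len(payload) >= 2 + nmethods


def is_socks5_method_reply(payload: bytes) -> bool:
    """Server method selection: VER=0x05, METHOD; 0xFF means no acceptable method."""
    return len(payload) == 2 and payload[0] == 0x05 and payload[1] != 0xFF


def find_exposed_proxies(flows):
    """Return IoT hosts that complete a SOCKS5 method negotiation with an
    external client. Only inbound-from-internet flows to the IoT VLAN count."""
    suspects = set()
    for src, dst, client_payload, server_payload in flows:
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if dst_ip not in IOT_VLAN or src_ip in LAN:
            continue
        if is_socks5_greeting(client_payload) and is_socks5_method_reply(server_payload):
            suspects.add(str(dst_ip))
    return sorted(suspects)


# Constructed sample flows (documentation-range sources, not real captures)
SAMPLE_FLOWS = [
    ("203.0.113.7", "192.168.50.1", b"\x05\x01\x00", b"\x05\x00"),    # router answers SOCKS5
    ("203.0.113.9", "192.168.50.20", b"GET / HTTP/1.1\r\n", b"HTTP/1.1 200 OK"),  # plain HTTP
    ("192.168.50.30", "192.168.50.1", b"\x05\x01\x00", b"\x05\x00"),  # internal client, ignored
    ("198.51.100.4", "192.168.50.40", b"\x05\x01\x00", b"\x05\xff"),  # handshake rejected
]

if __name__ == "__main__":
    print(find_exposed_proxies(SAMPLE_FLOWS))  # -> ['192.168.50.1']
```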
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.