IoT Botnet Service Offered by Hackers as “TheMoon”


Originally identified in 2014, TheMoon botnet is configured to look for flaws in routers made by vendors such as ASUS, D-Link, Linksys, and MikroTik. The operators have used the proxy botnet for several purposes: video advertisement fraud, general traffic obfuscation, and brute forcing, to name a few.

To expand the botnet further, the operators are expected to scan constantly for exploitable services running on IoT devices.

TheMoon botnet attacks IoT applications running on port 8080. When it detects a vulnerable device, it drops a shell script which, once executed, downloads the initial stages of the payload.

Security researchers at CenturyLink found that the recent module differs from the previous one in that it converts the targeted device into a SOCKS5 proxy, which allows the botnet operator to offer its proxy network as a service to other people.
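A defender's check for the behaviour described above, as an added example that is not from CenturyLink's report or the original article: it parses the first client payloads of inbound sessions on a router's WAN side and flags those that follow the SOCKS5 client format (RFC 1928). The session tuples, addresses, port 40111 and function names are constructed for illustration; the article does not state which port the proxy listens on.

```python
import ipaddress
import struct

METHODS = {0x00: "no-auth", 0x01: "gssapi", 0x02: "user/pass"}

def parse_greeting(data):
    """Offered auth methods if data is exactly a SOCKS5 client greeting, else None."""
    if len(data) < 3 or data[0] != 0x05 or data[1] == 0 or len(data) != 2 + data[1]:
        return None
    return [METHODS.get(m, f"0x{m:02x}") for m in data[2:]]

def parse_connect(data):
    """(host, port) if data is a SOCKS5 CONNECT request, else None."""
    if len(data) < 7 or data[:3] != b"\x05\x01\x00":
        return None
    atyp, rest = data[3], data[4:]
    if atyp == 0x01 and len(rest) == 6:              # IPv4 address + port
        host = str(ipaddress.IPv4Address(rest[:4]))
    elif atyp == 0x04 and len(rest) == 18:           # IPv6 address + port
        host = str(ipaddress.IPv6Address(rest[:16]))
    elif atyp == 0x03 and len(rest) == rest[0] + 3:  # length byte + name + port
        host = rest[1:-2].decode("ascii", "replace")
    else:
        return None
    return host, struct.unpack("!H", rest[-2:])[0]

def flag_proxy_sessions(sessions):
    """Return (client, wan_port, relay_target) for sessions that speak SOCKS5."""
    hits = []
    for client, wan_port, first, second in sessions:
        if parse_greeting(first) is None:
            continue  # HTTP, TLS and other traffic does not parse as a greeting
        hits.append((client, wan_port, parse_connect(second)))
    return hits

# Constructed sample: first two client payloads of inbound sessions to a router's WAN side.
SAMPLE = [
    ("203.0.113.7", 8080, b"GET / HTTP/1.1\r\n", b""),
    ("198.51.100.23", 40111, b"\x05\x01\x00",
     b"\x05\x01\x00\x03\x0dvideo.example\x01\xbb"),
    ("198.51.100.40", 40111, b"\x16\x03\x01\x02\x00", b""),
]

if __name__ == "__main__":
    for hit in flag_proxy_sessions(SAMPLE):
        print(hit)
```

A home router that answers such a greeting from the internet is relaying third-party traffic, and the decoded CONNECT target shows where that traffic is headed.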

The researchers further discovered that anyone connecting to TCP port 8002 automatically receives a stream of log messages associated with advertisement fraud.

According to the findings of the CenturyLink report:

“One six-hour time period from a single server resulted in requests to 19,000 unique URLs on 2,700 unique domains. After browsing some of the URLs, it was apparent they all had embedded YouTube videos.”

“The always-on nature of IoT devices and the ability to masquerade as normal home users make broadband networks prime targets for these types of attacks,”
