First identified in 2014, TheMoon botnet is built to look for flaws in routers made by vendors such as ASUS, D-Link, Linksys, and MikroTik. The botnet operators have put the proxy botnet to a number of uses: video advertisement fraud, general traffic obfuscation, and brute-force attacks, to name a few.
To keep expanding the botnet, the operators are expected to scan constantly for exploitable services running on IoT devices.
TheMoon botnet attacks IoT applications listening on port 8080; once it detects a vulnerable device, it drops a shell script that, when executed, downloads the first stages of the payload.
Security researchers at CenturyLink found that the latest module differs from the previous one in that it turns the targeted device into a SOCKS5 proxy, which lets the botnet operators offer their proxy network as a service to others.
The researchers further discovered that whoever connects to TCP port 8002 automatically receives a stream of log messages associated with advertisement fraud.
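As an added defender's example that is not from the article or the CenturyLink report, the script below checks constructed flow records for the three signs the article attributes to infected devices: a SOCKS5 service answering remote clients (the RFC 1928 greeting and method-selection bytes), a reachable listener on TCP 8002, and browsing fan-out to many distinct domains. The record layout, device addresses and threshold are assumptions.

```python
"""Flag devices showing the proxy-node behaviour the article describes.

Added example (not CenturyLink's code); record layout and thresholds are assumptions."""
from collections import defaultdict

def is_socks5_greeting(payload: bytes) -> bool:
    """RFC 1928 client hello: VER=0x05, NMETHODS, then exactly NMETHODS method bytes."""
    return len(payload) >= 3 and payload[0] == 0x05 and len(payload) == 2 + payload[1]

def is_socks5_method_reply(payload: bytes) -> bool:
    """RFC 1928 server answer: VER=0x05 followed by the single chosen-method byte."""
    return len(payload) == 2 and payload[0] == 0x05

def flag_proxy_nodes(flows, domain_threshold):
    """Return {device: sorted indicators}. Flows are time-ordered dicts with src, dst,
    dport, direction ('in' = towards the local device, 'out' = from it), payload
    (first bytes sent) and host (HTTP Host header, or None)."""
    findings, domains, greeted = defaultdict(set), defaultdict(set), set()
    for f in flows:
        if f["direction"] == "in":
            dev = f["dst"]
            if f["dport"] == 8002:            # the log-stream port the article names
                findings[dev].add("listener on tcp/8002 contacted")
            if is_socks5_greeting(f["payload"]):
                greeted.add((f["src"], dev))  # a remote client offered a SOCKS5 hello
        else:
            dev = f["src"]
            if (f["dst"], dev) in greeted and is_socks5_method_reply(f["payload"]):
                findings[dev].add("answers SOCKS5 greetings")  # device acts as proxy
            if f["host"]:
                domains[dev].add(f["host"])
    for dev, hosts in domains.items():        # fan-out typical of ad-fraud browsing
        if len(hosts) >= domain_threshold:
            findings[dev].add(f"{len(hosts)} distinct domains in window")
    return {dev: sorted(hits) for dev, hits in findings.items()}

def _flow(src, dst, dport, direction, payload=b"", host=None):
    return dict(src=src, dst=dst, dport=dport, direction=direction, payload=payload, host=host)

# Constructed sample traffic: camera 10.0.0.20 behaves normally; router 10.0.0.1 has been
# turned into a proxy node. Remote addresses come from the documentation ranges.
SAMPLE_FLOWS = [
    _flow("10.0.0.20", "203.0.113.9", 443, "out", host="firmware.vendor.example"),
    _flow("198.51.100.7", "10.0.0.1", 1080, "in", payload=bytes([0x05, 0x01, 0x00])),
    _flow("10.0.0.1", "198.51.100.7", 51000, "out", payload=bytes([0x05, 0x00])),
    _flow("198.51.100.7", "10.0.0.1", 8002, "in"),
] + [_flow("10.0.0.1", "203.0.113.50", 80, "out", host=f"site{i}.example") for i in range(40)]

if __name__ == "__main__":
    print(flag_proxy_nodes(SAMPLE_FLOWS, domain_threshold=25))
```

The domain threshold should be tuned to the device class being watched; the report's figure of 2,700 unique domains in six hours from one server gives a sense of the fan-out a proxy node can produce.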
From the findings of the CenturyLink report:
“One six-hour time period from a single server resulted in requests to 19,000 unique URLs on 2,700 unique domains. After browsing some of the URLs, it was apparent they all had embedded YouTube videos.”
“The always-on nature of IoT devices and the ability to masquerade as normal home users make broadband networks prime targets for these types of attacks,”