TheMoon retrained from DDoS botnet to proxy
TheMoon's IoT botnet was used to proxy traffic in a fraudulent ad-based scheme on YouTube.
Security researchers at US provider CenturyLink have discovered a botnet of Internet of Things (IoT) devices being used to proxy traffic in a fraudulent ad scheme on YouTube.
The researchers identified the fraudulent scheme while analysing the TheMoon botnet, which included some CenturyLink devices. The devices were carrying out brute-force attacks on popular sites; as it turned out, they were infected with TheMoon malware armed with a completely new module.
The TheMoon botnet has been known to researchers since 2014. The malware typically infects routers and IoT devices by exploiting known vulnerabilities. Early in its history the botnet was used to carry out DDoS attacks, but in recent years it has largely disappeared from the DDoS scene. According to the researchers, this is because TheMoon is now used by attackers as a proxy for fraudulent schemes.
The researchers' suspicions were confirmed at the beginning of last year, when Qihoo 360 Netlab specialists discovered the first traffic-proxying module in TheMoon. Now CenturyLink has identified a completely new, previously unknown module, confirming TheMoon's evolution from a DDoS botnet into a proxy botnet.
The attack works as follows: TheMoon infects a vulnerable device and downloads an additional module onto it that opens a SOCKS5 proxy on the infected device; the botnet's operators then sell access to that proxy to other cybercriminals.