August 21, 2024

Moobot Trojan. When Ubiquiti Router Becomes a Botnet's Best Friend

APT28 actors have been leveraging default credentials and trojanized OpenSSH server processes to access Ubiquiti EdgeRouters. The trojanized OpenSSH server processes are associated with Moobot, a Mirai-based botnet that infects Internet of Things (IoT) devices using remotely exploitable vulnerabilities, such as weak or default passwords.

Trojanized OpenSSH Server Binaries

📌 Trojanized OpenSSH server binaries downloaded from packinstall[.]kozow[.]com have replaced legitimate binaries on EdgeRouters accessed by APT28. These trojanized binaries allow remote attackers to bypass authentication and gain unauthorized access to the compromised routers.

📌 The Moobot botnet is known for its ability to exploit vulnerabilities in IoT devices, particularly those with weak or default passwords. By replacing the legitimate OpenSSH server binaries with trojanized versions, APT28 actors can maintain persistent access to the compromised EdgeRouters and use them for various malicious purposes.
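Because the persistence described above rests on a replaced sshd binary, the practical defensive check is file integrity: record digests of the vendor-shipped OpenSSH binaries from a trusted firmware image and compare the live files against them. The script below is an added example, not code from the original post or from Ubiquiti; it builds a constructed "golden image" in a temporary directory, then simulates the binary being swapped out and reports which files no longer match. The paths under `usr/sbin` and `usr/bin` and the file contents are assumptions made for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path, relpaths) -> dict:
    """Record SHA-256 digests for each binary under root (the trusted golden image)."""
    return {rel: sha256_file(root / rel) for rel in relpaths}


def verify_against_baseline(root: Path, baseline: dict) -> dict:
    """Compare live files with the baseline and classify each as ok / modified / missing."""
    results = {}
    for rel, expected in baseline.items():
        path = root / rel
        if not path.exists():
            results[rel] = "missing"
        elif sha256_file(path) != expected:
            results[rel] = "modified"
        else:
            results[rel] = "ok"
    return results


def demo() -> dict:
    """Constructed scenario: take a baseline, then replace sshd and re-verify.

    Everything here is assumed/constructed for the example: the directory layout
    and the byte strings stand in for real firmware files.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "usr/sbin").mkdir(parents=True)
        (root / "usr/bin").mkdir(parents=True)
        (root / "usr/sbin/sshd").write_bytes(b"vendor sshd binary (constructed)")
        (root / "usr/bin/ssh").write_bytes(b"vendor ssh client (constructed)")

        # Baseline taken while the files are still the vendor-shipped ones.
        baseline = build_baseline(root, ["usr/sbin/sshd", "usr/bin/ssh"])

        # Simulate the server binary being swapped for a trojanized copy.
        (root / "usr/sbin/sshd").write_bytes(b"replaced sshd binary (constructed)")

        return verify_against_baseline(root, baseline)


if __name__ == "__main__":
    for rel, status in demo().items():
        print(f"{rel}: {status}")
```

The comparison must be run from a baseline stored off the device (or from a signed firmware image), since an attacker with root on the router can rewrite any manifest kept locally alongside the binaries.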

Mirai-based Botnet

📌 Moobot is a Mirai-based botnet, which means it is derived from the infamous Mirai malware that first emerged in 2016. Mirai is designed to scan for and infect IoT devices by exploiting common vulnerabilities and using default credentials. Once a device is infected, it becomes part of the botnet and can be used for distributed denial-of-service (DDoS) attacks, credential stuffing, and other malicious activities.

📌 The use of a Mirai-based botnet like Moobot highlights the importance of securing IoT devices, such as routers, by changing default passwords and keeping the firmware up to date. The combination of weak or default passwords and unpatched vulnerabilities makes these devices an attractive target for threat actors like APT28.
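The default-credential scanning that Mirai-style botnets rely on leaves a recognisable trace in the router's own SSH authentication log: a burst of failed password attempts across several usernames from one source, sometimes followed by a successful password login from that same source. The detector below is an added example, not code from the original post; it parses constructed syslog-style sshd lines (not real log data), applies a sliding time window to count failures per source, and flags any password-based success from a source that has already tripped the threshold. The hostname, addresses, usernames and timestamps are all constructed for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd log lines (syslog format); not taken from any real device.
SAMPLE_LOG = """\
Aug 21 10:00:01 edgerouter sshd[1201]: Failed password for ubnt from 203.0.113.7 port 51000 ssh2
Aug 21 10:00:02 edgerouter sshd[1202]: Failed password for admin from 203.0.113.7 port 51001 ssh2
Aug 21 10:00:02 edgerouter sshd[1203]: Failed password for root from 203.0.113.7 port 51002 ssh2
Aug 21 10:00:03 edgerouter sshd[1204]: Failed password for invalid user support from 203.0.113.7 port 51003 ssh2
Aug 21 10:00:04 edgerouter sshd[1205]: Failed password for ubnt from 203.0.113.7 port 51004 ssh2
Aug 21 10:00:05 edgerouter sshd[1206]: Accepted password for ubnt from 203.0.113.7 port 51005 ssh2
Aug 21 10:05:00 edgerouter sshd[1300]: Accepted publickey for ops from 198.51.100.20 port 40000 ssh2
Aug 21 11:00:00 edgerouter sshd[1400]: Failed password for ops from 198.51.100.20 port 40001 ssh2
"""

# Matches both "Failed password for USER" and "Failed password for invalid user USER".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse_line(line: str, year: int = 2024):
    """Parse one sshd auth line into a dict, or return None for unrelated lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Syslog timestamps carry no year; the caller supplies it (assumed 2024 here).
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "src": m["src"]}


def detect_bruteforce(log_text: str, threshold: int = 5,
                      window: timedelta = timedelta(minutes=1)) -> list:
    """Flag sources with >= threshold failed logins inside `window`, plus any
    password-based success from such a source (a likely default-credential hit)."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    findings = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["result"] == "Failed"]

        # Sliding window: does any run of failures fit inside `window`?
        burst = False
        for i in range(len(fails)):
            j = i
            while j < len(fails) and fails[j]["ts"] - fails[i]["ts"] <= window:
                j += 1
            if j - i >= threshold:
                burst = True
                break
        if not burst:
            continue

        findings.append({"src": src, "type": "bruteforce",
                         "users": sorted({e["user"] for e in fails})})
        for e in evs:
            if e["result"] == "Accepted" and e["method"] == "password":
                findings.append({"src": src, "type": "password_login_after_bruteforce",
                                 "user": e["user"], "ts": e["ts"]})
    return findings


if __name__ == "__main__":
    for f in detect_bruteforce(SAMPLE_LOG):
        print(f)
```

A success by public key is deliberately not flagged, since the point of the second rule is to catch a password guessed from a default-credential list; on a router where password authentication has been disabled, the second finding type cannot occur at all, which is the configuration the post's advice on default passwords points toward.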

Impact on Compromised EdgeRouters

With the trojanized OpenSSH server processes in place, APT28 actors can maintain persistent access to the compromised EdgeRouters. This allows them to use the routers as a platform for various malicious activities, such as:

📌 Harvesting credentials

📌 Collecting NTLMv2 digests

📌 Proxying network traffic

📌 Hosting spear-phishing landing pages and custom tools