
TheMoon IoT Botnet

Posted: February 5, 2019

TheMoon IoT Botnet is a network of compromised Internet-of-Things devices, specifically consumer routers and modems. A compromised device can redirect or intercept your Web traffic, including steering your browser to pages that install software on your PC automatically. Users should reset infected devices to factory defaults and change their credentials before scanning their computers with anti-malware tools for any threats associated with TheMoon IoT Botnet's attacks.

A Five-Year Trojan is, Finally, Shooting for the Moon

The efficacy of TheMoon IoT Botnet is best demonstrated by its longevity: first seen in 2014, it is still active half a decade later and, presumably, still profitable to its author. The cyber-security industry continues to find occasional updates to it, including an alarming module addition this year. For the first time, the 2019-dated plugin shifts TheMoon IoT Botnet's focus towards providing its services to other criminals, presumably for a fee.

TheMoon IoT Botnet compromises not PCs but IoT devices, such as routers and modems from well-known vendors like Linksys and ASUS. The threat actor scans for vulnerable software configurations to infect opportunistically and uses a shell script to drop TheMoon IoT Botnet, which can also copy itself to other devices, like a worm. While ISPs are actively blocking traffic related to this botnet, malware experts anticipate further updates to its infrastructure in the coming weeks, based on its previous high level of activity and dedicated maintenance.

TheMoon IoT Botnet generates Web advertisement fraud (creating 'fake' clicks for affiliate money), can brute-force login credentials, and conceals its malicious traffic, among other features, many of which don't target the user's PC directly. The recent update lets TheMoon IoT Botnet function as a proxy network for hire by third-party criminals. That module is compiled only for MIPS devices, but this is no real limitation: MIPS processors are commonplace in consumer IoT devices.

Darkening a Moon that's Risen for Money

TheMoon IoT Botnet uses several means of disguising its traffic, including switching the ports it uses daily if necessary. Most users shouldn't expect symptoms directly associated with TheMoon IoT Botnet, although related threats, such as Trojans installed through drive-by-download attacks that the infected router redirects the browser towards, can be more self-evident than the botnet itself. Malware experts strongly encourage resetting all compromised devices to factory condition and changing all login credentials as the bare minimum initial response to infection. Because the botnet gets in by exploiting vulnerable firmware, a reset alone leaves the device open to reinfection; update the firmware to a patched version and disable remote (WAN-side) administration as well.

Because brute-force attacks are part of TheMoon IoT Botnet's toolkit, users can protect themselves and their networks by avoiding popular, default, or short passwords that threat actors could guess with automated tools. A five-character password, even one mixing cases, letters, and digits, has fewer than a billion possibilities and falls to an exhaustive search far too quickly to rely on; long, unique passwords or passphrases that appear in no wordlist provide far more security than, for example, 'admin1' or 'password123.' Dedicated anti-malware tools also may be invaluable for deleting threats that TheMoon IoT Botnet drops on a remote attacker's instructions.
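The brute-force point above, as an added example (not code from the original article or from TheMoon's author): a small Python audit that treats a candidate router password the way an attacker's module would, first checking a wordlist of defaults (undoing appended digits and simple leet substitutions, as dictionary mangling rules do), then estimating the cost of an exhaustive search. The wordlist, the guess rate of 10 million per second, and the one-year threshold are constructed assumptions for the example, not figures from the article.

```python
import string

# Constructed sample of default and popular passwords, the kind a botnet's
# brute-force module tries before any exhaustive search. A real attacker list
# is far longer; this set exists only to make the example runnable offline.
COMMON_PASSWORDS = {
    "admin", "password", "root", "user", "guest", "default", "1234", "12345",
    "123456", "letmein", "qwerty", "welcome",
}

# Assumed attacker guess rate (an assumption, not a figure from the article):
# roughly what an unthrottled login interface or an offline attack on a
# captured hash allows.
GUESSES_PER_SECOND = 1e7
SECONDS_PER_YEAR = 365 * 24 * 3600

# Common leet substitutions that dictionary-attack rules undo: @->a 4->a 3->e
# 0->o $->s 5->s 1->i 7->t
LEET = str.maketrans("@430$517", "aaeossit")


def charset_size(password: str) -> int:
    """Size of the smallest standard alphabet covering every character used.

    An exhaustive brute force has to iterate over this alphabet, so it drives
    the cost estimate below.
    """
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation or c == " " for c in password):
        size += len(string.punctuation) + 1  # 32 symbols plus space
    return size


def base_word(password: str) -> str:
    """Strip the decoration that mangling rules undo: case, digits or symbols
    stuck on either end of a word, and leet substitutions inside it."""
    word = password.lower().strip(string.digits + string.punctuation)
    word = word.translate(LEET)
    return "".join(c for c in word if c.isalpha())


def seconds_to_exhaust(password: str) -> float:
    """Worst-case time for an exhaustive search at the assumed guess rate."""
    return charset_size(password) ** len(password) / GUESSES_PER_SECOND


def audit(password: str) -> tuple[str, str]:
    """Return ("reject", reason) or ("accept", reason) for a router password."""
    if password.lower() in COMMON_PASSWORDS or base_word(password) in COMMON_PASSWORDS:
        return "reject", ("default or popular password; a dictionary attack "
                          "finds it within the first few thousand guesses")
    seconds = seconds_to_exhaust(password)
    if seconds < SECONDS_PER_YEAR:
        return "reject", (f"exhaustive search completes in {seconds:.0f} s "
                          f"at {GUESSES_PER_SECOND:.0e} guesses/s")
    return "accept", (f"exhaustive search needs {seconds / SECONDS_PER_YEAR:.1e} "
                      f"years at {GUESSES_PER_SECOND:.0e} guesses/s")


if __name__ == "__main__":
    # Constructed candidates: the article's two bad examples, a leet-mangled
    # dictionary word, a short mixed-charset password, a longer all-lowercase
    # one, and a long random one.
    for candidate in ["admin1", "password123", "p@ssw0rd", "Ab3de",
                      "moonbase", "Tq7!vRm2#pLz9"]:
        verdict, reason = audit(candidate)
        print(f"{candidate:16} {verdict:7} {reason}")
```

Note that 'Ab3de' mixes cases, letters, and digits and still fails: its 62^5 keyspace is exhausted in about a minute and a half at the assumed rate, and even eight lowercase letters last only a few hours. Length does far more than character variety, and nothing in a wordlist survives the first check regardless of length.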

TheMoon IoT Botnet is part of the future of the black-market software industry: a threat that rents itself out to others as well as being independently profitable. Both ordinary PC users and ISPs will have to work together to keep those profits small.
