Moobot Trojan. When Ubiquiti Router Becomes a Botnet's Best Friend

APT28 ‎actors‏ ‎have ‎been ‎leveraging ‎default ‎credentials‏ ‎and ‎trojanized‏ ‎OpenSSH‏ ‎server ‎processes ‎to‏ ‎access ‎Ubiquiti‏ ‎EdgeRouters. ‎The ‎trojanized ‎OpenSSH‏ ‎server‏ ‎processes ‎are‏ ‎associated ‎with‏ ‎Moobot, ‎a ‎Mirai-based ‎botnet ‎that‏ ‎infects‏ ‎Internet ‎of‏ ‎Things ‎(IoT)‏ ‎devices ‎using ‎remotely ‎exploitable ‎vulnerabilities,‏ ‎such‏ ‎as‏ ‎weak ‎or‏ ‎default ‎passwords.

Trojanized‏ ‎OpenSSH ‎Server‏ ‎Binaries

📌 Trojanized‏ ‎OpenSSH ‎server‏ ‎binaries ‎downloaded ‎from ‎packinstall[.]kozow[.]com ‎have‏ ‎replaced ‎legitimate‏ ‎binaries‏ ‎on ‎EdgeRouters ‎accessed‏ ‎by ‎APT28.‏ ‎These ‎trojanized ‎binaries ‎allow‏ ‎remote‏ ‎attackers ‎to‏ ‎bypass ‎authentication‏ ‎and ‎gain ‎unauthorized ‎access ‎to‏ ‎the‏ ‎compromised ‎routers.

📌 The‏ ‎Moobot ‎botnet‏ ‎is ‎known ‎for ‎its ‎ability‏ ‎to‏ ‎exploit‏ ‎vulnerabilities ‎in‏ ‎IoT ‎devices,‏ ‎particularly ‎those‏ ‎with‏ ‎weak ‎or‏ ‎default ‎passwords. ‎By ‎replacing ‎the‏ ‎legitimate ‎OpenSSH‏ ‎server‏ ‎binaries ‎with ‎trojanized‏ ‎versions, ‎APT28‏ ‎actors ‎can ‎maintain ‎persistent‏ ‎access‏ ‎to ‎the‏ ‎compromised ‎EdgeRouters‏ ‎and ‎use ‎them ‎for ‎various‏ ‎malicious‏ ‎purposes.

Mirai-based ‎Botnet

📌 Moobot‏ ‎is ‎a‏ ‎Mirai-based ‎botnet, ‎which ‎means ‎it‏ ‎is‏ ‎derived‏ ‎from ‎the‏ ‎infamous ‎Mirai‏ ‎malware ‎that‏ ‎first‏ ‎emerged ‎in‏ ‎2016. ‎Mirai ‎is ‎designed ‎to‏ ‎scan ‎for‏ ‎and‏ ‎infect ‎IoT ‎devices‏ ‎by ‎exploiting‏ ‎common ‎vulnerabilities ‎and ‎using‏ ‎default‏ ‎credentials. ‎Once‏ ‎a ‎device‏ ‎is ‎infected, ‎it ‎becomes ‎part‏ ‎of‏ ‎the ‎botnet‏ ‎and ‎can‏ ‎be ‎used ‎for ‎distributed ‎denial-of-service‏ ‎(DDoS)‏ ‎attacks,‏ ‎credential ‎stuffing,‏ ‎and ‎other‏ ‎malicious ‎activities.

📌 The‏ ‎use‏ ‎of ‎a‏ ‎Mirai-based ‎botnet ‎like ‎Moobot ‎highlights‏ ‎the ‎importance‏ ‎of‏ ‎securing ‎IoT ‎devices,‏ ‎such ‎as‏ ‎routers, ‎by ‎changing ‎default‏ ‎passwords‏ ‎and ‎keeping‏ ‎the ‎firmware‏ ‎up ‎to ‎date. ‎The ‎combination‏ ‎of‏ ‎weak ‎or‏ ‎default ‎passwords‏ ‎and ‎unpatched ‎vulnerabilities ‎makes ‎these‏ ‎devices‏ ‎an‏ ‎attractive ‎target‏ ‎for ‎threat‏ ‎actors ‎like‏ ‎APT28.

Impact‏ ‎on ‎Compromised‏ ‎EdgeRouters

With ‎the ‎trojanized ‎OpenSSH ‎server‏ ‎processes ‎in‏ ‎place,‏ ‎APT28 ‎actors ‎can‏ ‎maintain ‎persistent‏ ‎access ‎to ‎the ‎compromised‏ ‎EdgeRouters.‏ ‎This ‎allows‏ ‎them ‎to‏ ‎use ‎the ‎routers ‎as ‎a‏ ‎platform‏ ‎for ‎various‏ ‎malicious ‎activities,‏ ‎such ‎as:

📌 Harvesting ‎credentials

📌 Collecting ‎NTLMv2 ‎digests

📌 Proxying‏ ‎network‏ ‎traffic

📌 Hosting‏ ‎spear-phishing ‎landing‏ ‎pages ‎and‏ ‎custom ‎tools