Moobot Trojan. When a Ubiquiti Router Becomes a Botnet's Best Friend
APT28 actors have been leveraging default credentials and trojanized OpenSSH server processes to access Ubiquiti EdgeRouters. The trojanized OpenSSH server processes are associated with Moobot, a Mirai-based botnet that infects Internet of Things (IoT) devices using remotely exploitable vulnerabilities, such as weak or default passwords.
Trojanized OpenSSH Server Binaries
📌 Trojanized OpenSSH server binaries downloaded from packinstall[.]kozow[.]com have replaced legitimate binaries on EdgeRouters accessed by APT28. These trojanized binaries allow remote attackers to bypass authentication and gain unauthorized access to the compromised routers.
📌 The Moobot botnet is known for its ability to exploit vulnerabilities in IoT devices, particularly those with weak or default passwords. By replacing the legitimate OpenSSH server binaries with trojanized versions, APT28 actors can maintain persistent access to the compromised EdgeRouters and use them for various malicious purposes.
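Because the technique above is a straight replacement of the legitimate sshd binary, the defender's check is an integrity comparison against a known-good baseline. The script below is an added example, not code from the original post, from Ubiquiti or from the referenced advisory: it records SHA-256 hashes of trusted binaries (plain `sha256sum` output) and later reports whether a binary still matches. The file names, contents and the baseline path used in the demo are constructed; the binary to check on a real EdgeRouter would be the installed sshd path, assumed here to be `/usr/sbin/sshd`.

```shell
#!/bin/sh
# Added example (not from the original post, Ubiquiti, or the advisory).
# Compares an OpenSSH server binary against a known-good SHA-256 baseline
# recorded from clean firmware. Baseline format is plain `sha256sum` output:
# "<hash>  <path>". All demo paths and contents below are constructed.

# check_binary_against_baseline BIN BASELINE
# Return codes: 0 hash matches, 1 hash differs (possible replacement),
# 2 binary missing, 3 no baseline entry for that path.
check_binary_against_baseline() {
    bin="$1"
    baseline="$2"
    if [ ! -f "$bin" ]; then
        echo "MISSING      $bin"
        return 2
    fi
    # sha256sum lines are "<hash>  <path>"; match on the path column.
    expected=$(awk -v p="$bin" '$2 == p { print $1 }' "$baseline")
    if [ -z "$expected" ]; then
        echo "NO-BASELINE  $bin"
        return 3
    fi
    actual=$(sha256sum "$bin" | awk '{ print $1 }')
    if [ "$actual" = "$expected" ]; then
        echo "OK           $bin"
        return 0
    fi
    echo "MISMATCH     $bin"
    echo "  expected $expected"
    echo "  actual   $actual"
    return 1
}

# record_baseline BASELINE BIN...
# Snapshot hashes from a trusted image (e.g. freshly flashed firmware).
record_baseline() {
    out="$1"
    shift
    sha256sum "$@" > "$out"
}

# demo: build a constructed "clean" sshd, baseline it, then simulate the
# binary being swapped out and show the check flagging it.
demo() {
    work=$(mktemp -d)
    printf 'constructed clean sshd contents\n' > "$work/sshd"
    record_baseline "$work/baseline.sha256" "$work/sshd"
    check_binary_against_baseline "$work/sshd" "$work/baseline.sha256"   # OK
    printf 'constructed replaced sshd contents\n' > "$work/sshd"
    check_binary_against_baseline "$work/sshd" "$work/baseline.sha256"   # MISMATCH
    rm -rf "$work"
}

# Real use (assumed path): record_baseline /root/sshd.sha256 /usr/sbin/sshd
# on a trusted image, then check_binary_against_baseline /usr/sbin/sshd /root/sshd.sha256
case "${1:-}" in
    demo) demo ;;
esac
```

Run with `sh check_sshd.sh demo` to see the clean and replaced cases. The baseline must come from a trusted source (a freshly flashed image, or the vendor package), and it has to be stored off the device: an attacker who can overwrite sshd can overwrite a baseline file sitting next to it. On Debian-derived images where dpkg supports it, `dpkg --verify openssh-server` performs a comparable check against the package's recorded MD5 sums; a binary that is absent from any package is itself worth investigating.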
Mirai-based Botnet
📌 Moobot is a Mirai-based botnet, which means it is derived from the infamous Mirai malware that first emerged in 2016. Mirai is designed to scan for and infect IoT devices by exploiting common vulnerabilities and using default credentials. Once a device is infected, it becomes part of the botnet and can be used for distributed denial-of-service (DDoS) attacks, credential stuffing, and other malicious activities.
📌 The use of a Mirai-based botnet like Moobot highlights the importance of securing IoT devices, such as routers, by changing default passwords and keeping the firmware up to date. The combination of weak or default passwords and unpatched vulnerabilities makes these devices an attractive target for threat actors like APT28.
Impact on Compromised EdgeRouters
With the trojanized OpenSSH server processes in place, APT28 actors can maintain persistent access to the compromised EdgeRouters. This allows them to use the routers as a platform for various malicious activities, such as:
📌 Harvesting credentials
📌 Collecting NTLMv2 digests
📌 Proxying network traffic
📌 Hosting spear-phishing landing pages and custom tools