Botnet for hire from TheMoon


TheMoon, an IoT botnet that targets home routers and modems, has been updated with a module that allows it to be sold as a service to other hackers. According to CenturyLink Threat Research Labs, this is already being detected in the wild: one hacker's ad campaign, run through TheMoon from a single server, affected 19,000 unique URLs on 2,700 domains over a six-hour period. The botnet has also been seen used for credential brute forcing, general traffic obfuscation and more.

TheMoon is a modular botnet that has been around since 2014 and targets security flaws in residential routers within broadband networks. According to researchers, it targets broadband modems and routers made by companies such as Linksys, ASUS, MikroTik and D-Link, and recently added GPON routers. It spreads like a worm and has been seen incorporating as many as six IoT exploits at a time in an effort to spread. The new module is only deployed on MIPS devices, a common microprocessor architecture typically found in residential gateways and modems. It allows the compromised device to be used as a SOCKS5 proxy, which can be used to bypass internet filtering or obscure the source of internet traffic, allowing the botnet author to sell the proxy network as a service to others.

TheMoon demonstrates the ability to distribute malicious modules of differing functionality and is designed to function like a botnet-as-a-service, enabling other hackers to employ it for their own uses. Traffic flowing through the proxy network is divided into plaintext and ciphertext, and the volume is kept low so that it does not attract too much attention. The plaintext portion consists of pornography, gambling and mining content and looks like a portal site; the ciphertext portion is related to e-commerce or online mailboxes.

This new version is different: previous modules with proxy functionality only allowed the C2 to send proxy requests, whereas the new version allows the botnet author to sell its proxy network as a service to others. The proxy port is a randomly chosen port above 10,000 that changes multiple times per day. Originally this proxy port was unauthenticated, allowing anyone to route traffic through an infected device; in April 2018 the hackers changed their proxies to use authentication.
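The two behaviours described above (a SOCKS5 proxy on a residential gateway listening on a high, rotating port, with or without authentication) can be hunted for passively from a network sensor. The following is an added detection example written for this page; it is not code from Walden Systems, CenturyLink, or TheMoon itself. It assumes the sensor produces per-flow records that include the first payload bytes in each direction (the `Flow` record, the constructed sample flows, the addresses, ports and hours are all made up here). The handshake constants are the standard SOCKS5 values from RFC 1928 (version byte 0x05, method 0x00 for no authentication, 0x02 for username/password, 0xFF for "no acceptable method").

```python
"""Flag home gateways that accept inbound SOCKS5 handshakes on high ports.

Constructed example for illustration: the flow records below are invented,
and the Flow schema is an assumption about what a network sensor exports.
"""
from collections import defaultdict
from dataclasses import dataclass

SOCKS_VER = 0x05            # RFC 1928 version byte
METHOD_NO_AUTH = 0x00       # no authentication required
METHOD_USERPASS = 0x02      # RFC 1929 username/password
METHOD_NONE_ACCEPTABLE = 0xFF


@dataclass
class Flow:
    src: str      # external client address
    dst: str      # monitored gateway address (inside our network)
    dport: int    # destination port on the gateway
    hour: int     # hour of day the flow started
    c2s: bytes    # first client-to-server payload bytes
    s2c: bytes    # first server-to-client payload bytes


def parse_client_greeting(data: bytes):
    """Return the auth methods offered by the client, or None if not SOCKS5."""
    if len(data) < 2 or data[0] != SOCKS_VER:
        return None
    nmethods = data[1]
    if len(data) < 2 + nmethods:
        return None
    return list(data[2:2 + nmethods])


def parse_server_choice(data: bytes):
    """Return the method the server selected, or None if not a SOCKS5 reply."""
    if len(data) != 2 or data[0] != SOCKS_VER:
        return None
    return data[1]


def classify_flow(flow: Flow):
    """'socks5-noauth', 'socks5-auth', or None when no usable SOCKS5 proxy answered."""
    methods = parse_client_greeting(flow.c2s)
    choice = parse_server_choice(flow.s2c)
    if methods is None or choice is None or choice == METHOD_NONE_ACCEPTABLE:
        return None
    if choice not in methods:
        return None  # server picked something the client never offered: malformed
    return "socks5-noauth" if choice == METHOD_NO_AUTH else "socks5-auth"


def summarize(flows, min_port=10000, min_sources=3):
    """Aggregate SOCKS5 handshakes per gateway; alert on high-port proxies
    reached by several distinct external clients (the rental pattern)."""
    per_gw = defaultdict(lambda: {"ports": set(), "sources": set(), "hours": set(),
                                  "noauth": 0, "auth": 0})
    for f in flows:
        kind = classify_flow(f)
        if kind is None or f.dport < min_port:
            continue
        rec = per_gw[f.dst]
        rec["ports"].add(f.dport)
        rec["sources"].add(f.src)
        rec["hours"].add(f.hour)
        rec["noauth" if kind == "socks5-noauth" else "auth"] += 1
    alerts = []
    for gw, rec in per_gw.items():
        if len(rec["sources"]) >= min_sources:
            alerts.append({
                "gateway": gw,
                "ports": sorted(rec["ports"]),
                "hours": sorted(rec["hours"]),
                "distinct_sources": len(rec["sources"]),
                "noauth_handshakes": rec["noauth"],
                "auth_handshakes": rec["auth"],
            })
    return sorted(alerts, key=lambda a: a["gateway"])


# Constructed sample flows (documentation address ranges, invented ports/hours).
SAMPLE_FLOWS = [
    Flow("198.51.100.7", "192.0.2.10", 31337, 9, b"\x05\x01\x00", b"\x05\x00"),
    Flow("198.51.100.8", "192.0.2.10", 31337, 10, b"\x05\x02\x00\x02", b"\x05\x02"),
    Flow("203.0.113.5", "192.0.2.10", 44210, 15, b"\x05\x01\x02", b"\x05\x02"),
    Flow("203.0.113.9", "192.0.2.10", 8080, 11, b"GET / HTTP/1.1\r\n", b"HTTP/1.1 200 OK"),
    Flow("198.51.100.7", "192.0.2.11", 443, 9, b"\x16\x03\x01", b"\x16\x03\x03"),
    Flow("203.0.113.21", "192.0.2.11", 20001, 12, b"\x05\x01\x00", b"\x05\xff"),
]

if __name__ == "__main__":
    for alert in summarize(SAMPLE_FLOWS):
        print(alert)
```

Run against the sample, the script reports a single gateway (192.0.2.10) that answered SOCKS5 handshakes on two different ports above 10,000 during the day, from three distinct external clients, one of them without authentication. The port rotation shows up as more than one port per gateway over a day, and the `noauth_handshakes` counter distinguishes the older open-proxy behaviour from the authenticated variant introduced in April 2018; a gateway that only rejects handshakes (0xFF) or that serves ordinary HTTP or TLS is not reported.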

The threat of IoT botnets remains a powerful one. It's likely that whoever wrote this will attempt to infect new devices in the future by adding additional exploits to the existing toolkit. There's a huge market for proxy botnets that target broadband networks to route traffic for attacks like credential brute-forcing and ad fraud. The always-on nature of IoT devices and the ability to masquerade as normal home users make broadband networks prime targets for these types of attacks.