Researchers from the American ISP CenturyLink have recently uncovered that the TheMoon IoT botnet is being used to proxy traffic for a YouTube ad fraud scheme. The researchers discovered this while investigating several CenturyLink devices that were performing credential brute-force attacks against popular websites.
Their investigation showed that the TheMoon IoT botnet was responsible for these brute-force attacks, and further analysis of the botnet revealed that it was also being used to proxy traffic for other bad actors.
TheMoon IoT botnet
The TheMoon IoT botnet has been active since 2014. Its primary mode of infection is exploiting vulnerabilities in IoT devices and routers to gain control over them. The botnet was earlier used for DDoS attacks, but its operators have since turned it into a proxy network for other threat actor groups. TheMoon has also been used for brute-force attacks, ad fraud schemes, credential stuffing attacks, traffic obfuscation, and more.
TheMoon botnet's activities include the following.
The proxy module
Researchers first spotted the proxy module in early 2018. CenturyLink researchers have now analyzed a proxy module that confirms TheMoon is being used as a proxy network for threat actor groups. They identified 24 C&C servers to which TheMoon bots connected and from which they received instructions.
The researchers then analyzed one of the ad fraud schemes, named ‘3ve’, that was carried out through TheMoon-infected devices. It should be noted that the ‘3ve’ ad fraud scheme has since been dismantled by the FBI, Google, and 20 tech industry partners.
The researchers stated that TheMoon's operators left a service port open that exposed log data from these C&C servers, which allowed them to observe the operators' activities. By monitoring the service port, they found that each server sent, on average, seven messages per second.
“Within each log there is a domain and URL which is believed to represent a browsing request made to the proxy. One six-hour time period from a single server resulted in requests to 19,000 unique URLs on 2,700 unique domains,” researchers from CenturyLink explained.
After browsing some of the URLs, the researchers found that all URLs had embedded YouTube videos.
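The kind of aggregation the researchers describe (counting messages per second and the unique URLs and domains seen in a time window) is straightforward to reproduce on any proxy or web-access log. The following script is an added example, not CenturyLink's tooling, and it uses a hypothetical, constructed log format (timestamp, client address, requested URL) rather than the real C&C log layout, which the article does not show. A defender can run the same summary over their own egress or proxy logs to spot a device that is suddenly fetching thousands of unrelated URLs.

```python
from collections import Counter
from datetime import datetime
from urllib.parse import urlsplit

# Constructed sample records in a hypothetical "<ISO timestamp> <client IP> <URL>" format.
# The real TheMoon C&C log layout is not published on the page; these lines only
# illustrate the analysis.
SAMPLE_LOG = """\
2019-01-15T10:00:00Z 203.0.113.10 http://example-news.test/story/1?embed=youtube
2019-01-15T10:00:00Z 203.0.113.11 http://example-news.test/story/2
2019-01-15T10:00:01Z 203.0.113.12 https://blog.example.test/post/7
2019-01-15T10:00:01Z 203.0.113.10 http://example-news.test/story/1?embed=youtube
2019-01-15T10:00:02Z 203.0.113.13 https://video-host.example.test/watch?v=abc
2019-01-15T10:00:02Z 203.0.113.14 https://blog.example.test/post/8
2019-01-15T10:00:05Z 203.0.113.15 https://blog.example.test/post/7
"""


def parse_log(text):
    """Parse log lines into dicts with timestamp, client, domain and URL.

    Malformed lines (wrong field count or unparsable timestamp) are skipped
    rather than aborting the whole run, which matters on noisy real logs.
    """
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            continue
        url = parts[2]
        domain = urlsplit(url).hostname or ""
        records.append({"ts": ts, "client": parts[1], "domain": domain, "url": url})
    return records


def summarize(records):
    """Compute message rate and URL/domain diversity for a set of records.

    Mirrors the figures quoted in the article: messages per second over the
    observed window, unique URLs, unique domains, plus the busiest domains and
    the chattiest clients.
    """
    if not records:
        return {"messages": 0, "rate_per_sec": 0.0, "unique_urls": 0,
                "unique_domains": 0, "top_domains": [], "top_clients": []}
    # Window length from first to last record; sub-second windows count as one second.
    span = max((records[-1]["ts"] - records[0]["ts"]).total_seconds(), 1.0)
    urls = {r["url"] for r in records}
    domains = Counter(r["domain"] for r in records)
    clients = Counter(r["client"] for r in records)
    return {
        "messages": len(records),
        "rate_per_sec": len(records) / span,
        "unique_urls": len(urls),
        "unique_domains": len(domains),
        "top_domains": domains.most_common(3),
        "top_clients": clients.most_common(3),
    }


if __name__ == "__main__":
    stats = summarize(parse_log(SAMPLE_LOG))
    for key, value in stats.items():
        print(f"{key}: {value}")
```

On real data the same two functions work on any log that can be reduced to a timestamp, a source and a URL; a sudden jump in `unique_domains` per client, with a low repeat rate per URL, is the shape of the traffic the researchers saw from the proxy nodes.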