What is a Moose – Introduction
Linux/Moose is a malware family that primarily targets Linux-based consumer routers but that can also infect other Linux-based embedded systems in its path. The compromised devices are used to steal unencrypted network traffic and offer proxying services to the botnet operator. In practice, these capabilities are used to steal HTTP cookies on popular social network sites and perform fraudulent actions such as non-legitimate “follows”, “views” and “likes”.
In May 2015 ESET released a whitepaper on the malware family we named Linux/Moose. After publication, Linux/Moose’s command and control servers went down and we lost track of the animal. A few months later, in September 2015, we got a new sample of Linux/Moose, with, as expected, some evolution after our publication.
For the past year, ESET and the security firm GoSecure combined their skills in order to research Linux/Moose further. GoSecure investigated the social media fraud aspect and shed some light on an unknown market they called “The Ego Market”. This market is highlighted in a new whitepaper published by GoSecure. This blog will cover the technical changes between the Moose variants we described in our whitepaper and the new variants that appeared in September 2015.
Moose in the bushes – Hiding the address of the C&C
The first thing we noticed when we got the new sample was that there was no longer a command and control (C&C) IP address inside the binary. It seems that the operators read our report carefully and decided to make things a little bit harder for us. In this new version the C&C IP address is given as an encrypted command line argument, as shown in the following output: