IoT botnet used in YouTube ad fraud scheme

TheMoon's DDoS days are long gone. The botnet is now a proxy network for other criminal groups.


The security research team at American ISP CenturyLink has discovered that an IoT botnet is proxying traffic for a YouTube video ad fraud scheme.

Researchers made this discovery while investigating an IoT botnet known as TheMoon, which they initially began tracking after observing several CenturyLink devices performing credential brute-force attacks against popular websites.

An investigation into these devices revealed infections with TheMoon IoT malware, and later also exposed the existence of a never-before-seen module designed to transform infected routers and IoT devices into proxies for bad traffic.

TheMoon botnet isn't new. It's been around since 2014, and its primary mode of infection has been using exploits to gain control over vulnerable routers and IoT devices.

In its early days, the botnet had been used primarily for DDoS attacks, but in recent years the botnet has gone relatively quiet on DDoS radars, leading many experts to believe the botnet's operators had switched the botnet from a DDoS cannon to a proxy network.

This was confirmed in early 2018, when researchers from Qihoo 360 Netlab found a first proxy module. Now, CenturyLink's research team has found a different never-before-seen module that confirms TheMoon's evolution from DDoS threat to a proxy network for other criminal groups.

Based on the currently available findings, TheMoon seems to operate as follows:

  • Botnet operators use exploits to infect routers/IoT devices with TheMoon malware
  • TheMoon malware downloads an additional proxy module
  • Module opens a SOCKS5 proxy on infected devices
  • TheMoon operators rent access to these proxies
  • Other criminal groups rent a piece of the botnet and send instructions to the proxies on infected devices on what URLs to access.
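
For defenders who capture traffic reaching a router or IoT device, the SOCKS5 step in the list above is recognizable from the first client bytes of a session, and the request names the destination the proxy is told to reach. The following Python is an added example, not code from CenturyLink's report or from the malware; it assumes the proxy speaks standard RFC 1928 SOCKS5 (optionally with RFC 1929 username/password), and the function name and sample byte streams are constructed for illustration.

```python
import ipaddress

CMDS = {1: "CONNECT", 2: "BIND", 3: "UDP ASSOCIATE"}

def parse_socks5_client(data: bytes):
    """Parse the client-to-server bytes at the start of one TCP session.

    Returns None if the bytes are not a SOCKS5 greeting, else a dict with the
    offered auth methods and, when the capture contains it, the proxy request.
    """
    if len(data) < 3 or data[0] != 5:            # VER must be 5
        return None
    n = data[1]                                  # NMETHODS
    if n == 0 or len(data) < 2 + n:
        return None
    result = {"methods": list(data[2:2 + n]), "cmd": None, "host": None, "port": None}
    pos = 2 + n
    try:
        if data[pos] == 1:                       # RFC 1929 username/password step
            ulen = data[pos + 1]
            plen = data[pos + 2 + ulen]
            pos += 3 + ulen + plen
        ver, cmd, rsv, atyp = data[pos:pos + 4]  # request header
        if ver != 5 or rsv != 0 or cmd not in CMDS:
            return result
        if atyp in (1, 4):                       # IPv4 / IPv6 literal
            alen, off = (4 if atyp == 1 else 16), pos + 4
        elif atyp == 3:                          # length-prefixed domain name
            alen, off = data[pos + 4], pos + 5
        else:
            return result
        if len(data) < off + alen + 2:           # truncated capture
            return result
        raw = data[off:off + alen]
        host = raw.decode("ascii", "replace") if atyp == 3 else str(ipaddress.ip_address(raw))
        port = int.from_bytes(data[off + alen:off + alen + 2], "big")
        result.update(cmd=CMDS[cmd], host=host, port=port)
    except (IndexError, ValueError):             # greeting only, or cut short
        pass
    return result

# Constructed sample streams (not captured traffic).
NOAUTH = bytes.fromhex("050100" "05010003") + bytes([11]) + b"example.com" + (443).to_bytes(2, "big")
USERPASS = (bytes.fromhex("050102") + b"\x01\x04user\x04pass"
            + bytes.fromhex("05010001") + bytes([192, 0, 2, 10]) + (80).to_bytes(2, "big"))
HTTP = b"GET / HTTP/1.1\r\n"

if __name__ == "__main__":
    for name, stream in [("noauth", NOAUTH), ("userpass", USERPASS), ("http", HTTP)]:
        print(name, parse_socks5_client(stream))
```

A SOCKS5 session arriving at a home router or camera from the internet side is worth investigating on its own, whatever destination it requests.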

According to CenturyLink, in the past year, TheMoon botnet has been used for brute-force attacks, credential stuffing attacks, for advertising fraud, general traffic obfuscation, and more.

In a report released today, CenturyLink researchers delved deep into one of the advertising frauds they've seen carried out with TheMoon-infected devices.

This was possible after identifying 24 command-and-control servers to which TheMoon bots connected and from which they received instructions. Experts said TheMoon operators left a service port exposed online that spewed out log data from these C&C servers, allowing the researchers to spy on the operation.

"Each server on average sent seven messages per second," said the CenturyLink Threat Research Labs. "Within each log there is a domain and URL which is believed to represent a browsing request made to the proxy. One six-hour time period from a single server resulted in requests to 19,000 unique URLs on 2,700 unique domains."

"After browsing some of the URLs, it was apparent they all had embedded YouTube videos," researchers said.

The ISP's finding comes after the FBI, Google, and 20 tech industry partners shut down a giant advertising fraud network named 3ve last fall.

On a lighter note, TheMoon is also the botnet that at one point infected home routers by luring regular internet users to adult dating sites. Exploit code hidden in these sites would call out to local IP addresses known to be assigned to home routers, and try to infect the routers with TheMoon malware while the user was browsing the site.
