Edgerouter Botnet

The EdgeRouter botnet, a malware variant, has been in operation since 2016 and was notably used by the Pawn Storm group until it was disrupted by the US FBI in January 2024. This malicious software is designed to exploit and damage computer systems, often infiltrating without the user's knowledge through suspicious downloads, emails, or websites. Once inside a system, it can steal personal information, disrupt operations, or even hold data hostage for ransom. The EdgeRouter botnet specifically modifies the OpenSSH server daemon (sshd) source code to accept hard-coded credentials and log valid ones for later access by attackers. Our analysis of this botnet began with a patch made public on GitHub in 2016, as we found evidence that this variant was utilized by the EdgeRouter botnet operator. The patch, available at https://github.com/jivoi/openssh-backdoor-kit, alters the sshd source code, enabling attackers to use pre-set credentials and log legitimate ones for future exploitation. This technique allows unauthorized users to gain access to systems and networks, further increasing the potential harm caused by the malware. Despite the disruption of the Pawn Storm group, the Ubiquiti EdgeRouter botnet remains active and continues to be employed by Russia-linked group APT28 and various cybercriminal organizations. Trend Micro researchers have reported that the EdgeRouter botnet, also known as Moobot, is still in operation. This highlights the ongoing threat posed by this malware and underscores the need for robust cybersecurity measures to prevent its spread and mitigate its impact.