Edgerouter Botnet

Malware Profile Updated 23 days ago
Download STIX
Preview STIX
The EdgeRouter botnet, a malware variant, has been in operation since 2016 and was notably used by the Pawn Storm group until it was disrupted by the US FBI in January 2024. This malicious software is designed to exploit and damage computer systems, often infiltrating without the user's knowledge through suspicious downloads, emails, or websites. Once inside a system, it can steal personal information, disrupt operations, or even hold data hostage for ransom. The EdgeRouter botnet specifically modifies the OpenSSH server daemon (sshd) source code to accept hard-coded credentials and log valid ones for later access by attackers. Our analysis of this botnet began with a patch made public on GitHub in 2016, as we found evidence that this variant was utilized by the EdgeRouter botnet operator. The patch, available at https://github.com/jivoi/openssh-backdoor-kit, alters the sshd source code, enabling attackers to use pre-set credentials and log legitimate ones for future exploitation. This technique allows unauthorized users to gain access to systems and networks, further increasing the potential harm caused by the malware. Despite the disruption of the Pawn Storm group, the Ubiquiti EdgeRouter botnet remains active and continues to be employed by Russia-linked group APT28 and various cybercriminal organizations. Trend Micro researchers have reported that the EdgeRouter botnet, also known as Moobot, is still in operation. This highlights the ongoing threat posed by this malware and underscores the need for robust cybersecurity measures to prevent its spread and mitigate its impact.
What's your take? (Question 1 of 0)
65d121d1-151d-4eee-96c7-7c109444d238 Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
IDVotesProfile Description
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Botnet
Associated Malware
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
No associations to display
Associated Threat Actors
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
No associations to display
Associated Vulnerabilities
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
No associations to display
Source Document References
Information about the Edgerouter Botnet Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
SourceCreatedAtTitle
Securityaffairs
a month ago
Russia-linked APT28 and crooks are still using the Moobot botnet
Trend Micro
a month ago
Router Roulette: Cybercriminals and Nation-States Sharing Compromised Networks