Edgerouter Botnet

Malware Profile Updated 3 months ago
The EdgeRouter botnet is a malware variant that has been in operation since 2016. It was notably used by the Pawn Storm group until the US FBI disrupted it in January 2024. Like other malware, it is designed to exploit and damage computer systems, typically infiltrating without the user's knowledge through suspicious downloads, emails, or websites; once inside a system, it can steal personal information, disrupt operations, or even hold data hostage for ransom.

What distinguishes the EdgeRouter botnet is that it modifies the OpenSSH server daemon (sshd) source code so that the daemon accepts hard-coded credentials and logs valid ones for later use by the attackers. Our analysis of this botnet began with a patch made public on GitHub in 2016, as we found evidence that this variant was used by the EdgeRouter botnet operator. The patch, available at https://github.com/jivoi/openssh-backdoor-kit, alters the sshd source code so that attackers can log in with pre-set credentials and capture legitimate ones for future access. This gives unauthorized users persistent access to systems and networks, increasing the potential harm caused by the malware.

Despite the disruption of the Pawn Storm operation, the Ubiquiti EdgeRouter botnet remains active and continues to be used by the Russia-linked group APT28 and various cybercriminal organizations. Trend Micro researchers have reported that the EdgeRouter botnet, also known as Moobot, is still in operation. This highlights the ongoing threat posed by this malware and underscores the need for robust security measures to prevent its spread and mitigate its impact.
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names and profiles you may also want to look at.
ID | Votes | Profile Description
Moobot | 1 | Moobot is a malicious software (malware) that has been causing significant disruption in the digital world. The malware, which can infiltrate systems through various methods such as suspicious downloads, emails, or websites, is known for its capability to steal personal information, disrupt operatio
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Botnet
Openssh
Associated Malware
ID | Type | Votes | Profile Description
No associations to display
Associated Threat Actors
ID | Type | Votes | Profile Description
APT28 | Unspecified | 1 | APT28, also known as Fancy Bear, is a threat actor linked to Russia and has been involved in numerous cyber espionage campaigns. The group is notorious for its sophisticated tactics, techniques, and procedures (TTPs). Recently, NATO and the EU formally condemned APT28's activities, acknowledging the
Pawn Storm | Unspecified | 1 | Pawn Storm, also known as APT28, Fancy Bear, Sofacy Group, Sednit, BlueDelta, and STRONTIUM, is a threat actor that has been active since at least 2007. This group is notorious for targeting governments, militaries, and security organizations worldwide. In recent years, the methods employed by Pawn
Associated Vulnerabilities
ID | Type | Votes | Profile Description
No associations to display
Source Document References
Information about the Edgerouter Botnet malware was read from the document corpus below. This display is limited to 20 results.
Source | Created At | Title
Securityaffairs | 3 months ago | Russia-linked APT28 and crooks are still using the Moobot botnet
Trend Micro | 3 months ago | Router Roulette: Cybercriminals and Nation-States Sharing Compromised Networks