For the past year, ESET and the security firm GoSecure combined their skills in order to research Linux/Moose further. Here’s some of what was uncovered.
What is a Moose – Introduction
Linux/Moose is a malware family that primarily targets Linux-based consumer routers but that can also infect other Linux-based embedded systems in its path. The compromised devices are used to steal unencrypted network traffic and offer proxying services to the botnet operator. In practice, these capabilities are used to steal HTTP Cookies on popular social network sites and perform fraudulent actions such as non-legitimate “follows”, “views” and “likes”.
In May 2015 ESET released a whitepaper on the malware family we named Linux/Moose. After publication, Linux/Moose’s command and control servers went down and we lost track of the animal. A few months later, in September 2015, we got a new sample of Linux/Moose —with, as expected, some evolution after our publication.
For the past year, ESET and the security firm GoSecure combined their skills in order to research Linux/Moose further. GoSecure investigated the social media fraud aspect and shed some light on an unknown market they called “The Ego Market”. This market is highlighted in a new whitepaper published by GoSecure. This blog will cover the technical changes between the Moose variants we described in our whitepaper and the new variants that appeared in September 2015.
Moose in the bushes – Hiding the address of C&C
The first thing we noticed when we got the new sample was that there was no more command and control (C&C) IP address inside the binary. It seems that the operators read our report carefully and decided to make things a little bit harder for us. In this new version the C&C IP address is given as an encrypted command line argument, as shown in the following output:
This new feature implies that we can no longer run the sample by ourselves; our test machines need to be compromised by an embedded device spreading the threat in-the-wild in order to retrieve the C&C IP address. The attentive reader will notice that the IP address shown is in 32-bit integer format.
The purpose of encrypting the IP address here is, if the binary is found alone, useless without the value passed as argument. Also, the value alone makes no sense without the binary having the correct value to decrypt the argument. The value is XORed with a static value as shown in the following code:
To the best of our knowledge, this value has stayed the same over the last few months. Here is a Python snippet to decrypt the C&C 32-bit Integer value:
Moose molted – Network communication
The network protocol changed but it kept the basis of its protocol and added new layers. Here is a quick look of a packet capture from both samples. By the look of things the main change here is from binary protocol to ASCII printable protocol. In Figure 1, on the left side there is the old network protocol and on the right side there is the new one.
In the old sample the configuration was sent by the C&C server to the malware, and contains various fields like bits field to determine what feature to enable, IP address fields, whitelist list field and password list field. These fields are still present in the new version, but separated in three keys (see Table 1). The operator uses the Cookie: and Set-Cookie: HTTP headers to send these config fields. This config is encrypted by a simple XOR loop like in the first version but it’s also encoded in order to be printable in the HTTP headers thanks to the following function:
Table 1 (key-value table) summarizes the main configuration of Moose v.2:
|PHPSESSID||main config (local/external scan, sniffer, kill process)|
The PHPSESSID key contains the encrypted value of bit fields that allow to enable or disable some features on Moose (local/external scan, sniffer, kill process). The LP key contains the password list. Linux/Moose still tries to spread itself by bruteforcing Telnet credentials. There was a big change in this list, from around 300 logins and passwords in 2015 versus around 10 in 2016. See below:
The WL key contains the whitelist list. Again the list was shorted from 50 to 10 IP addresses. These IP addresses are in the IoC section. Linux/Moose still has the ability to run a proxy service by listening on TCP port 20012. The previous variant used to listen on port 10073. The proxy feature allows IP addresses from the whitelist to interact with the malware.
Linux/Moose’s authors have clearly done a lot of work to stay under the radar with the new version by hiding its C&C server location more effectively and changing the network protocol. By doing this, Moose avoids the Indicators of Compromise (IoCs) released with ESET’s 2015 whitepaper. Shortening the whitelist and password list shows a more delicate approach with Moose. Still, some misleading traces are inside the binary like the fake domain www.challpok.cn found in cleartext in the list of strings or even filenames that can correspond to bitcoinminer or DDoS malware. Linux/Moose stays exclusively a memory-resident threat; rebooting the embedded device will end its execution.
Indicators of Compromise
version 0x1F (31)
version 0x20 (32)
version 0x21 (33)
version 0x22 (34)
Primary C&C servers
Moose’s IoCs are also available and updated on ESET’s malware-ioc Github repository.