CenturyLink sounds the alarm about TheMoon botnet, a versatile tool for fraud

New research is a reminder of how versatile the hordes of infected computers can be in catering to hackers’ needs.

Botnets have been a staple of malicious cyber activity for years because they can be cheap and facilitate cyberattacks at scale. Now, new research highlights how versatile hordes of infected computers can be in catering to hackers’ needs, from advertisement fraud to brute-force attacks.

Researchers at communications provider CenturyLink said Thursday they spent a year tracking a botnet dubbed TheMoon, which can be repurposed by hackers for a range of malicious services.

CenturyLink’s team found an iteration of TheMoon that uses infected microprocessor-based devices as proxy servers that can be sold to other attackers. In one case, researchers said they watched a video-ad fraudster use a proxy service to send requests to 19,000 different URLs from one server in the span of six hours. The ease with which TheMoon enables fraud should have companies on alert.

“We have reason to believe the botnet actor has sold this proxy botnet as a service to other malicious actors and has used it for credential brute forcing, video advertisement fraud, general traffic obfuscation and more,” CenturyLink Threat Research Labs said in a blog post.


“TheMoon has the ability to run any additional payload, making it particularly dangerous and allowing the botnet author to evolve its capabilities over time,” the research states.

The botnet exploits known vulnerabilities in broadband routers and modems made by companies including Linksys and D-Link.

TheMoon attracted researchers’ attention when devices under its spell carried out brute-force attacks on multiple unnamed websites. CenturyLink Threat Research Labs analysts worked backward from there, using the IP addresses of compromised devices to identify other infrastructure used by TheMoon.

CenturyLink said it has blocked the botnet’s infrastructure on the company’s network to mitigate the risk to customers, and that it has alerted third parties to the threat. The impact of TheMoon seems to be waning, the researchers said, with a sharp drop in IPs pinging the botnet’s command-and-control communication network in recent months.

“Though it appears the impact of TheMoon botnet is decreasing, the threat of IoT botnets with varying capabilities remains a powerful one,” the researchers wrote. “The likelihood of this actor attempting to infect new devices in the future by adding additional exploits to the existing toolkit is high.”


U.S. officials have been warning that internet of things (IoT) devices are a boon for botnets. A report published in May by the Department of Commerce concluded that manufacturers of IoT equipment are largely driven by cost and not security concerns, exacerbating the botnet problem.

TheMoon botnet feeds off of such vulnerable IoT gear; its author scans for hosts running insecure devices and then sends a shell script to the target using one of a catalogue of exploits.

The research comes a day after the cybersecurity industry was reminded of the persistence, and potential potency, of botnets. On Wednesday, the Justice Department announced an operation to disrupt the North Korea-linked Joanap botnet, which has been preying on unpatched devices for the last decade.

Written by Sean Lyngaas