Threat Actors Renting Out Compromised Routers To Other Criminals

APT actors and cybercriminals both exploit proxy anonymization layers and VPN nodes to mask their malicious activities, while Pawn Storm, a well-known APT group, infiltrated a cybercriminal botnet of compromised Ubiquiti EdgeRouters in 2022 and used it for espionage. 

The FBI disrupted the botnet in January 2024, but Pawn Storm was able to move some bots to a new C&C server and found another threat actor using Ngioweb malware on EdgeRouters for a different botnet. 

They leverage various compromised or commercial botnets for their operations.

At the same time, cybercriminals often use poorly secured routers for malware installation, highlighting the importance of strong security measures for internet-facing routers. 

A criminal botnet targeting Linux devices since 2016 has been disrupted by the FBI.

The botnet uses bash/python scripts and SSHDoor malware to steal credentials, exploit default credentials, and establish persistent access on compromised devices. 

It also infects VPS and routers when installing the SOCKS5 proxy and mining Monero cryptocurrency by targeting EdgeRouters, but it can infect any Linux device.

Integrate ANY.RUN in Your Company for Effective Malware Analysis

Are you from SOC, Threat Research, or DFIR departments? If so, you can join an online community of 400,000 independent security researchers:

• Real-time Detection
• Interactive Malware Analysis
• Easy to Learn by New Security Team members
• Get detailed reports with maximum data
• Set Up Virtual Machine in Linux & all Windows OS Versions
• Interact with Malware Safely

If you want to test all these features now with completely free access to the sandbox:

Try ANY.RUN for FREE

The malware uses open-source tools like MicroSocks and SSHDoor with minimal modifications, making them vulnerable to brute-force attacks.

SSHDoor is a malicious version of the SSH server created by modifying legitimate OpenSSH source code, which steals login credentials by logging them to a file and allows unauthorized access through hardcoded passwords or SSH keys. 

It makes detection difficult because most of its code is legitimate as a variant that accepts hardcoded credentials and logs valid ones to a file on compromised EdgeOS routers.

The password is stored in a variable named bdpassword2, and the log file is usually /tmp/.zZtemp, which can be encrypted. 

Researchers at Trend Micro identified a backdoor targeting EdgeRouters by analyzing SSH server banners and algorithms supported.

Legitimate OpenSSH versions wouldn’t use specific versions or support certain ciphers. 

Backdoored devices have been found using unofficial OpenSSH versions (6.0p1, 6.6.1p1, 8.2p2) and even official versions with suspicious ciphers (blowfish-cbc for OpenSSH 7.4p1 or later).

They analyzed 177 devices and found 80 likely backdoored with modified sshd binaries (some with default passwords) and additional public keys for persistent access. 

Law enforcement disrupted Pawn Storm’s botnet infrastructure but some compromised EdgeRouters remained due to legal limitations and technical challenges.

Pawn Storm and other compromised devices like the Raspberry Pi exploited these to launch attacks. 

Phishing campaigns like one targeting Ukrainian ukr.net users leveraged compromised EdgeServers for credential collection and anonymization via SSH tunnels, highlighting the importance of securing internet-facing routers. 

Linux botnets targeting EdgeRouters infected with Ngioweb malware reside only in memory, making them stealthier than previously observed threats. 

The botnet is believed to be commercially available for use as a residential proxy service, which highlights the growing importance of securing internet-facing devices like SOHO routers, which are increasingly targeted by malicious actors.

Is Your Network Under Attack? - Read CISO’s Guide to Avoiding the Next Breach - Download Free Guide