Linux/Moose is a malware family that primarily targets Linux-based consumer routers and infect other Linux-based embedded systems. Once infected, the compromised devices are used to steal unencrypted network traffic and offer proxying services for the botnet operator. You can read more about this phenomenon in an in-depth security research paper on WeLiveSevcurity.com, titled ‘Dissecting Linux/Moose’. In practice, these malicious capabilities are used to steal HTTP cookies to perform fraudulent actions on Facebook, Twitter, Instagram, YouTube and other sites, which include generating non-legitimate “follows”, “views” and “likes.” “Linux/Moose is a novelty when you consider that most embedded threats these days are used to perform DDoS attacks,” explains Olivier Bilodeau, Malware Researcher at ESET.
According to ESET researchers, this type of malware has the capabilities to reroute DNS traffic, which enables manin-the-middle attacks from across the Internet. Moreover, the threat displays out-of-the-ordinary network penetration capabilities compared to other router-based malware. Moose also has DNS hijacking capabilities and will kill the processes of other malware families competing for the limited resources offered by the infected embedded system. “Considering the rudimentary techniques Moose employs to gain access to other devices, it seems unfortunate that the security of embedded devices is not taken more seriously by vendors. We hope that our efforts will help them to better understand how malicious actors are targeting their devices,” concludes Bilodeau.