Cybersecurity Agencies Warn Ubiquiti EdgeRouter Users of APT28’s MooBot Threat

February 28, 2024NewsroomFirmware Security / Vulnerabilities

MooBot Threat

In a new joint advisory, cybersecurity and intelligence agencies from the US and other countries are urging Ubiquiti EdgeRouter users to take protective measures, weeks after a botnet consisting of infected routers were hacked by law enforcement as part of an operation codenamed Dying Ember.

The botnet, named MooBot, is said to be used by a Russian-linked threat actor known as APT28 to facilitate covert cyber operations and drop custom malware for subsequent exploits. APT28, affiliated with Russia’s Main Directorate of the General Staff (GRU), has been known to be active since 2007.

APT28 actors “used compromised EdgeRouters around the world to harvest credentials, collect NTLMv2 digests, proxy network traffic, and host spear-phishing landing pages and custom tools,” authorities said. . SAYS (PDF).

Adversary use of EdgeRouters begins in 2022, with attacks targeting the aerospace and defense, education, energy and utilities, government, hospitality, manufacturing, oil and gas, retail, technology, and transportation sectors in the Czech Republic. , Italy, Lithuania, Jordan, Montenegro, Poland, Slovakia, Turkey, Ukraine, UAE, and US


MooBot attacks include targeting routers with default or weak credentials to deploy OpenSSH trojans, with APT28 gaining access to deliver bash scripts and others more ELF binaries to collect credentials, proxy network traffic, host phishing pages, and other tooling.

It includes Python scripts to upload account credentials belonging to specific targeted webmail users, collected through cross-site scripting and browser-in-the-browser (BitB) spear-phishing campaigns.

APT28 is also involved in exploiting CVE-2023-23397 (CVSS score: 9.8), a now-patched critical privilege escalation flaw in Microsoft Outlook that enables stealing NT LAN Manager (NTLM) hashes and mounting a relay attack without requiring any user interaction.

Another tool in its malware arsenal is MASEPIE, a Python backdoor capable of executing arbitrary commands on victim machines that use compromised Ubiquiti EdgeRouters as command-and-control (C2) infrastructure.

“With root access to compromised Ubiquiti EdgeRouters, APT28 actors have unrestricted access to Linux-based operating systems to install tooling and to obfuscate their identity while conducting malicious campaigns,” the agencies said.


Organizations are recommended to perform a hardware factory reset on routers to flush file systems of malicious files, upgrade to the latest firmware version, change default credentials, and -implement firewall rules to prevent exposure to remote management services.

The revelations are a sign that nation-state hackers are increasingly using routers as a launchpad for attacks, using them to create botnets such as VPNFilter, Cyclops Blink, and KV-botnet and conduct their malicious activities.

The bulletin came a day after the Five Eyes countries called APT29 – the threat group affiliated with Russia’s Foreign Intelligence Service (SVR) and the entity behind the attacks on SolarWinds, Microsoft, and HPE – for using service accounts and dormant accounts to access the cloud around target organizations.

Did you find this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Leave a comment