ESET researchers share takeaways from cooperative investigation of the Linux/Moose malware family

First detected by ESET Virus Radar in March 2015, Linux/Moose initially operated as a remotely controlled backdoor targeting Linux-based consumer routers. As presented in an ESET whitepaper on the topic in 2015, the malware can also infect other Linux-based embedded systems in its path, with compromised devices stealing unencrypted network traffic and offering proxying services to botnet operators.

Over the last year, Linux/Moose malware has evolved further. To better understand the changes, GoSecure investigated the social media fraud aspect to shed light on a previously unknown market they called “The Ego Market”, while ESET researchers focused on the technical changes in the Moose variants.

One of the key differences noticed in the new sample was the absence of a command and control (C&C) IP address hardcoded in the malware. In the new version it is instead supplied as an encrypted command line argument. This means the sample can no longer be run in isolation: to retrieve the C&C IP address, one of our test machines must first be compromised by an embedded device that is spreading the threat in the wild.

Ultimately, the changes discussed in today’s WLS blog post show that Linux/Moose’s authors have worked hard to stay under the radar.

For a deeper look at what’s new with Linux/Moose, have a look at today’s blog post at