Malware analysis

MOOSE Malware: Basics

Security Ninja
June 23, 2015 by
Security Ninja

In this article series, we will learn about a famous Linux family of malware known as MOOSE, which is used to steal unencrypted traffic over the wire and infect other devices automatically. This malware steals HTTP cookies and performs non-legitimate "likes," "views" etc. on social networking sites. In the complete article series, we will learn about what this malware is, how it operates, some analysis, possible Indicators of Compromise (IOCs), and cleaning and prevention Strategies.

Please note that this is just a kind of introduction to MOOSE malware. More technical details about these articles will be covered in the Part 2 of this article.

Become a certified reverse engineer!

Become a certified reverse engineer!

Get live, hands-on malware analysis training from anywhere, and become a Certified Reverse Engineering Analyst.

What is MOOSE malware?

Moose malware is a standards statically linked ELF binary which relies on multithreading for its operations and targets consumer routers and modems. This malware can eavesdrop on traffic flowing both inbound/outbound, which are located behind the infected router, laptops and even mobile phones. The main agenda of Moose is to spread quickly other than exploiting any other vulnerability. It mainly looks out for routers with weak/default credentials to replicate itself.

MOOSE Features

Following are the MOOSE features, which mainly pertain to MOOSE's functionality

  • MOOSE affects Linux-based embedded devices running on the MIPS and ARM architecture.
  • MOOSE has a proxy component also mainly HTTP and SOCKS.
  • It also targets the consumer routers provided by the ISPs. In addition, it can eaves drop on communications of devices behind the infected router.
  • It's mainly target is social networks and goal is to perform fraud at these social networking sites
  • It spreads with routers and modems that have very weak credentials.
  • It communicates with a C&C server and sends the traffic captured from eavesdropping.
  • To avoid NAT protections it can tunnel traffic from a relay C&C server to other hosts.
  • MOOSE malware contains two types of C&C servers:
    • Reporting C&C server: This C&C server will be used for reporting and Infection.
    • Relay C&C server: This C&C server is used for relay.
  • [download]

    MOOSE targets Social Networks?

    As we can see from the above capabilities, this type of malware can be used to perform any sort of attack like DDoS, DNS hijacking using MITM attacks etc., but this malware is specifically designed for performing frauds in social networks. This malware is made to steal the HTTP cookies from famous social networking sites:

    • Twitter: twll, twid
    • Google: SAPISID,APISID
    • Facebook: c_user
    • Youtube: LOGIN_INFO

    But the question is still unanswered. Why Social Networks?

    • Main success rate of this MOOSE malware is to steal the HTTP cookies. There were times when these social networking sites operate over HTTP, so this attack was much stealthier. Nowadays all these popular social networking sites like Google, Facebook, and Instagram operate over HTTPS, so this attack now in this respect won't work.
    • To commit fraud on these social networking sites, it needs a reputable IP address and for a social network site operator; there is probably nothing more reputable than IP addresses being issued by ISPs

    For this article, I am jumping directly to IoC of this particular malware. I will definitely cover the analysis part of this malware in the next part of this series.

    Indicators of Compromise (IoCs)

    Following are the IoC's for MOOSE. It will be categorized in two ways:

    • Host-based Indicators. Following are the Host Based Indicators:
      • Presence of a binary elan2 on the system and a process named elan2 running.
      • A process listening on
    • Network based indicators: Network based IoC are provided in a text file along with this article.
    • YARA rule: Using yara file named linux-moose.yar at github . moose files can be identified like below
      • yara –r linux-moose.yar dir/

    What else can MOOSE do?

    As we talked about earlier, MOOSE can be used to conduct specific types of other attacks as well:

    Become a certified reverse engineer!

    Become a certified reverse engineer!

    Get live, hands-on malware analysis training from anywhere, and become a Certified Reverse Engineering Analyst.
    • DDoS: This capability is not built in the MOOSE but can be conducted using SOCKS proxy
    • Network Recon: MOOSE can be used to explore the network as it has the capability to do NAT traversal. In addition, it has an integrated sniffer, which is configured by the C&C server.

    This covers an introduction of MOOSE. We will get into more technical details in the second part of this series.

    Security Ninja
    Security Ninja