Software: MoonWind

From enterprise
Jump to: navigation, search
MoonWind
Software
ID S0149
Aliases MoonWind
Type Malware

MoonWind is a remote access tool (RAT) that was used in 2016 to target organizations in Thailand.1

Techniques Used

  • New Service - MoonWind installs itself as a new service with automatic startup to establish persistence. The service checks every 60 seconds to determine if the malware is running; if not, it will spawn a new instance.1
  • Data Staged - MoonWind saves information from its keylogging routine as a .zip file in the present working directory.1
  • Commonly Used Port - MoonWind communicates over ports 80, 443, 53, and 8080 via raw sockets instead of the protocols usually associated with the ports.1
  • Scripting - MoonWind uses batch scripts for various purposes, including to restart and uninstall itself.1