A new variant of the notorious “TheMoon” malware botnet has been detected, targeting thousands of outdated small office and home office (SOHO) routers and IoT devices across 88 countries. This malware, associated with the “Faceless” proxy service, utilizes infected devices as proxies to anonymize cybercriminals’ activities.
Black Lotus Labs researchers have observed a rapid increase in infections, with 6,000 ASUS routers targeted in under 72 hours during the recent campaign that commenced in early March 2024. The threat analysts note that cybercrime operations like IcedID and SolarMarker are currently leveraging this proxy botnet to conceal their online actions.
TheMoon malware, initially identified in 2014, has resurfaced with a renewed vigor, primarily targeting ASUS routers. While the exact method of breaching these routers is unspecified, it is likely that attackers exploit known vulnerabilities in end-of-life firmware versions. Alternatively, attackers may employ brute-force attacks to compromise devices with default or weak credentials.
Once infiltrated, the malware executes a series of actions, including checking for compatible shell environments, dropping and executing a payload, setting up iptables rules to secure the compromised device, and attempting to establish communication with a command and control (C2) server.
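A defender-side check for the iptables tampering described above, added here as an example and not code from the article or from Black Lotus Labs: it diffs a router's `iptables -S` output against a known-good baseline and labels each rule that was not expected. The baseline, the rule dump and the port and address in it are constructed for illustration.

```python
import re

# Known-good rule set for this router (constructed baseline).
BASELINE_RULES = {
    "-P INPUT ACCEPT",
    "-P FORWARD ACCEPT",
    "-P OUTPUT ACCEPT",
    "-A INPUT -i lo -j ACCEPT",
    "-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT",
}

# Constructed `iptables -S` output after an implant added its own rules
# (hypothetical port and address; not indicators from the article).
SAMPLE_DUMP = """\
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -j DROP
-A INPUT -s 203.0.113.0/24 -p tcp -m tcp --dport 8080 -j ACCEPT
"""

def normalize(rule):
    """Collapse whitespace so equivalent rules compare equal."""
    return re.sub(r"\s+", " ", rule.strip())

def parse_dump(dump):
    """Split an `iptables -S` dump into normalized rule strings."""
    return [normalize(l) for l in dump.splitlines() if l.strip()]

def unexpected_rules(dump, baseline=BASELINE_RULES):
    """Return rules on the device that are absent from the baseline."""
    base = {normalize(r) for r in baseline}
    return [r for r in parse_dump(dump) if r not in base]

def classify(rule):
    """Say why an unexpected rule deserves a look on a SOHO router."""
    if " -j DROP" in rule and "--dport" in rule:
        return "drops inbound traffic to a port the baseline left open"
    if " -s " in rule and " -j ACCEPT" in rule:
        return "allow-lists a specific source network"
    return "not in baseline"

if __name__ == "__main__":
    for r in unexpected_rules(SAMPLE_DUMP):
        print(f"{classify(r):60} {r}")
```

On a real device, feed the script the live `iptables -S` output and keep the baseline under version control so changes to it are reviewed rather than silently accepted.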
The Faceless proxy service, associated with TheMoon, routes network traffic through compromised devices for cybercriminals who pay in cryptocurrencies. To protect their infrastructure from detection, Faceless operators ensure that each infected device communicates with only one server throughout the infection duration.
To mitigate the risk of infection, users are advised to strengthen admin passwords, update device firmware, and replace end-of-life devices with actively supported models. Signs of router or IoT device infection include connectivity issues, overheating, and suspicious setting changes.
While TheMoon and Faceless operations share a connection, not all malware infections contribute to the Faceless proxying botnet. Vigilance and proactive security measures are crucial in defending against such cyber threats.