A new iteration of "TheMoon" malware botnet has emerged, targeting numerous outdated small office and home office (SOHO) routers and Internet of Things (IoT) devices in 88 countries. This variant of TheMoon is associated with the "Faceless" proxy service, utilizing infected devices to serve as proxies for cybercriminals seeking to anonymize their malicious activities.
Researchers from Black Lotus Labs, who have been monitoring the latest TheMoon campaign since its inception in early March 2024, have noted a significant uptick in infections. In under 72 hours, they observed the targeting of 6,000 ASUS routers. The threat analysts also highlight that other malware operations such as IcedID and SolarMarker are currently leveraging the proxy botnet to obscure their online activities.
TheMoon malware first surfaced in 2014, initially exploiting vulnerabilities to infect Linksys devices. Its latest campaign has expanded its reach, infecting nearly 7,000 devices in a single week, with ASUS routers as the primary target.
Black Lotus Labs researchers, drawing on Lumen's global network visibility, mapped the logical structure of the Faceless proxy service. That mapping included a campaign that specifically targeted more than 6,000 ASUS routers within the first week of March 2024.
Although the exact method used to breach the ASUS routers is not specified, attackers likely exploited known vulnerabilities in the firmware of end-of-life device models. Additionally, attackers may have resorted to brute-forcing admin passwords or exploiting default and weak credentials.
Once the malware infiltrates a device, it checks for specific shell environments and executes a payload named ".nttpd," which creates a PID file with a version number. The malware then sets up iptables rules to secure the compromised device from external interference and attempts to contact legitimate NTP servers to verify internet connectivity.
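The two host-side artefacts the report names, a payload called ".nttpd" and iptables rules added after compromise, are the kind of thing a defender can check for during router triage. The script below is an added example, not code from the report or from Black Lotus Labs: it takes a captured process listing and an `iptables -S` ruleset as text, reports any process whose command contains ".nttpd", and lists firewall rules that are absent from a known-good baseline. The sample listing, the `/tmp/.nttpd` path and the extra `--dport 8080 -j DROP` rule are constructed for the offline run and are not indicators taken from the report.

```shell
#!/bin/sh
# Added defender-side triage helper (not from the report). Inputs are plain
# text so it runs offline against captured output; on a live device you would
# feed it the output of `ps` and `iptables -S` instead of the samples below.

# Print the ps lines whose command field contains ".nttpd"; exit 1 if none.
find_nttpd() {
    # $1 = text of a `ps` listing
    printf '%s\n' "$1" | grep -F '.nttpd'
}

# Print rules present in the current ruleset but missing from the baseline.
# Both arguments are in `iptables -S` format, one rule per line.
new_rules() {
    # $1 = baseline ruleset, $2 = current ruleset
    printf '%s\n' "$2" | while IFS= read -r rule; do
        [ -n "$rule" ] || continue
        # -- stops grep from reading the leading "-A"/"-P" as an option
        printf '%s\n' "$1" | grep -Fxq -- "$rule" || printf '%s\n' "$rule"
    done
}

# Constructed sample data for the offline run (not real captures).
SAMPLE_PS='  PID USER       COMMAND
    1 root       init
  412 root       /usr/sbin/httpd
  987 root       /tmp/.nttpd'
BASELINE_RULES='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT'
CURRENT_RULES='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport 8080 -j DROP'

# Run both checks over the sample data and print anything worth a closer look.
triage() {
    hits=$(find_nttpd "$SAMPLE_PS") && printf 'suspicious process:\n%s\n' "$hits"
    added=$(new_rules "$BASELINE_RULES" "$CURRENT_RULES")
    [ -z "$added" ] || printf 'rules not in baseline:\n%s\n' "$added"
}

triage
```

The baseline comparison matters more than the process-name match: a renamed payload slips past `grep`, but a rule that restricts inbound access to the device and that no administrator added still stands out against a ruleset recorded when the router was known to be clean.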
Furthermore, Faceless, the cybercrime proxy service associated with TheMoon, routes network traffic through compromised devices, primarily catering to customers who exclusively pay in cryptocurrencies. To evade detection by researchers, Faceless operators ensure that each infected device communicates with only one server for the duration of the infection.
While there is a clear connection between TheMoon and Faceless, the two operations seem to function as separate cybercrime ecosystems, as not all malware infections become part of the Faceless proxying botnet.
To defend against such botnets, users are advised to set strong admin passwords and to update their devices' firmware regularly so that known vulnerabilities are patched. Devices that have reached End-of-Life (EOL) status no longer receive such patches and should be replaced with actively supported models.
Common indicators of malware infection on routers and IoT devices include connectivity issues, overheating, and suspicious alterations to device settings.