A botnet known as TheMoon, previously thought to be inactive, has resurfaced and is now enslaving end-of-life small office/home office (SOHO) routers and IoT devices to power a criminal proxy service called Faceless. This proxy service, detailed by security journalist Brian Krebs, allows malicious actors to conceal their true origins by routing their traffic through the compromised systems advertised on the service. The infrastructure backing Faceless has been used by malware operators to connect to their command-and-control servers and hide their IP addresses.
The malicious activity was first observed by Lumen Technologies in late 2023, with the goal of breaching end-of-life SOHO routers and IoT devices to deploy an updated version of TheMoon and enroll them in Faceless. The attacks involve dropping a loader that fetches an ELF executable from a C2 server and configures iptables rules so that the infected device proxies traffic to the internet on behalf of a user of the service. The malware also attempts to contact legitimate NTP servers to determine whether it has internet connectivity.
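A defender-side audit that goes with the iptables behaviour described above, as an added example that is not from the article or from Lumen's report: it scans an iptables-save dump (constructed here) for rules that would let unsolicited connections arriving on the WAN interface be forwarded or answered, which is what a router has to allow before it can relay someone else's traffic. The interface name eth0 and the sample rules are assumptions.

```python
"""Audit an iptables-save dump for rules that would let a SOHO router relay
traffic arriving on its WAN side. Example code added to this article; the
rule text below is constructed and not taken from any real infection."""
import re

WAN = "eth0"  # assumption: the router's internet-facing interface name

# Constructed sample in iptables-save format: a normal home NAT setup plus
# three rules that would expose the box to unsolicited WAN connections.
SAMPLE = """\
*nat
-A POSTROUTING -o eth0 -j MASQUERADE
-A PREROUTING -i eth0 -p tcp --dport 8080 -j DNAT --to-destination 192.168.1.2:3128
COMMIT
*filter
-A INPUT -i eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 1080 -j ACCEPT
-A FORWARD -i eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -i br0 -o eth0 -j ACCEPT
COMMIT
"""


def find_relay_rules(dump: str, wan: str = WAN) -> list[tuple[str, str, str]]:
    """Return (table, rule, reason) for rules that admit unsolicited WAN traffic."""
    findings, table = [], None
    wan_in = re.compile(rf"-i {re.escape(wan)}(?:\s|$)")
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):          # table header, e.g. *nat
            table = line[1:]
            continue
        if not line.startswith("-A"):     # skip COMMIT, policies, comments
            continue
        from_wan = wan_in.search(line) is not None
        # Rules that only admit replies to connections the LAN opened are benign.
        replies_only = re.search(r"--ctstate\s+\S*ESTABLISHED", line) is not None
        if table == "nat" and from_wan and re.search(r"-j (DNAT|REDIRECT)\b", line):
            findings.append((table, line, "WAN port forward"))
        elif table == "filter" and from_wan and line.endswith("-j ACCEPT") and not replies_only:
            chain = line.split()[1]
            if chain == "FORWARD":
                findings.append((table, line, "forwards new WAN connections"))
            elif chain == "INPUT":
                findings.append((table, line, "WAN-reachable listener"))
    return findings


if __name__ == "__main__":
    for table, rule, reason in find_relay_rules(SAMPLE):
        print(f"[{table}] {reason}: {rule}")
```

Run it against `iptables-save` output from a router you administer and compare the findings with the port forwards you configured yourself; anything left over deserves a look.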
The targeting of end-of-life appliances for the botnet is deliberate: these devices are no longer supported by the manufacturer, so security flaws in them go unpatched and accumulate over time. Analysis of the proxy network shows that infections can last for extended periods, with over 30% lasting more than 50 days. Faceless has become a significant tool for cyber criminals to obfuscate their activity, with TheMoon being the primary supplier of bots for the proxy service.
The Faceless proxy service, which costs less than a dollar per day, has grown to over 40,000 bots from 88 countries in early 2024. The majority of infected hosts are located in the U.S. and are used for activities such as password spraying and data exfiltration, particularly targeting the financial sector. The Black Lotus Labs team at Lumen Technologies has been monitoring the activity of TheMoon and Faceless, highlighting the ongoing threat posed by these malicious operations.
