Wednesday, December 11, 2024

The Moon Malware Hacked 6,000 ASUS Routers in 72hours to Use for Proxy


Black Lotus Labs discovered a multi-year campaign by TheMoon malware targeting vulnerable routers and turning them into bots for the Faceless proxy service.

TheMoon bots grew to over 40,000 in early 2024 and enabled Faceless to gain nearly 7,000 new users weekly.

In late 2023, Black Lotus Labs identified a botnet targeting end-of-life SOHO/IoT devices: a variant of the previously dormant TheMoon botnet that infects devices and enrolls them in the Faceless residential proxy service.

Logical Overview of Faceless Network

Faceless is a successor to the iSocks anonymity service and is popular among cybercriminals for anonymizing their activity. The strong correlation between TheMoon bots and Faceless suggests TheMoon is the main supplier of bots for the Faceless proxy service.

The researchers mapped the Faceless network and observed a campaign targeting 6,000 ASUS routers within 3 days. Lumen Technologies blocked traffic to and from Faceless and TheMoon infrastructure and released indicators of compromise to disrupt the operation.

An initial loader, exploiting shell availability on the device, infects it and then establishes persistence, sets firewall rules for specific IP ranges, and uses a spoofed NTP request to verify internet connectivity.

Following a connection attempt to hardcoded IPs and a potential check-in packet, the malware retrieves a secondary payload (worm or proxy) based on instructions from the C2 server. 

Check-in packet from debugger on the left and packet capture on the right

The Worm Module spreads by exploiting vulnerable web servers and downloading additional modules along with the .sox file. Upon execution, .sox checks for updates, establishes a connection with the Faceless C2 server, and reads Lumen reports.

The .sox.twn file

If no update file is found, it connects using a hardcoded IP address. Upon receiving the update file, .sox extracts the C2 server address, initiates communication on a random port, and then receives additional scripts that update C2 information or remove traces of the malware, re

The investigation revealed a strong correlation between TheMoon botnet and the Faceless proxy service: significant overlap was observed between the bots communicating with TheMoon C2 servers and those communicating with Faceless C2 servers.

Chart showing the delta between when an infected device communicates with a Moon and Faceless Server

Most new TheMoon bots contacted a Faceless C2 server within 3 days, both services used the same communication port scheme, and the researchers found a Faceless C2 server communicating directly with a TheMoon C2 server, strongly suggesting TheMoon is the primary botnet feeding Faceless.

Graphic showing the Moon Elf file hosted on a Faceless C2

Global Telemetry Analysis – Faceless

TheMoon malware infects devices and communicates with its C2 server. A subset of these devices are enrolled in the Faceless proxy network, where they receive instructions from Faceless C2s and route traffic through an intermediary server before it reaches the final destination.

Longevity of Faceless bots

The network is particularly useful for bypassing geolocation and IP-based blocking. Telemetry analysis shows that while 30,000 bots communicate with TheMoon C2 weekly, only 23,000 connect to Faceless C2s, indicating that some devices interact with TheMoon but not with Faceless.
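The two measurements the report describes, the delay between a device's first TheMoon C2 contact and its first Faceless C2 contact, and the split between devices seen with both services and devices seen with TheMoon only, can be reproduced from ordinary flow telemetry. The following is an added example, not code from Black Lotus Labs or Lumen; the C2 address sets and the flow records are constructed (RFC 5737 documentation addresses stand in for the real indicators, which the page does not list), and the record layout `(timestamp, src_ip, dst_ip, dst_port)` is an assumption about the telemetry format.

```python
"""Correlate per-device C2 contacts across two C2 classes (added example).

Given flow records, compute for each source device the time from its first
TheMoon C2 contact to its first Faceless C2 contact, and partition devices
into both / TheMoon-only / Faceless-only, the way the article's chart and
weekly counts are derived.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed indicator sets (placeholders, not the published IoCs).
MOON_C2 = {"192.0.2.10", "192.0.2.11"}
FACELESS_C2 = {"198.51.100.20", "198.51.100.21"}

# Constructed flow records: (timestamp, src_ip, dst_ip, dst_port).
FLOWS = [
    ("2024-01-01T00:00:00", "203.0.113.5", "192.0.2.10", 8080),
    ("2024-01-02T12:00:00", "203.0.113.5", "198.51.100.20", 8080),
    ("2024-01-01T06:00:00", "203.0.113.6", "192.0.2.11", 8080),
    ("2024-01-05T06:00:00", "203.0.113.6", "198.51.100.21", 8080),
    ("2024-01-03T00:00:00", "203.0.113.7", "192.0.2.10", 8080),      # TheMoon only
    ("2024-01-04T00:00:00", "203.0.113.8", "198.51.100.20", 8080),   # Faceless only
    ("2024-01-04T00:00:00", "203.0.113.9", "203.0.113.1", 443),      # unrelated traffic
]


def first_contacts(flows):
    """Return {src_ip: {"moon": first_ts, "faceless": first_ts}} for any
    device that reached either C2 class; flows to other hosts are ignored."""
    seen = defaultdict(dict)
    for ts, src, dst, _port in flows:
        if dst in MOON_C2:
            key = "moon"
        elif dst in FACELESS_C2:
            key = "faceless"
        else:
            continue
        t = datetime.fromisoformat(ts)
        if key not in seen[src] or t < seen[src][key]:
            seen[src][key] = t
    return seen


def enrolment_delays(flows):
    """Days from first TheMoon contact to first Faceless contact, for each
    device seen with both (negative would mean Faceless was seen first)."""
    return {
        src: (c["faceless"] - c["moon"]) / timedelta(days=1)
        for src, c in first_contacts(flows).items()
        if "moon" in c and "faceless" in c
    }


def partition(flows):
    """Split devices into both / TheMoon-only / Faceless-only, sorted lists."""
    seen = first_contacts(flows)
    return {
        "both": sorted(s for s, c in seen.items() if "moon" in c and "faceless" in c),
        "moon_only": sorted(s for s, c in seen.items() if "moon" in c and "faceless" not in c),
        "faceless_only": sorted(s for s, c in seen.items() if "faceless" in c and "moon" not in c),
    }


def share_within(flows, days=3):
    """Fraction of dual-contact devices whose Faceless contact followed the
    TheMoon contact within `days` days (the article's 3-day window)."""
    delays = enrolment_delays(flows)
    if not delays:
        return 0.0
    return sum(1 for d in delays.values() if 0 <= d <= days) / len(delays)


if __name__ == "__main__":
    for src, d in sorted(enrolment_delays(FLOWS).items()):
        print(f"{src}: Faceless contact {d:.1f} days after TheMoon contact")
    print(partition(FLOWS))
    print(f"share enrolled within 3 days: {share_within(FLOWS):.0%}")
```

Devices in the `moon_only` bucket are the ones the report flags as unexplained (suspected credential stuffing or data exfiltration use), so on real telemetry that bucket, not the `both` bucket, is the one worth a closer look.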

The researchers suspect that the remaining bots might be used for credential stuffing or financial data exfiltration.

Interestingly, some long-lasting connections originate from known threat actor infrastructure, indicating they might be using Faceless for additional anonymity.


Tushar Subhra