Thursday, February 13, 2025

The Moon Malware Hacked 6,000 ASUS Routers in 72 Hours to Use for Proxy

Black Lotus Labs discovered a multi-year campaign by TheMoon malware targeting vulnerable routers and turning them into bots for the Faceless proxy service.

TheMoon bots grew to over 40,000 in early 2024 and enabled Faceless to gain nearly 7,000 new users weekly.

In late 2023, Black Lotus Labs identified a botnet targeting end-of-life SOHO/IoT devices. It is a variant of the previously dormant TheMoon botnet, and it infects devices and enrolls them in the Faceless residential proxy service.

Logical Overview of Faceless Network

Faceless is a successor to the iSocks anonymity service and is popular among cybercriminals for anonymizing their activity. The strong correlation between TheMoon bots and Faceless suggests that TheMoon is the main supplier of bots to the Faceless proxy service.

Black Lotus Labs mapped the Faceless network and observed a campaign that targeted 6,000 ASUS routers within 3 days. Lumen Technologies blocked traffic to and from Faceless and TheMoon infrastructure and released indicators of compromise to disrupt the operation.

An initial loader, which exploits an available shell on the device, infects it and then establishes persistence, sets firewall rules for specific IP ranges, and uses a spoofed NTP request to verify internet connectivity.

Following a connection attempt to hardcoded IPs and a potential check-in packet, the malware retrieves a secondary payload (worm or proxy) based on instructions from the C2 server. 

Check-in packet from debugger on the left and packet capture on the right

The worm module spreads by exploiting vulnerable web servers and downloading additional modules and the .sox file. Upon execution, it checks for updates, establishes a connection with the Faceless C2 server, and reads Lumen reports.

The .sox.twn file

If no update file is found, it uses a hardcoded IP address to connect, and upon receiving the update file, .sox extracts the C2 server address, initiates communication on a random port, and then sends additional scripts to update C2 information or removes traces of the malware, re

The investigation revealed a strong correlation between TheMoon botnet and the Faceless proxy service: a significant overlap was observed between the bots communicating with TheMoon C2 servers and those communicating with Faceless C2 servers.

Chart showing the delta between when an infected device communicates with a Moon and Faceless Server

Most new TheMoon bots contacted a Faceless C2 server within 3 days, both services used the same communication port scheme, and a Faceless C2 server was found communicating directly with a TheMoon C2 server, strongly suggesting that TheMoon is the primary botnet feeding Faceless.

Graphic showing the Moon Elf file hosted on a Faceless C2

Global Telemetry Analysis – Faceless

TheMoon malware infects devices, which then communicate with its C2 server. A subset of these devices is enrolled in the Faceless proxy network, where they receive instructions from Faceless C2s and route traffic through an intermediary server before it reaches the final destination.

Longevity of Faceless bots

The network is particularly useful for bypassing geolocation and IP-based blocking. Analysis shows that while 30,000 bots communicate with TheMoon C2 weekly, only 23,000 connect to Faceless C2s, suggesting that some devices interact with TheMoon but not with Faceless.

It is suspected that the remaining bots might be used for credential stuffing or financial data exfiltration.

Interestingly, some long-lasting connections originate from known threat actor infrastructure, indicating they might be using Faceless for additional anonymity.
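The correlation described above (how soon after first contacting TheMoon a device reaches a Faceless C2, and which devices talk to TheMoon only) can be reproduced from flow telemetry. The script below is an added example, not Black Lotus Labs' tooling; the C2 addresses and flow records are constructed placeholders from RFC 5737 documentation ranges, not indicators from the report.

```python
"""Correlate per-device first contact with TheMoon and Faceless C2 addresses.

Added example, not Black Lotus Labs' tooling. C2 addresses and flow records are
constructed placeholders (RFC 5737 ranges), not indicators from the report.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed placeholder C2 labels (documentation ranges, not real IoCs).
MOON_C2 = {"192.0.2.10", "192.0.2.11"}
FACELESS_C2 = {"198.51.100.20", "198.51.100.21"}
ENROLL_WINDOW = timedelta(days=3)  # report: most bots reached Faceless within 3 days

# Constructed flow records: (timestamp, source device, destination).
FLOWS = [
    ("2024-01-02T10:00:00", "10.0.0.5", "192.0.2.10"),
    ("2024-01-03T08:30:00", "10.0.0.5", "198.51.100.20"),  # enrolled within 3 days
    ("2024-01-02T11:00:00", "10.0.0.6", "192.0.2.11"),
    ("2024-01-09T11:00:00", "10.0.0.6", "198.51.100.21"),  # enrolled after the window
    ("2024-01-04T09:00:00", "10.0.0.7", "192.0.2.10"),     # TheMoon only
    ("2024-01-04T09:05:00", "10.0.0.7", "203.0.113.9"),    # unrelated traffic
]


def first_contacts(flows):
    """Return {device: {"moon": ts, "faceless": ts}} with the earliest contact per family."""
    seen = defaultdict(dict)
    for ts, src, dst in flows:
        when = datetime.fromisoformat(ts)
        family = "moon" if dst in MOON_C2 else "faceless" if dst in FACELESS_C2 else None
        if family and (family not in seen[src] or when < seen[src][family]):
            seen[src][family] = when
    return seen


def classify(flows, window=ENROLL_WINDOW):
    """Bucket devices: Faceless contact within the window after TheMoon, outside it,
    or TheMoon-only (the report's 'remaining bots' that never reach Faceless)."""
    out = {"within_window": {}, "outside_window": {}, "moon_only": []}
    for dev, fc in first_contacts(flows).items():
        if "moon" not in fc:
            continue  # Faceless-only hosts are outside this correlation
        if "faceless" not in fc:
            out["moon_only"].append(dev)
            continue
        delta = fc["faceless"] - fc["moon"]
        bucket = "within_window" if timedelta(0) <= delta <= window else "outside_window"
        out[bucket][dev] = delta
    return out


if __name__ == "__main__":
    for bucket, members in classify(FLOWS).items():
        print(bucket, members)
```

Replacing the placeholder sets with the indicators Lumen published and the constructed flows with real NetFlow or firewall logs gives the same three buckets over live telemetry.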

Tushar Subhra
