
TheMoon Botnet Targets EOL Devices to Grow Faceless Proxy Service

By Business Outstanders | Published: April 3, 17:03 | Updated: April 3, 17:05

A botnet previously thought to be inactive has been observed enslaving end-of-life (EoL) small office/home office (SOHO) routers and IoT devices to fuel a criminal proxy service called Faceless.

"TheMoon, which emerged in 2014, has been operating covertly while growing to over 40,000 bots from 88 countries in January and February of 2024," said the Black Lotus Labs team at Lumen Technologies. 

Faceless, detailed by security journalist Brian Krebs in April 2023, is a malicious residential proxy service that has offered its anonymity services to other threat actors for a nominal fee of less than one dollar per day. This allows the customers to route their malicious traffic through tens of thousands of compromised systems advertised on the service, effectively concealing their true origins. 

Infrastructure backed by Faceless has been assessed to be used by operators of malware such as SolarMarker and IcedID to reach their command-and-control (C2) servers while hiding their own IP addresses.

A majority of the bots are used for password spraying and/or data exfiltration, primarily targeting the financial sector; more than 80% of the infected hosts are located in the U.S.

Lumen observed the malicious activity in late 2023; its goal was to breach EoL SOHO routers and IoT devices, deploy an updated version of TheMoon, and ultimately enroll the compromised devices into Faceless. The attacks involve dropping a loader that fetches an ELF executable from a C2 server. That payload includes a worm module that spreads to other vulnerable servers and a file named ".sox" that proxies traffic from the bot to the internet on behalf of a Faceless user.

In addition, the malware configures firewall rules that drop incoming TCP traffic on ports 8080 and 80 while allowing traffic from three different IP ranges. It also attempts to contact one of a list of legitimate NTP servers, likely to confirm that the infected device has internet connectivity and is not running in a sandbox. The targeting of EoL appliances to build the botnet is no coincidence: they are no longer supported by the manufacturer, so vulnerabilities in them go unpatched and accumulate over time. It is also possible that some devices are compromised through brute-force attacks.
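The firewall change described above is something a defender can look for directly on a router or gateway that exposes a shell. The following script is an added example written for this article, not code from Lumen's report or from the malware: it parses `iptables -S` style output and flags the combination of INPUT rules dropping TCP 80 and 8080 alongside source-only ACCEPT rules for specific IP ranges. Both rulesets below are constructed samples using documentation address ranges, the exact rule syntax the malware emits is an assumption, and a match is a lead for investigation (compare against the device's known configuration and look for the loader and ".sox" artifacts), not proof of infection on its own.

```python
"""Flag iptables INPUT rules that match the pattern described in the article."""
import re
from dataclasses import dataclass, field

# Constructed `iptables -S` output for a hypothetical infected SOHO router.
# Assumed shape; not taken from the article, the report, or any real device.
SUSPECT_RULES = """\
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -s 203.0.113.0/24 -j ACCEPT
-A INPUT -s 198.51.100.0/24 -j ACCEPT
-A INPUT -s 192.0.2.0/24 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -j DROP
-A INPUT -p tcp -m tcp --dport 80 -j DROP
"""

# Constructed ruleset for an ordinary, uninfected router (should not be flagged).
BENIGN_RULES = """\
-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
"""

# Ports the article says the malware blocks on the INPUT side.
WATCHED_PORTS = {80, 8080}

RULE_RE = re.compile(r"^-A\s+INPUT\s+(?P<body>.*)$")
SRC_RE = re.compile(r"(?<!\S)-s\s+(\S+)")      # "-s <range>", not "--state"
DPORT_RE = re.compile(r"--dport\s+(\d+)")
TARGET_RE = re.compile(r"-j\s+(\S+)")


@dataclass
class Finding:
    suspicious: bool = False
    dropped_ports: set = field(default_factory=set)
    allowed_sources: list = field(default_factory=list)
    reasons: list = field(default_factory=list)


def analyse_input_chain(rules_text: str) -> Finding:
    """Report whether the INPUT chain drops TCP 80/8080 while accepting
    traffic from specific source ranges with no port or state qualifier."""
    f = Finding()
    for raw in rules_text.splitlines():
        m = RULE_RE.match(raw.strip())
        if not m:
            continue  # policy lines and other chains are out of scope here
        body = m.group("body")
        tgt = TARGET_RE.search(body)
        target = tgt.group(1) if tgt else ""
        dport = DPORT_RE.search(body)
        src = SRC_RE.search(body)

        if target == "DROP" and "-p tcp" in body and dport:
            port = int(dport.group(1))
            if port in WATCHED_PORTS:
                f.dropped_ports.add(port)
        # An ACCEPT keyed only on a source range is the shape the article
        # describes; port- or state-specific allows are normal admin rules.
        if target == "ACCEPT" and src and not dport and "--state" not in body:
            f.allowed_sources.append(src.group(1))

    if f.dropped_ports:
        f.reasons.append(f"INPUT drops TCP on {sorted(f.dropped_ports)}")
    if f.allowed_sources:
        f.reasons.append(f"source-only ACCEPT for {len(f.allowed_sources)} range(s)")
    # Both halves of the pattern must be present to raise the flag.
    f.suspicious = f.dropped_ports == WATCHED_PORTS and len(f.allowed_sources) >= 1
    return f


if __name__ == "__main__":
    for name, text in (("suspect", SUSPECT_RULES), ("benign", BENIGN_RULES)):
        r = analyse_input_chain(text)
        print(f"{name}: suspicious={r.suspicious}; "
              f"{'; '.join(r.reasons) or 'nothing notable'}")
```

On a live device the input would come from `iptables -S INPUT` (or the vendor's equivalent) rather than the embedded strings; the heuristic deliberately ignores port- and state-qualified ACCEPT rules so that ordinary management allow-lists do not trigger it.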

Additional analysis of the proxy network revealed that more than 30% of infections lasted over 50 days, while about 15% of the devices remained part of the network for 48 hours or less.

"Faceless has become a formidable proxy service that rose from the ashes of the 'iSocks' anonymity service and has become an integral tool for cyber criminals in obfuscating their activity," said the company. "TheMoon is the primary, if not the only, supplier of bots to the Faceless proxy service."
