TheMoon Botnet Resurfaces, Exploiting EoL Devices to Power Criminal Proxy

March 29, 2024 at 09:09AM

In March 2024, TheMoon, a botnet long assumed dormant, was found controlling end-of-life (EoL) routers and IoT devices to power a criminal proxy service named Faceless. The service lets its customers' malicious traffic appear to originate from the compromised devices, and it has been used by malware families such as SolarMarker and IcedID to reach their C2 servers. The majority of infected hosts are in the U.S.

Key takeaways:
– TheMoon, a botnet that had been thought inactive, grew to over 40,000 bots across 88 countries in January and February 2024 and now forms the infrastructure of a criminal proxy service called Faceless.
– Faceless routes its customers' malicious traffic through tens of thousands of compromised systems, concealing the true origin of that traffic.
– The botnet primarily targets EoL small office/home office (SOHO) routers and IoT devices and uses them for password spraying and data exfiltration, with the financial sector a frequent target; a large share of the infected hosts are located in the U.S.
– The attacks deploy an updated version of TheMoon that enrolls the device into Faceless; the malware configures iptables rules on the device and attempts to contact NTP servers to confirm that it has internet connectivity.
– The reliance on EoL appliances is not coincidental: once a device stops receiving updates, its known vulnerabilities go unpatched, and such devices are often compromised through brute-force attacks on their credentials.
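A proxy node like the ones described above has a distinctive network footprint: a SOHO router or IoT device normally originates very little traffic of its own (DNS, NTP, a vendor update check), whereas a relay fans out to many unrelated destinations and moves real volume. The following script is an added example, not code from the article or from the Lumen researchers; it flags devices in an assumed inventory whose non-baseline outbound flows exceed a threshold. The flow record format, IP inventory, baseline ports and sample data are all constructed for illustration.

```python
"""
Added example (not from the article): flag SOHO/IoT devices whose own
outbound traffic looks like proxy relaying. Flow format, inventory and
thresholds are constructed assumptions a defender would replace.
"""
from collections import defaultdict

# Constructed flow records: (src_ip, dst_ip, dst_port, bytes_out).
# 192.0.2.10 plays an enrolled relay, 192.0.2.11 a healthy device,
# 192.0.2.20 a workstation that is not in the device inventory.
SAMPLE_FLOWS = [
    ("192.0.2.10", "198.51.100.1", 53, 120),     # DNS, expected for a router
    ("192.0.2.10", "198.51.100.2", 123, 76),     # NTP, expected for a router
    ("192.0.2.10", "203.0.113.5", 443, 52000),   # relayed customer traffic
    ("192.0.2.10", "203.0.113.6", 443, 41000),
    ("192.0.2.10", "203.0.113.7", 8080, 30500),
    ("192.0.2.10", "203.0.113.8", 443, 27000),
    ("192.0.2.10", "203.0.113.9", 25, 9000),
    ("192.0.2.11", "198.51.100.1", 53, 110),     # healthy device: baseline only
    ("192.0.2.11", "198.51.100.2", 123, 76),
    ("192.0.2.20", "203.0.113.5", 443, 52000),   # not a managed device, ignored
]

# Assumed inventory of EoL SOHO/IoT hosts and the ports such a device
# legitimately talks to on its own behalf.
DEVICE_IPS = {"192.0.2.10", "192.0.2.11"}
BASELINE_PORTS = {53, 123}


def relay_report(flows, device_ips=DEVICE_IPS, baseline_ports=BASELINE_PORTS,
                 min_distinct_dsts=3, min_bytes=10_000):
    """Return {device_ip: {"distinct_dsts": n, "bytes_out": b, "ports": [...]}}
    for inventory devices whose non-baseline outbound traffic reaches at least
    min_distinct_dsts distinct destinations and min_bytes bytes in total."""
    dsts = defaultdict(set)
    ports = defaultdict(set)
    nbytes = defaultdict(int)
    for src, dst, port, b in flows:
        # Only device-originated, non-baseline flows count toward the score.
        if src not in device_ips or port in baseline_ports:
            continue
        dsts[src].add(dst)
        ports[src].add(port)
        nbytes[src] += b
    return {
        ip: {
            "distinct_dsts": len(dsts[ip]),
            "bytes_out": nbytes[ip],
            "ports": sorted(ports[ip]),
        }
        for ip in dsts
        if len(dsts[ip]) >= min_distinct_dsts and nbytes[ip] >= min_bytes
    }


if __name__ == "__main__":
    for ip, stats in relay_report(SAMPLE_FLOWS).items():
        print(f"suspected relay {ip}: {stats}")
```

The thresholds are deliberately low so the constructed sample triggers; on real NetFlow or firewall logs they should be set from a baseline of each device model's normal egress, and any hit is a reason to check whether the device is still receiving firmware updates at all.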
