March 26, 2024 at 11:05AM
A new variant of “TheMoon” malware botnet has infected thousands of outdated SOHO routers and IoT devices in 88 countries. Linked to the “Faceless” proxy service, it’s utilized by cybercriminals to anonymize their activities. Black Lotus Labs observed it targeting over 6,000 ASUS routers in less than 72 hours. Common signs of infection include connectivity issues and suspicious setting changes.
The meeting notes outline the emergence of a new variant of “TheMoon” malware botnet, which is infecting thousands of outdated small office and home office (SOHO) routers and IoT devices in 88 countries. The botnet is linked to the “Faceless” proxy service, which routes traffic for cybercriminals to anonymize their activities.
The latest campaign targeting ASUS routers has seen nearly 7,000 devices infected in a week, with Black Lotus Labs reporting that the malware primarily targets end-of-life ASUS routers. The attackers are leveraging known vulnerabilities in the firmware, as well as potentially brute-forcing admin passwords or exploiting default and weak credentials to gain access.
Once the malware infects a device, it sets up iptables rules to secure the compromised device from external interference, checks for sandbox environments, communicates with a list of legitimate NTP servers, and connects with the command and control (C2) server via a set of hardcoded IP addresses.
The Faceless proxy service, which routes network traffic through compromised devices for customers who pay exclusively in cryptocurrencies, does not utilize a verification process, making it available to anyone. Black Lotus Labs reports that one-third of the infected devices last over 50 days, while 15% are lost in under 48 hours.
To defend against these botnets, it’s recommended to use strong admin passwords, upgrade device firmware to the latest version, and replace end-of-life devices with actively supported models. Common signs of malware infection on routers and IoTs include connectivity problems, overheating, and suspicious setting changes.