
    TheMoon botnet resurfaces, using EoL devices to power a criminal proxy service

    By techempire

    Report, March 29, 2024, Editorial Department, Cyber Security / IoT Security

    A botnet previously thought to have gone dormant has been observed enslaving end-of-life (EoL) small office/home office (SOHO) routers and IoT devices to power a criminal proxy service called Faceless.

    Lumen Technologies’ Black Lotus Labs team said: “TheMoon emerged in 2014 and has been quietly operating while growing to more than 40,000 bots from 88 countries in January and February 2024.”

    Faceless, a malicious residential proxy service detailed in April 2023 by security journalist Brian Krebs, provides anonymity to other threat actors for a negligible fee of less than $1 per day.

    In doing so, it allows customers to route their malicious traffic through the tens of thousands of compromised systems advertised on the service, effectively concealing the true origin of the activity.

    According to the assessment, the infrastructure supported by Faceless is used by operators of malware such as SolarMarker and IcedID to connect to their command-and-control (C2) servers while obfuscating their true IP addresses.

    That said, most of the bots are used for password spraying and/or data exfiltration, primarily targeting the financial sector, with over 80% of infected hosts located in the United States.

    Lumen said it first observed the malicious activity in late 2023, with the threat actor targeting EoL SOHO routers and IoT devices, deploying an updated version of TheMoon, and ultimately enrolling the botnet into Faceless.

    The attacks involve dropping a loader responsible for fetching an ELF executable from the C2 server. The payloads include a worm module that spreads itself to other vulnerable devices, and another file called “.sox” that is used to proxy traffic from the bot to the internet on behalf of a Faceless user.

    Additionally, the malware configures iptables rules to drop incoming TCP traffic on ports 8080 and 80 while allowing traffic from three specific IP ranges. It also attempts to contact a list of legitimate NTP servers, likely to determine whether the infected device has internet connectivity and is not running in a sandbox.
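    The iptables pattern described above (blanket DROP on inbound TCP 80/8080 paired with ACCEPT rules for a few source ranges) is something a defender can check for in a rule dump. The following is an added example, not code from the article or from Black Lotus Labs; the rule text is constructed in the `iptables -S`-style format and the IP ranges are documentation placeholders, not indicators from the report.

```python
"""Flag the firewall pattern attributed to TheMoon: inbound TCP 80 and 8080
dropped, combined with source-based ACCEPT rules. Input is constructed text
in the format `iptables -S INPUT` prints; ranges are RFC 5737 placeholders."""
import re
from dataclasses import dataclass, field

# Constructed sample rule set, not captured from a real device.
SAMPLE_RULES = """\
-P INPUT ACCEPT
-A INPUT -s 203.0.113.0/24 -j ACCEPT
-A INPUT -s 198.51.100.0/24 -j ACCEPT
-A INPUT -s 192.0.2.0/24 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -j DROP
-A INPUT -p tcp -m tcp --dport 80 -j DROP
"""

# A benign rule set that only blocks one port and allows nothing by source.
BENIGN_RULES = """\
-P INPUT DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j DROP
"""

DROP_RE = re.compile(r"^-A INPUT\b.*-p tcp\b.*--dport (\d+)\b.*-j DROP$")
ACCEPT_RE = re.compile(r"^-A INPUT -s (\S+) -j ACCEPT$")


@dataclass
class Finding:
    dropped_ports: set = field(default_factory=set)
    allowed_sources: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Both halves of the described pattern must be present to flag.
        return {"80", "8080"} <= self.dropped_ports and bool(self.allowed_sources)


def analyze(rules: str) -> Finding:
    """Parse INPUT-chain rules and collect dropped web ports and source allows."""
    finding = Finding()
    for line in rules.splitlines():
        line = line.strip()
        if m := DROP_RE.match(line):
            finding.dropped_ports.add(m.group(1))
        elif m := ACCEPT_RE.match(line):
            finding.allowed_sources.append(m.group(1))
    return finding


if __name__ == "__main__":
    print("sample suspicious:", analyze(SAMPLE_RULES).suspicious)
    print("benign suspicious:", analyze(BENIGN_RULES).suspicious)
```

    On a real device the input would come from `iptables -S INPUT`; a hit is a prompt to inspect the box, not proof of infection.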

    It is no coincidence that botnets target EoL devices: they are no longer supported by their manufacturers, so unpatched vulnerabilities accumulate over time. It is also possible that some of these devices were compromised through brute-force attacks.

    Further analysis of the proxy network revealed that more than 30% of infections lasted more than 50 days, while approximately 15% of devices remained in the network for 48 hours or less.

    “Faceless has emerged as a formidable proxy service, rising from the ashes of the ‘iSocks’ anonymity service and becoming an indispensable tool for cybercriminals to obfuscate their activities,” the company said. “TheMoon is the major, if not the only, supplier of bots to the Faceless proxy service.”
