A botnet previously thought to have gone dormant has been observed enslaving end-of-life (EoL) small office/home office (SOHO) routers and IoT devices to power a criminal proxy service called Faceless.
Lumen Technologies’ Black Lotus Labs team said: “TheMoon emerged in 2014 and has been quietly operating while growing to more than 40,000 bots from 88 countries in January and February 2024.”
Faceless, a malicious residential proxy service detailed in April 2023 by security reporter Brian Krebs, provides anonymity to other threat actors for a negligible fee of less than $1 per day.
In doing so, it allowed customers to route their malicious traffic through the tens of thousands of compromised systems exposed on the service, effectively hiding its true origin.
According to the assessment, the infrastructure supported by Faceless is used by malware operators such as SolarMarker and IcedID to connect to their command and control (C2) servers in order to obfuscate their IP addresses.
That said, most bots are used for password spraying and/or data exfiltration, primarily targeting the financial sector, with over 80% of infected hosts located in the United States.
Lumen said it first observed malicious activity in late 2023 that involved compromising EoL SOHO routers and IoT devices, deploying a newer version of TheMoon, and ultimately enrolling the botnet into Faceless.
The attacks involve a loader responsible for obtaining ELF executables from the C2 server. These include a worm module that spreads itself to other vulnerable servers, and another file called “.sox” that is used to proxy traffic from the bot to the internet.
Additionally, the malware configures iptables rules to drop incoming TCP traffic on ports 8080 and 80 and to allow traffic from three different IP ranges. It also attempts to contact a list of legitimate NTP servers, possibly to determine whether the infected device has a working network connection and is not running in a sandbox.
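As an added, defender-side example (not code from the article or from Lumen's report), the following Python parses an iptables-save dump and flags the rule pattern described above: inbound TCP 80 and 8080 dropped on INPUT alongside source-range ACCEPT rules. The sample dump and its source ranges are constructed placeholders (RFC 5737 documentation networks), since the report excerpt does not list the three real ranges.

```python
import shlex

# Constructed iptables-save excerpt imitating the described rule pattern.
# Source ranges are RFC 5737 documentation placeholders, not real indicators.
SAMPLE_RULES = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -s 203.0.113.0/24 -j ACCEPT
-A INPUT -s 198.51.100.0/24 -j ACCEPT
-A INPUT -s 192.0.2.0/24 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -j DROP
-A INPUT -p tcp -m tcp --dport 80 -j DROP
COMMIT
"""

# Ports the article says the malware blocks on the infected device.
SUSPECT_PORTS = {80, 8080}


def parse_rules(dump):
    """Yield (chain, options) for each '-A' rule line in an iptables-save dump.
    Flags followed by a value become key/value pairs; bare flags map to True."""
    for line in dump.splitlines():
        if not line.startswith("-A "):
            continue
        tokens = shlex.split(line)
        chain, opts, i = tokens[1], {}, 2
        while i < len(tokens):
            tok = tokens[i]
            has_value = i + 1 < len(tokens) and not tokens[i + 1].startswith("-")
            if tok.startswith("-") and has_value:
                opts[tok] = tokens[i + 1]
                i += 2
            else:
                opts[tok] = True
                i += 1
        yield chain, opts


def audit_input_chain(dump):
    """Collect dropped TCP ports and allow-listed source ranges in INPUT and
    report whether the combination matches the pattern from the article."""
    dropped, allowed = set(), []
    for chain, o in parse_rules(dump):
        if chain != "INPUT":
            continue
        if o.get("-j") == "DROP" and o.get("-p") == "tcp" and "--dport" in o:
            dropped.add(int(o["--dport"]))
        elif o.get("-j") == "ACCEPT" and "-s" in o:
            allowed.append(o["-s"])
    suspicious = SUSPECT_PORTS <= dropped and len(allowed) >= 1
    return {"dropped_ports": sorted(dropped), "allowed_sources": allowed,
            "suspicious": suspicious}
```

On a live device the dump would come from `iptables-save` output; a router that never exposed a web admin panel on 80/8080 to begin with should not carry these DROP rules at all.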
It’s no coincidence that botnets target EoL devices: they are no longer supported by their manufacturers, so unpatched security vulnerabilities accumulate over time. It is also possible that these devices were compromised through brute-force attacks.
Further analysis of the proxy network revealed that more than 30% of infections lasted more than 50 days, while approximately 15% of devices remained in the network for 48 hours or less.
“Faceless has emerged as a powerful proxy service, emerging from the ashes of the ‘iSocks’ anonymity service and becoming an indispensable tool for cybercriminals to obfuscate their activities,” the company said. “TheMoon is the major, if not the only, supplier of bots to the Faceless proxy service.”