Internet insecurity: Modern cybercrime employs strategies similar to cloud or remote services, with commercial partnerships between different teams looking to achieve the same goal. The latest crimeware operation is designed to compromise routers and turn them into proxy bots.

Researchers at Black Lotus Labs discovered a new malicious campaign involving an updated version of "TheMoon," a malware family first identified ten years ago. TheMoon's latest variant has seemingly been designed to compromise insecure home routers and other IoT devices, which are then exploited to route criminal traffic through a "commercial" proxy service known as Faceless.

TheMoon botnet has been operating "quietly" while compromising over 40,000 devices from 88 different countries in the first two months of 2024, Black Lotus analysts explain. A new campaign began in the first week of March, and it was seemingly focused on compromising Asus routers. In less than 72 hours, the malware had infected over 6,000 networking devices.

Black Lotus doesn't provide details about the methods used by the malware to infect routers. Criminals are likely exploiting known vulnerabilities to turn end-of-life devices into malicious bots. Once a router has been compromised, TheMoon looks for specific shell environments to execute its main malicious payload.

The payload is designed to routinely drop incoming TCP traffic on ports 8080 and 80, while allowing packets from specific IP ranges. After checking for sandbox environments (through NTP traffic) and verifying an internet connection, TheMoon attempts to connect to the command & control center and ask for instructions from the cybercriminals.
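As a triage aid for the filtering behaviour described above, the following added example (not code from the article or from Black Lotus Labs) flags a saved ruleset in which TCP ports 80 and 8080 are dropped for everyone except a few source ranges. It assumes the filtering appears as iptables rules in `iptables -S INPUT` format, which the article does not state; the sample rules and address ranges are constructed.

```python
import ipaddress
import shlex

WATCHED_PORTS = {"80", "8080"}  # ports the article says the payload filters

# Constructed sample of `iptables -S INPUT` output (assumed rule form);
# the source ranges are reserved documentation addresses, not real indicators.
SAMPLE_RULES = """\
-P INPUT ACCEPT
-A INPUT -s 192.0.2.0/24 -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -s 198.51.100.0/24 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -j DROP
-A INPUT -p tcp -m tcp --dport 80 -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j DROP
"""


def parse_rule(line):
    """Return (source, watched_ports, target, negated) for a TCP INPUT rule, else None."""
    tok = shlex.split(line)
    if tok[:2] != ["-A", "INPUT"]:
        return None
    opts = dict(zip(tok, tok[1:]))  # flag -> token that follows it
    if opts.get("-p") != "tcp" or "-j" not in opts:
        return None
    ports = set((opts.get("--dport") or opts.get("--dports") or "").split(","))
    src = ipaddress.ip_network(opts.get("-s", "0.0.0.0/0"), strict=False)
    return src, ports & WATCHED_PORTS, opts["-j"], opts.get("!") == "-s"


def find_allowlisted_drops(rules_text):
    """Map each watched port to the source ranges exempted from a blanket DROP."""
    allowed = {port: [] for port in WATCHED_PORTS}
    findings = {}
    for line in rules_text.splitlines():
        rule = parse_rule(line)
        if rule is None:
            continue
        src, ports, target, negated = rule
        for port in ports:
            if target == "ACCEPT" and src.prefixlen > 0 and not negated:
                allowed[port].append(str(src))  # exemption placed ahead of a DROP
            elif target == "DROP" and negated:
                findings.setdefault(port, []).append(str(src))  # "drop unless from src"
            elif target == "DROP" and src.prefixlen == 0 and allowed[port]:
                findings.setdefault(port, []).extend(allowed[port])
    return findings


if __name__ == "__main__":
    for port, ranges in sorted(find_allowlisted_drops(SAMPLE_RULES).items()):
        print(f"tcp/{port}: blanket DROP with exemptions for {ranges}")
```

A hit is a lead for further inspection rather than proof of infection, since an administrator can create the same allow-list pattern deliberately; a plain DROP on these ports with no exempted ranges is not reported.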

The malware can then download additional malicious components, including a worm-like module capable of scanning for vulnerable HTTP servers, as well as .sox files that enable the compromised device to act like a proxy. Most of the Asus routers infected by the latest TheMoon variant have been mapped as bots belonging to Faceless, a known proxy service used by malware operations such as IcedID and SolarMarker.

Cybercriminals can employ Faceless to obfuscate their malicious traffic, paying in crypto for the service. Black Lotus researchers say that one-third of the infections last over 50 days, while 15 percent of them go offline in a couple of days. TheMoon and Faceless seem to be two completely different criminal operations, though they now have a common interest in turning security vulnerabilities into a business opportunity.

Black Lotus says that users can defend against IoT threats by using strong passwords and upgrading their network device's firmware to the latest version available. End-of-life routers such as the Asus ones targeted by TheMoon should, however, be replaced with newer, still supported models.