Resurgence of TheMoon Botnet: Powering Faceless Proxy Service with Hijacked IoT Devices

Charles M. Walls | March 29, 2024

A once-dormant botnet has resurged, hijacking outdated home and office routers along with IoT gadgets to power a nefarious proxy service known as Faceless.

In 2024, TheMoon botnet, first identified in 2014, has stealthily expanded its reach. By January and February it had amassed over 40,000 bots from 88 countries, according to Lumen Technologies' Black Lotus Labs.

Faceless, exposed by cybersecurity reporter Brian Krebs in April 2023, offers a low-cost, malicious residential proxy service, charging under a dollar daily. This service enables its users to mask their nefarious online activities through an extensive network of compromised devices, hiding their true digital footprints.

Notably, Faceless's network has been leveraged by cybercriminals deploying malware like SolarMarker and IcedID, facilitating anonymous connections to command and control servers and disguising their IP addresses.

These hijacked devices are used primarily for password-guessing attacks and data theft, especially against the financial industry. Alarmingly, over 80% of these compromised devices are located within the U.S.

Lumen's Black Lotus Labs uncovered this malicious wave in late 2023. The campaign aims to infiltrate outdated small office/home office (SOHO) routers and IoT devices: the attackers deploy a newer version of TheMoon botnet to incorporate these devices into the Faceless service.

The technique involves deploying a loader that downloads a specific executable file from a control server. This file not only spreads the malware further but also includes a module that routes traffic through the infected device to the web, masking the proxy user's identity.

Moreover, the malware manipulates firewall rules to block certain incoming traffic and ensure communication with legitimate NTP servers, likely to verify internet connectivity and avoid detection in a virtual environment.

The focus on exploiting end-of-life devices, which lack manufacturer support and are vulnerable to attacks, highlights the strategic targeting by cybercriminals. These devices are often compromised through brute force attacks.

Further investigations into the proxy network disclosed that over 30% of these infections persisted beyond 50 days, with approximately 15% lasting less than 48 hours.

Faceless has evolved into a critical tool for cybercriminals seeking to hide their tracks online. It emerged from the remnants of a previous anonymity service, iSocks, becoming a vital asset for illicit online activities. TheMoon botnet stands as a key, if not sole, contributor to the Faceless proxy service's arsenal of bots.