
Botnet ‘TheMoon’ Enslaving End-of-Life Routers for Criminal Proxy Service Faceless

A sophisticated botnet, previously thought to have been neutralized, has recently resurfaced and started harnessing vulnerable small home and small office routers and devices that have reached their end-of-life stage. It now fuels a malicious proxy service, Faceless, which allows cybercriminals to conceal their identities and origins.

TheMoon, a botnet that emerged in 2014, has been operating secretly while expanding its network to over 40,000 bots from 88 countries as of January and February 2024, according to the Black Lotus Labs team at Lumen Technologies. Faceless, first revealed by security journalist Brian Krebs in April 2023, is a malicious residential proxy service offering anonymity services to other malicious actors at a meager fee, costing less than a dollar daily.

Customers can effectively conceal their origins and avoid detection by routing their malicious traffic through thousands of compromised systems advertised on the service. The infrastructure behind Faceless is used by operators such as SolarMarker and IcedID to connect to their command-and-control (C2) servers, thereby obfuscating their IP addresses. However, most bots are used for password spraying and/or data exfiltration, primarily targeting the financial sector, with more than 80% of the infected devices in the U.S.

Lumen Technologies first detected the malicious activity in late 2023. The activity aims to penetrate SOHO routers and devices and deploy a new version of TheMoon, ultimately enrolling the botnet into Faceless. The attacks involve dropping a loader that fetches an ELF executable from a C2 server. This includes a worm module that spreads itself to other vulnerable servers and another file called “.sox” used to proxy traffic from the bot to the internet on behalf of a user.

Additionally, the malware configures iptables rules to drop incoming TCP traffic on ports 8080 and 80 and allow traffic from three different IP ranges. It also tries to contact an NTP server from a list of legitimate NTP servers to determine if the infected device has internet connectivity and is not being run in a sandbox.
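The firewall change described above can be checked for on a device or in a saved ruleset. The following triage sketch is an added example, not code from Lumen or from the malware: it reads `iptables -S` output and flags rulesets that drop inbound TCP on both 80 and 8080 while exempting specific source ranges. The function names and sample rules are assumptions, and the source ranges are documentation placeholders because the article does not list the real ones.

```python
import shlex

WATCHED_PORTS = {"80", "8080"}  # inbound TCP ports the article says get dropped

# Constructed `iptables -S` output. The source ranges are RFC 5737 documentation
# networks used as placeholders; the article does not list the real ranges.
SAMPLE_RULES = """\
-P INPUT ACCEPT
-A INPUT -s 192.0.2.0/24 -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -s 198.51.100.0/24 -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -s 203.0.113.0/24 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -j DROP
-A INPUT -p tcp -m tcp --dport 80 -j DROP
-A FORWARD -p tcp -m tcp --dport 80 -j DROP
"""

def parse_input_rule(line):
    """Return (ports, source, target) for a non-negated INPUT rule that can match TCP."""
    tok = shlex.split(line)
    if tok[:2] != ["-A", "INPUT"] or "!" in tok:
        return None  # other chains, policies and negated matches are ignored
    opts = {}
    for flag, value in zip(tok[2:], tok[3:]):  # adjacent (option, argument) pairs
        if flag.startswith("-"):
            opts.setdefault(flag, value)
    if opts.get("-p", "tcp") != "tcp":
        return None
    ports = opts.get("--dport") or opts.get("--dports") or ""
    return set(filter(None, ports.split(","))), opts.get("-s"), opts.get("-j")

def check_ruleset(text):
    """Flag a ruleset that drops inbound 80 and 8080 but exempts chosen sources."""
    dropped, exempt = set(), set()
    for line in text.splitlines():
        rule = parse_input_rule(line)
        if rule is None:
            continue
        ports, source, target = rule
        hit = ports & WATCHED_PORTS
        if target == "DROP" and source is None:
            dropped |= hit
        elif target == "ACCEPT" and source is not None and (hit or not ports):
            exempt.add(source)
    return {"dropped_ports": sorted(dropped, key=int),
            "allowed_sources": sorted(exempt),
            "suspicious": dropped == WATCHED_PORTS and bool(exempt)}

if __name__ == "__main__":
    print(check_ruleset(SAMPLE_RULES))
```

A match is a reason to inspect the device further, not proof of infection, since some firmware ships similar management-port rules.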

The targeting of devices to fabricate the botnet is no coincidence, as they are no longer supported by the manufacturer and become susceptible to security vulnerabilities over time. It's also possible that the devices are infiltrated using .

Further analysis of the proxy network reveals that more than 30% of the infections lasted over 50 days. In comparison, about 15% of the devices were on the network for 48 hours or less.

According to Lumen Technologies, “TheMoon is the primary, if not the only, supplier of bots to the Faceless proxy service.” “Faceless has become a formidable proxy service that rose from the ashes of the ‘iSocks’ anonymity service and has become an integral tool for cybercriminals in obfuscating their activity.”

Users of SOHO routers and devices must take necessary precautions to safeguard their devices against such attacks, such as keeping them up to date and using strong and complex passwords. Further, it's essential to be vigilant for any suspicious activity and immediately report any potential security breaches.


Deitasoft © 2024. All Rights Reserved.