A multi-year campaign leveraging an updated version of “TheMoon” malware has been targeting end-of-life (EoL) small business routers and IoT devices via a cybercriminal proxy service known as "Faceless."
The Black Lotus Lab team at Lumen Technologies described in a March 26 blog post that they found that “TheMoon” malware, which first emerged in 2014, was operating quietly while growing to more than 40,000 bots from 88 countries by January and February of this year.
Black Lotus Labs first described “TheMoon” malware in 2019 and said it has entered a new phase. For their most recent post, the researchers identified at least one campaign by the Faceless criminal proxy service that began in the first week of March which targeted more than 6,000 ASUS routers in less than 72 hours.
The researchers said Faceless has been growing at a pace of 7,000 users per week and has become an ideal choice for cybercriminals seeking anonymity. The researchers said their telemetry found that this service has been used by operators of botnets such as SolarMarker and IcedID.
“This is not the first instance of infected devices being enrolled into a proxy service, and it's a growing trend,” wrote the researchers. “We suspect that with the increased attention paid to the cybercrime ecosystem by both law enforcement and intelligence organizations, criminals are looking for new methods to obfuscate their activity.”
John Gallagher, vice president of Viakoo Labs, said that IoT devices are designed to be “set-it-and-forget-it,” leading to their being favored by threat actors. So even if they are not EoL, they are likely unmanaged and not updated.
“This is a much bigger issue for enterprises than consumers,” explained Gallagher. “The operators of IoT devices are often cost centers, and have an incentive to not replace equipment unless it isn’t functional anymore. So, enterprises offer vast fleets of IoT devices for threat actors to leverage for DDoS and other attack vectors.”
The result: Gallagher said we now have vast botnet armies of infected IoT devices because there has never been a focus (or incentive) around bot eradication. He said organizations are told to focus on bot mitigation, but the problem has grown to the point where we need to give some focus to ridding devices of the malicious bots.
John Bambenek, president at Bambenek Consulting, added that as the industry has expanded the types of devices that have operating systems in them, it hasn’t kept up with the lessons learned from desktop and server computing: namely that automatic updates are the norm.
“This problem is exacerbated by organizations using devices for much longer periods of time than manufacturers want,” said Bambenek. “By using security updates as leverage for buying new products, the net result is infected devices that are used in cybercrime. Criminals have all the time in the world to be patient, they are already netting a strong cash flow and there are more infectable devices than they have time to exploit.”
Thomas Siu, chief information security officer at Inversion6, said the FBI’s announcement in February 2024 of its disruption of the APT28 attacks on Ubiquiti routers presents a similar case study to "TheMoon" malware. Although the Ubiquiti EdgeRouter products were not technically at EoL, their vulnerable state allowed them to be co-opted into use as botnet as Linux-based sensors, permitting them to collect user credentials, and proxy network traffic to hide their command-and-control signals.
“Users and small businesses need to assess the strength of their network systems, in particular knowing if their edge routers are over three years old, they are at higher risk of this level of compromise,” said Siu.