TheMoon malware infects 6,000 ASUS routers in 72 hours for proxy service
Bleeping Computer – Bill Toulas
A new variant of the “TheMoon” malware botnet has been discovered infecting thousands of outdated small office and home office (SOHO) routers and IoT devices in 88 countries
The malware is linked to the “Faceless” proxy service, which uses some of the infected devices as proxies for cybercriminals to anonymize their malicious activities
Key points:
Black Lotus Labs researchers observed 6,000 ASUS routers being targeted in under 72 hours during the latest TheMoon campaign, which started in early March 2024
Malware operations such as IcedID and SolarMarker currently use the Faceless proxy botnet to obfuscate their online activity
TheMoon targets vulnerabilities in end-of-life ASUS routers, likely by exploiting known vulnerabilities in the firmware, brute-forcing admin passwords, or testing default and weak credentials
Once the malware gains access to a device, it sets up iptables rules, contacts NTP servers to detect sandbox environments, and connects with the command and control (C2) server for instructions
Faceless is a cybercrime proxy service that routes network traffic through compromised devices for customers who pay exclusively in cryptocurrencies
One-third of the infections last over 50 days, while 15% are lost in under 48 hours, indicating varying levels of monitoring and detection
To defend against these botnets, users should use strong admin passwords, upgrade device firmware, and replace end-of-life devices with actively supported models
Common signs of malware infection on routers and IoTs include connectivity problems, overheating, and suspicious setting changes.
Link: https://www.bleepingcomputer.com/news/security/themoon-malware-infects-6-000-asus-routers-in-72-hours-for-proxy-service