Black Lotus Labs discovered a new threat called TheMoon, targeting Small Office/Home Office (SOHO) and Internet of Things (IoT) devices in 88 countries. The threat has infected nearly 7,000 ASUS routers.
TheMoon is associated with the anonymous proxy service Faceless, which uses infected devices to route cybercriminals' traffic in order to conceal their activities. Malicious campaigns such as IcedID and SolarMarker already use this network to mask their online actions.
During the campaign, approximately 7,000 devices per week were compromised, with ASUS routers being the primary target. It is likely that the attackers exploited well-known firmware vulnerabilities or used brute-force methods to gain access to these devices.
Once inside a device, the malicious software sets up traffic filtering rules and attempts to contact a command-and-control (C2) server for further instructions. Some servers may deliver additional components that scan for other vulnerable servers or proxy traffic.
Faceless is a proxy service catering to cybercriminals: it performs no customer verification and accepts only cryptocurrency payments. To safeguard their infrastructure, the Faceless operators restrict each infected device to communicating with a single server for the whole duration of the infection.
[Figure: Scheme of the proxy service Faceless]
A study from Black Lotus Labs reveals that around 30% of infections persist for over 50 days, while 15% are detected and removed within 48 hours.
[Figure: Life span of infected devices]
Although TheMoon and Faceless are interconnected, they are separate cybercrime ecosystems: not every TheMoon infection is necessarily part of the Faceless botnet. To defend against such threats, use strong passwords and update device firmware regularly to address known vulnerabilities. Outdated devices that are no longer supported by the vendor should be replaced with newer models. Warning signs of device infection include connectivity issues, overheating, and suspicious changes to settings.