A recent report by Black Lotus Labs, a security research team at Lumen Technologies, has revealed a multi-year campaign aimed at vulnerable small home/small office (SOHO) routers. This campaign exploits an upgraded iteration of the notorious malware strain known as “TheMoon.”


Since its inception in 2014, TheMoon malware has consistently exploited vulnerabilities in routers and Internet of Things (IoT) devices. However, this recent campaign seems exceptionally pervasive, as it has infected devices in 88 countries.


The Black Lotus Labs report, titled “The Darkside Of TheMoon,” indicates that the attackers concentrated mainly on end-of-life (EoL) routers, which are devices no longer receiving security updates from the manufacturer. ASUS routers bore the brunt of this focus, with over 6,000 infections occurring within a mere 72-hour period in early March 2024.


The attackers seem to aim at establishing an extensive network of compromised devices. By infiltrating routers and IoT devices, they enlist them into a service dubbed “Faceless.” This service functions as a proxy, enabling malicious actors to obscure their online actions. Such anonymity poses challenges in tracing the origins of cyberattacks and other illicit operations.


“The attackers behind Faceless are using the botnets from this malware to create an anonymous proxy network by abusing outdated and unsupported routers to run their criminal networks,” said Mark Dehus, senior director of threat intelligence at Lumen Black Lotus Labs. “We believe these cybercriminals are using these networks to steal data and information from their victims, including the financial sector.”


The selection of EoL appliances as targets for building the botnet is no coincidence, as these devices lack manufacturer support and gradually become vulnerable to security risks. Additionally, they may be compromised through brute-force attacks.


Further examination of the proxy network indicates that over 30 percent of the infections persisted for more than 50 days, while approximately 15 percent of the devices remained within the network for 48 hours or less.


Black Lotus Labs believes TheMoon is the main or sole provider of bots to Faceless. This proxy service gives its users the chance to impersonate a legitimate user in a chosen country. Faceless doesn’t require customer identification. This allows users to stay anonymous as they send malicious traffic through the routers attempting to steal valuable data.

“TheMoon malware is a serious threat not only to the owners of the compromised SOHO devices, but also the victims exploited through this anonymous proxy network,” Dehus cautions. Users are urged to update and secure their devices to prevent them from becoming part of these malicious networks, he added.


Strategies for Prevention and Mitigation


Installing security contractors can advise their consumer and commercial clients to take these steps to protect their routers from cybercriminals:


  • Reboot: Consumers who use SOHO routers should regularly reboot their devices and install security updates and patches when available.
  • Update old routers: Consumers and business should replace end-of-life devices with vendor-supported models to help ensure security updates are in place.


IT professionals can take these steps:


  • Install protection: Remote workers can invite threats to a company network. Install Web Application Firewalls to protect company assets from communicating with bots.
  • Monitor activity: Look for suspicious login attempts, even those that come from residential IP addresses.
  • Encrypt data: Use the latest cryptographic protocols, such as TLS (Transport Layer Security) to encrypt data sent over the internet. This helps secure email and website services.

According to Lumen, this is not the first instance of infected devices being enrolled into a proxy service, and it is a growing trend. The company said it suspects that with the increased attention paid to the cybercrime ecosystem by both law enforcement and intelligence organizations, criminals are looking for new methods to obscure their activity.