27 March 2024

Sophisticated malware campaign targeting end-of-life routers and IoT devices

The Black Lotus Labs team at Lumen Technologies has uncovered a widespread, multi-year cyber campaign targeting end-of-life (EoL) small home/small office (SOHO) routers and Internet of Things (IoT) devices. The campaign is associated with an updated version of the notorious malware known as “TheMoon”, previously thought to have been neutralized.

TheMoon malware, first spotted in 2014, has resurfaced, amassing over 40,000 bots across 88 countries in January and February 2024. Most of these bots form the foundation of Faceless, a proxy service aimed at cybercriminals and known to be used by operators of other notorious botnets such as SolarMarker and IcedID. The latest findings indicate that TheMoon is fueling Faceless' growth at a rate of nearly 7,000 new users per week.

A recent campaign detected in early March 2024 targeted over 6,000 ASUS routers in less than 72 hours, the researchers said.

In late 2023, Black Lotus Labs uncovered suspicious activity among SOHO/IoT devices communicating with tens of thousands of distinct IP addresses weekly. Further investigation led to the discovery of a new variant of TheMoon malware.

The malware primarily targets EoL devices, exploiting known vulnerabilities in firmware or employing brute-force attacks.

Once a device is compromised, the malware initiates a multi-step process to establish control over it. Initially, a lightweight loader file is deployed, followed by the execution of a payload named ".nttpd".

This payload creates a PID file and configures iptables rules to secure the compromised device. The malware then attempts to contact legitimate NTP servers to evade detection before connecting with the command-and-control (C2) server to receive further instructions.

In some instances, the C2 may command the malware to retrieve additional components, such as a worm module or ".sox" files for proxying traffic.
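The infection chain described above (hidden dot-prefixed payload, iptables changes, NTP contact before the C2 connection) can be turned into a simple defender-side heuristic. The following is an added example, not Black Lotus Labs' tooling; the event format, field names and sample log lines are constructed for this illustration.

```python
"""Heuristic detector for the TheMoon infection chain described above.
Added example; input lines use a constructed 'device|seq|kind|detail' format."""
import re
from collections import defaultdict

# Dot-prefixed executables named in the report (".nttpd" payload, ".sox" proxy
# modules) and, more generally, any hidden executable name.
HIDDEN_EXEC = re.compile(r"(^|/)\.[A-Za-z0-9_]+$")
NTP_PORT = "123"


def parse_event(line):
    """Split one constructed event line into a dict."""
    device, seq, kind, detail = line.split("|", 3)
    return {"device": device, "seq": int(seq), "kind": kind, "detail": detail}


def chain_stages(events):
    """Return the chain stages observed for one device, in event order."""
    stages, ntp_seen = [], False
    for ev in sorted(events, key=lambda e: e["seq"]):
        if ev["kind"] == "exec" and HIDDEN_EXEC.search(ev["detail"]):
            stages.append("hidden_exec")
        elif ev["kind"] == "iptables":
            stages.append("iptables_change")
        elif ev["kind"] == "conn":
            port = ev["detail"].rsplit(":", 1)[1]
            if port == NTP_PORT:
                ntp_seen = True          # legitimate-looking NTP check-in
            elif ntp_seen:
                stages.append("post_ntp_c2")  # non-NTP outbound right after NTP
                ntp_seen = False
    return stages


def flag_devices(lines, min_stages=3):
    """Return {device: stages} for devices showing at least min_stages stages."""
    by_dev = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        by_dev[ev["device"]].append(ev)
    result = {}
    for dev, evs in by_dev.items():
        stages = chain_stages(evs)
        if len(set(stages)) >= min_stages:
            result[dev] = stages
    return result


# Constructed sample events; addresses are documentation ranges, not real IoCs.
SAMPLE = [
    "router-a|1|exec|/tmp/.nttpd",
    "router-a|2|iptables|-A INPUT -p tcp --dport 8080 -j DROP",
    "router-a|3|conn|203.0.113.10:123",
    "router-a|4|conn|198.51.100.7:8080",
    "router-b|1|exec|/usr/sbin/httpd",
    "router-b|2|conn|203.0.113.10:123",
]
```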

The researchers believe that TheMoon is the single botnet that powers Faceless; however, not every infected bot is included in the Faceless ecosystem. The role of the 7,000 bots remaining with TheMoon, and how they interact within these two larger ecosystems, remains unknown, the team noted.
