A previously inactive botnet has resurfaced to use end-of-life small home/small office (SOHO) routers and IoT devices to power a malicious proxy service called Faceless.
“TheMoon, which emerged in 2014, has silently grown to over 40,000 bots from 88 countries in early 2024,” stated the Black Lotus Labs team at Lumen Technologies.
Security journalist Brian Krebs detailed Faceless in April 2023, describing it as a malicious residential proxy service used by cybercriminals to hide their online activities for a minimal fee.
By utilizing Faceless, threat actors can route their malicious traffic through compromised systems to conceal their identities, aiding malware like SolarMarker and IcedID in connecting to their command-and-control servers.
The majority of the infected devices are used for password spraying and data exfiltration, primarily targeting the financial sector with a significant number located in the U.S.
Lumen first detected this activity in late 2023, where the attackers aimed to infect EoL SOHO routers and IoT devices with TheMoon and integrate them into the Faceless proxy network.
The attack involves deploying a loader to fetch an ELF executable from a C2 server, spreading a worm module, and using a proxy file to hide the bot’s internet traffic on behalf of a user.
The malware also configures iptables rules and attempts to contact NTP servers to determine internet connectivity, focusing on EoL devices that are more vulnerable to attacks.
Further analysis revealed that over 30% of infections lasted more than 50 days, with 15% being part of the network for 48 hours or less.
According to Lumen, Faceless has become a crucial tool for cybercriminals to mask their activities, with TheMoon being a major supplier of bots for the service.
