TheMoon botnet resurfaces, leveraging EoL devices to power criminal proxies

March 29, 2024 | Pressroom | Network Security / IoT Security


A botnet previously considered inert has been observed enslaving small office/home office (SOHO) routers and end-of-life (EoL) IoT devices to power a criminal proxy service called Faceless.

“TheMoon, which emerged in 2014, has been quietly growing to over 40,000 bots from 88 countries in January and February of 2024,” said the Black Lotus Labs team at Lumen Technologies.

Faceless, detailed by security journalist Brian Krebs in April 2023, is a malicious residential proxy service that sells anonymity to other threat actors for a negligible fee of less than a dollar a day.


In practice, this lets customers route their malicious traffic through the tens of thousands of compromised systems advertised on the service, hiding its true origin behind residential IP addresses.

The infrastructure behind Faceless is assessed to be used by malware operators such as SolarMarker and IcedID to reach their command-and-control (C2) servers without exposing their own IP addresses.

That said, the majority of the bots are used for password spraying and/or data exfiltration, primarily against the financial sector, and over 80% of the infected hosts are located in the United States.

Lumen said it first observed the malicious activity in late 2023: the campaign breaches EoL SOHO routers and IoT devices, deploys an updated version of TheMoon, and ultimately enrols the compromised device in Faceless.


The attacks involve dropping a loader that is responsible for fetching an ELF executable from a C2 server. That payload includes a worm module that spreads to other vulnerable devices and another file called ".sox" that is used to proxy traffic from the bot to the Internet on behalf of a Faceless user.

Additionally, the malware configures iptables rules to drop incoming TCP traffic on ports 8080 and 80 while allowing traffic from three specific IP ranges, which locks out the device's web administration interface and any rival operator while keeping the actor's own infrastructure reachable. It also attempts to contact an NTP server from a list of legitimate NTP servers, most likely to confirm that the infected device has Internet connectivity and is not running in a sandbox.
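The firewall change described above is something a responder can look for on a suspect router. The following audit script is an added example and is not code from the article or from Lumen's report: it parses an `iptables-save` style dump, and flags the combination of inbound TCP DROP rules on ports 80 and 8080 together with a small set of source-range ACCEPT rules. The sample dump is constructed for the example (the IP ranges are documentation prefixes, not indicators from the report), and the threshold of three allowed ranges is an assumption taken from the article's description.

```python
"""Audit an iptables-save dump for the firewall pattern attributed to TheMoon:
inbound TCP 80/8080 dropped, plus a handful of source ranges allowed.
Added example, not code from the article or from Lumen's report."""
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed sample modelled on iptables-save output. The source ranges are
# RFC 5737 documentation prefixes, not real indicators of compromise.
SAMPLE_IPTABLES_SAVE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 192.0.2.0/24 -j ACCEPT
-A INPUT -s 198.51.100.0/24 -j ACCEPT
-A INPUT -s 203.0.113.0/24 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -j DROP
-A INPUT -p tcp -m tcp --dport 80 -j DROP
-A INPUT -i lo -j ACCEPT
COMMIT
"""

# Constructed benign dump: only loopback allowed, nothing dropped.
BENIGN_IPTABLES_SAVE = """\
*filter
-A INPUT -i lo -j ACCEPT
COMMIT
"""

RULE_RE = re.compile(r"^-A\s+(?P<chain>\S+)\s+(?P<body>.*)$")


def _is_network(text: str) -> bool:
    """True if text is a valid IPv4/IPv6 address or CIDR prefix."""
    try:
        ipaddress.ip_network(text, strict=False)
        return True
    except ValueError:
        return False


def parse_rules(dump: str) -> List[Dict[str, Optional[str]]]:
    """Turn '-A CHAIN ...' lines into dicts with chain, src, proto, dport, target."""
    rules = []
    for line in dump.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue  # table headers, chain policies, COMMIT
        body = m.group("body")
        # Anchor each flag on whitespace so '--dport' never matches '-p' or '-s'.
        src = re.search(r"(?:^|\s)-s\s+(\S+)", body)
        proto = re.search(r"(?:^|\s)-p\s+(\S+)", body)
        dport = re.search(r"--dport\s+(\d+)", body)
        target = re.search(r"(?:^|\s)-j\s+(\S+)", body)
        rules.append({
            "chain": m.group("chain"),
            "src": src.group(1) if src else None,
            "proto": proto.group(1) if proto else None,
            "dport": int(dport.group(1)) if dport else None,
            "target": target.group(1) if target else None,
            "raw": line.strip(),
        })
    return rules


def find_themoon_pattern(dump: str, watched_ports=(80, 8080), min_allowed=3) -> dict:
    """Report inbound DROPs on the watched ports and source-range ACCEPTs.

    The finding is marked suspicious only when every watched port is dropped
    AND at least `min_allowed` distinct source ranges are whitelisted, which
    is the combination the article attributes to the malware (assumed threshold).
    """
    inbound = [r for r in parse_rules(dump) if r["chain"] == "INPUT"]
    dropped_ports = sorted({
        r["dport"] for r in inbound
        if r["target"] == "DROP" and r["proto"] == "tcp" and r["dport"] in watched_ports
    })
    allowed_sources = sorted({
        r["src"] for r in inbound
        if r["target"] == "ACCEPT" and r["src"] and _is_network(r["src"])
    })
    suspicious = set(dropped_ports) == set(watched_ports) and len(allowed_sources) >= min_allowed
    return {
        "dropped_ports": dropped_ports,
        "allowed_sources": allowed_sources,
        "suspicious": suspicious,
    }


if __name__ == "__main__":
    # On a live box: iptables-save | python3 this_script.py  (read from stdin instead)
    for name, dump in (("sample", SAMPLE_IPTABLES_SAVE), ("benign", BENIGN_IPTABLES_SAVE)):
        print(name, find_themoon_pattern(dump))
```

Run it against the output of `iptables-save` pulled from a device under investigation; an administrator's own rules can of course produce the same shape, so treat a hit as a prompt to check for the ".sox" binary and unexpected outbound connections rather than as proof of infection on its own.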


The choice of EoL devices to build the botnet is no coincidence: they no longer receive security updates from the manufacturer, so they accumulate unpatched vulnerabilities over time. Devices can also be compromised through brute-force attacks.

Further analysis of the proxy network revealed that more than 30% of infections lasted longer than 50 days, while roughly 15% of devices remained in the network for 48 hours or less.

“Faceless has become a formidable proxy service born from the ashes of the anonymity service ‘iSocks’ and has become an integral tool for cybercriminals to obfuscate their activity,” the company said. “TheMoon is the leading, if not only, bot provider for the Faceless proxy service.”
