After disappearing for several years, TheMoon has returned with a botnet army of around 40,000 bots, made up of compromised small office/home office (SOHO) devices and available for rent as a proxy service for cybercriminals looking to obscure the origins of their traffic.
The botnet-for-cybercrime service, called Faceless, costs less than a dollar a day, according to researchers at Lumen Technologies’ Black Lotus Labs, who warn of TheMoon’s return after the malware group disappeared in 2019, before re-emerging on the scene in 2023. By early 2024, TheMoon had amassed bots from 88 countries to operate its Faceless service.
“We believe these cybercriminals [using Faceless] are using these networks to steal data and information from their victims, including the financial sector,” Mark Dehus, senior director of threat intelligence at Lumen Black Lotus Labs, said in a statement. “TheMoon malware poses a serious threat not only to owners of compromised SOHO devices, but also to victims exploited through this anonymous proxy network.”
John Gallagher, vice president of Viakoo Labs at Viakoo, noted that the types of endpoints TheMoon seeks to bring to the dark side are something of a sitting duck.
“IoT devices are designed to be ‘set and forget,’ leading them to be favored by threat actors even if they are not end-of-life (likely unmanaged and out of date),” he said in a statement sent via email. “This is a much bigger problem for businesses than for consumers. Operators of IoT devices are often cost centers and there is an incentive not to replace equipment unless it is no longer functional. Companies offer vast fleets of IoT devices that threat actors can exploit for DDoS and other attack vectors.”