
New study shows a reemerged botnet attacking outdated devices
Recent research conducted by the Black Lotus Labs team at Lumen Technologies has uncovered ongoing efforts to target end-of-life (EoL) and IoT devices. A key focus of this campaign is small office and home office routers, attacked with an updated version of malware known as TheMoon.
John Bambenek, President at Bambenek Consulting, highlights the challenge posed by the lack of automatic updates for various devices. He notes, “Consumers tend to use devices for extended periods, leading to a vulnerability when manufacturers fail to prioritize regular security updates. This creates an opportunity for criminals to exploit infected devices for cybercrime.”
TheMoon malware first appeared in 2014 and has continued to operate discreetly since then. By January 2024, it had amassed over 40,000 bots spread across 88 countries. Many of these bots are utilized to support a cybercriminal-focused proxy service known as Faceless.
Faceless is a malicious service that offers anonymity services to cybercriminals at a low cost. Users of Faceless can divert their online traffic through this service to conceal their identities.
Jason Soroko, Senior Vice President of Product at Sectigo, comments on the vulnerability of routers and networking equipment to password-based attacks. He notes the lack of strong authentication methods and highlights the use of proxy networks for concealing command and control (C2) traffic. This development underscores the successful efforts to de-anonymize Tor and VPN traffic, exposing attackers using such networks.