Massive TheMoon bot campaign hits outdated routers, IoT devices

Attacks with an updated TheMoon botnet variant have impacted more than 40,000 end-of-life small office and home office routers and Internet-of-Things devices across 88 countries during the first two months of 2024, while the botnet's latest campaign earlier this month facilitated the compromise of over 6,000 Asus routers in less than three days, Security Affairs reports.

Most of the bots have been leveraged to support the Faceless cybercrime proxy service, previously used by operators of the IcedID and SolarMarker botnets, with TheMoon fueling weekly user growth of almost 7,000 for the service, according to a report from Lumen Technologies' Black Lotus Labs. Intrusions begin with the delivery of a loader file that scans for specific shells; when one is present, the loader decrypts, injects, and executes the next-stage ".nttpd" payload.

Additional scanning is then conducted before iptables rules are established, which allow TheMoon to connect to an NTP server and a command-and-control server, followed by an eventual ELF executable download, researchers said.

"Thus far we have identified two subsequent modules, one appears to be a worm while the other file is named '.sox,' which is used to proxy traffic from the bot to the internet on behalf of a user," added researchers.
