Black Lotus Labs discovered a multi-year campaign by TheMoon malware targeting vulnerable routers and turning them into bots for the Faceless proxy service.

TheMoon bots grew to over 40,000 in early 2024 and enabled Faceless to gain nearly 7,000 new users weekly.

It identified a botnet targeting end-of-life SOHO/IoT devices in late 2023, which is a variant of the previously dormant TheMoon botnet, that infects devices and enrolls them in the Faceless residential proxy service. 

Logical Overview of Faceless Network

Faceless is a successor to the iSocks anonymity service and is popular among cybercriminals for anonymizing their activity, whereas the strong correlation between TheMoon bots and Faceless suggests TheMoon is the main supplier of bots for the Faceless proxy service. 

It mapped the Faceless network and observed a campaign targeting 6,000 ASUS routers within 3 days, while Lumen Technologies blocked traffic to/from Faceless and TheMoon infrastructure and released indicators of compromise to disrupt this operation.

An initial loader exploiting shell availability infects the device and then establishes persistence, sets firewall rules for specific IP ranges, and uses a spoofed NTP request to verify internet connectivity. 

Following a connection attempt to hardcoded IPs and a potential check-in packet, the malware retrieves a secondary payload (worm or proxy) based on instructions from the C2 server. 

Check-in packet from debugger on the left and packet capture on the right
Check-in packet from debugger on the left and packet capture on the right

The Worm Module spreads by exploiting vulnerable web servers and downloading additional modules and the .sox file. Upon execution, it checks for updates, establishes a connection with the Faceless C2 server, and reads Lumen reports.

 The .sox.twn file
 The .sox.twn file

If no update file is found, it uses a hardcoded IP address to connect, and upon receiving the update file, .sox extracts the C2 server address, initiates communication on a random port, and then sends additional scripts to update C2 information or removes traces of the malware, re

The investigation revealed a strong correlation between TheMoon botnet and the Faceless proxy service, where significant overlap between bots communicating with TheMoon and Faceless C2 servers has been observed.

Chart showing the delta between when an infected device communicates with a Moon and Faceless Server
Chart showing the delta between when an infected device communicates with a Moon and Faceless Server

Most new TheMoon bots contacted a Faceless C2 server within 3 days, and both services used the same communication port scheme and founded a Faceless C2 server directly communicating with a TheMoon C2 server, strongly suggesting TheMoon as the primary botnet feeding Faceless.  

Graphic showing the Moon Elf file hosted on a Faceless C2
Graphic showing the Moon Elf file hosted on a Faceless C2

Global Telemetry Analysis – Faceless

The Moon malware infects devices and communicates with its C2 server, as a subset of these devices are enrolled in the Faceless proxy network, where they receive instructions from Faceless C2s and route traffic through an intermediary server before reaching the final destination. 

Longevity of Faceless bots
Longevity of Faceless Bots

The network is particularly useful for bypassing geolocation and IP-based blocking, as analysis shows that while 30,000 bots communicate with TheMoon C2 weekly, only 23,000 connect to Faceless C2s, suggesting some devices interact with TheMoon but not Faceless. 

It has been suspected that the remaining bots might be used for credential stuffing or financial data exfiltration.

Interestingly, some long-lasting connections originate from known threat actor infrastructure, indicating they might be using Faceless for additional anonymity.

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter

Leave a Reply

Your email address will not be published. Required fields are marked *