TheMoon Malware Strikes Back: 7,000 ASUS Routers Infected

Black Lotus Labs has identified a new variant of the TheMoon malware, targeting SOHO offices and IoT devices across 88 countries, which has already infected nearly 7,000 ASUS routers.

TheMoon is associated with the anonymous proxy service Faceless, which leverages infected devices to route traffic for cyber criminals wishing to conceal their activities. Malicious campaigns such as IcedID and SolarMarker are already utilizing this network to disguise their online presence.

In the campaign that was uncovered, nearly 7,000 devices were compromised within a week, with ASUS routers being the primary target. The attackers likely exploited known vulnerabilities in the firmware or used brute-force methods to gain access to the devices.

Once inside the device, the malware establishes specific rules for traffic filtering and attempts to communicate with a Command and Control (C2) server for further instructions. In some instances, the server may download additional components for scanning vulnerable servers or for traffic proxying.

Faceless operates as a proxy service for cybercriminals, functioning without a client verification process and accepting payments exclusively in cryptocurrency. To protect their infrastructure, Faceless operators restrict communication of infected devices to a single server throughout the infection period.

Research by Black Lotus Labs indicates that about 30% of infections last more than 50 days, while 15% are detected and remedied in less than 48 hours.

Despite the apparent connection between TheMoon and Faceless, the two operations represent separate cybercrime ecosystems, as not all infections by the malware become part of the Faceless botnet.

To guard against such threats, it is recommended to use complex passwords and update the device firmware to the latest version, addressing known vulnerabilities. If a device is outdated and no longer supported by the manufacturer, it should be replaced with a new model that receives active support. Typically, signs of device infection include connectivity issues, overheating, and suspicious changes in settings.