Thousands of Asus routers taken over by malware to form a new proxy service
Thousands of old, end-of-life Asus routers are being compromised by a new variant of the ‘TheMoon’ botnet malware and enlisted in a network of devices that powers a criminal residential proxy service.
Researchers at Lumen’s Black Lotus Labs report that the campaign began in early March 2024 and compromised around 6,000 Asus routers within 72 hours.
The affected routers are older models that have reached end of life and no longer receive security updates, which leads the researchers to suspect that the attackers most likely exploited a known, unpatched vulnerability to deploy the malware.
Become faceless
Although Asus routers make up the majority of infected devices, they are not the only ones. Black Lotus says that approximately 7,000 new endpoints are added to the botnet every week. They are spread all over the world, so no particular geography appears to be favored. Besides exploitation of vulnerabilities, the devices are also broken into through brute-force attacks and credential stuffing against their login interfaces.
Once infected, the devices are enrolled in the Faceless proxy service, a well-known dark web offering that criminals use to route their traffic through victims’ connections and hide the origin of their activity, as BleepingComputer explained. Malware operations known to have used Faceless include IcedID and SolarMarker.
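Brute forcing or stuffing credentials into a router’s administrative login leaves a recognizable trace: a burst of failed logins from one source address, sometimes followed by a success. The script below is an added example, not code from this article or from Black Lotus Labs, that flags such bursts in syslog-style login events with a sliding window. The log lines are constructed for the example (their wording is modeled on dropbear SSH daemon messages; a real router’s log format will differ and `LINE_RE` would need adjusting), and the threshold and window size are arbitrary assumptions. It does not identify TheMoon itself, for which the article gives no indicators; it only surfaces the credential-guessing path the article mentions.

```python
"""Flag brute-force / credential-stuffing bursts against a router's admin login.

Added example. The log lines are constructed; message wording is modeled on
dropbear SSH daemon messages and a real router's format will differ.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: "<ISO timestamp> <host> <process>: <message>".
# 203.0.113.7 hammers two accounts and then gets in, 192.0.2.9 fails once,
# 192.168.1.20 is a legitimate LAN-side login.
SAMPLE_LOG = """\
2024-03-04T10:00:01 router dropbear: Bad password attempt for 'admin' from 203.0.113.7:51234
2024-03-04T10:00:02 router dropbear: Bad password attempt for 'admin' from 203.0.113.7:51240
2024-03-04T10:00:02 router dropbear: Bad password attempt for 'root' from 203.0.113.7:51241
2024-03-04T10:00:03 router dropbear: Bad password attempt for 'admin' from 203.0.113.7:51250
2024-03-04T10:00:04 router dropbear: Bad password attempt for 'admin' from 203.0.113.7:51255
2024-03-04T10:00:09 router dropbear: Password auth succeeded for 'admin' from 203.0.113.7:51260
2024-03-04T10:05:00 router dropbear: Bad password attempt for 'admin' from 192.0.2.9:40000
2024-03-04T10:30:00 router dropbear: Password auth succeeded for 'admin' from 192.168.1.20:50011
"""

# Assumed message format; adapt this pattern to the device you are reading.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ \S+: "
    r"(?P<event>Bad password attempt|Password auth succeeded) "
    r"for '(?P<user>[^']+)' from (?P<ip>[\d.]+):\d+$"
)


def parse_event(line):
    """Return a dict for a login event, or None for lines the pattern does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "ok": m["event"] == "Password auth succeeded",
        "user": m["user"],
        "ip": m["ip"],
    }


def detect_bruteforce(lines, threshold=5, window_s=60):
    """Sliding-window detector over login events.

    A source IP is flagged once it produces `threshold` failed logins inside any
    `window_s`-second window (both values are arbitrary assumptions; tune them to
    the device). A later successful login from a flagged source is recorded as
    `success_after_burst`, the case that most likely means the credential was
    guessed and the device should be treated as compromised.
    Returns {ip: {"failures": int, "users": set, "success_after_burst": bool}}.
    """
    window = timedelta(seconds=window_s)
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    total = defaultdict(int)      # ip -> all failures seen
    tried = defaultdict(set)      # ip -> usernames attempted
    alerts = {}
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        ip, ts = ev["ip"], ev["ts"]
        if ev["ok"]:
            if ip in alerts:
                alerts[ip]["success_after_burst"] = True
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        total[ip] += 1
        tried[ip].add(ev["user"])
        if len(q) >= threshold or ip in alerts:
            entry = alerts.setdefault(ip, {"success_after_burst": False})
            entry["failures"] = total[ip]
            entry["users"] = set(tried[ip])
    return alerts


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(ip, info)
```

On a real device, a burst followed by a success from an unfamiliar address is a reason to assume the router is already compromised: reset it, rotate the password and check whether remote administration was exposed, rather than only blocking the one address.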
“Thanks to Lumen’s global network visibility, Black Lotus Labs identified the logic map of the Faceless proxy service, including a campaign that started in the first week of March 2024 and targeted more than 6,000 ASUS routers in less than 72 hours,” explains Black Lotus.
Threat actors interested in Faceless’ services can only pay with cryptocurrency and do not need to verify their identity. The service operators also keep their infrastructure hidden by having each infected device communicate with only a single server for as long as it remains infected. About a third of infections persist for more than 50 days, while roughly 15% are cleaned up within two days.
The best protection against these threats is to keep the router’s firmware up to date, set a strong and unique administrator password, and disable remote (WAN-side) administration unless it is genuinely needed. If the model has reached end of life, no update will ever arrive, and the only real fix is to replace the device.