A new variant of the notorious TheMoon malware has reportedly infected roughly 6,000 ASUS routers in a single 72-hour window of its latest campaign.
Reports tie the malware to the previously documented “Faceless” proxy service, which has been built on compromised, outdated small office and home office (SOHO) routers and Internet of Things (IoT) devices across 88 countries.
First identified roughly a decade ago, TheMoon originally targeted Linksys devices. The latest campaign has shifted to ASUS routers, with nearly 7,000 devices being compromised every week.
Researchers disclosed the scale of the activity, reporting that the operation began earlier this month and quickly infected more than 6,000 ASUS routers.
The exact method used to breach the ASUS routers has not been disclosed, but researchers suspect the attackers exploited known vulnerabilities in the firmware of these end-of-life devices; because such devices no longer receive updates, any publicly known flaw stays exploitable indefinitely. Brute-forcing of admin passwords, or abuse of default and weak credentials, may also have played a part.
TheMoon quickly establishes persistence on an infected router.
Once it gains access to a device, it runs a series of operations to entrench itself and connect to its command-and-control (C2) servers.
It first checks for specific shell environments, then drops and executes a payload named “.nttpd”. The operators also install iptables rules that filter incoming TCP traffic, which shields their foothold from other external intrusion rather than protecting the device's owner.
It then contacts legitimate NTP servers, both to check whether it is running inside a sandbox and to confirm that it has internet connectivity. After that it cycles through a predefined list of IP addresses to reach a C2 server and waits for instructions.
In some cases the C2 server instructs the malware to fetch additional components, such as a worm module that scans for vulnerable web servers, or “.sox” files that proxy traffic through the infected device.
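The post-infection behaviour above leaves two artifacts a defender can look for on a router: a running process named after the dropped payload, and INPUT-chain iptables rules that filter inbound TCP. The following triage script is an added example, not code from the article or from the researchers who reported the campaign. It assumes you have already pulled `ps` and `iptables -S` output from the device (for instance over SSH or a serial console); the sample output it parses is constructed for illustration, and the 203.0.113.0/24 source range and the port numbers are placeholders, not reported indicators.

```python
"""Indicator triage for a SOHO router suspected of TheMoon infection.

Added example (not the article's or the researchers' code). Inputs are
`ps` and `iptables -S` output captured from the router; samples below are
constructed. The only names taken from the report are ".nttpd" (dropped
payload) and ".sox" (proxy module); everything else is illustrative.
"""
import re

PAYLOAD_NAMES = (".nttpd", ".sox")

# Constructed BusyBox-style `ps` output: PID USER VSZ STAT COMMAND
SAMPLE_PS = """\
  PID USER       VSZ STAT COMMAND
    1 admin     1492 S    /sbin/init
  312 admin     2104 S    httpd
  455 admin     1360 S    /tmp/.nttpd
  456 admin      980 S    /tmp/.sox -p 1080
  470 admin     1200 R    ps
"""

# Constructed `iptables -S` output: stock policy plus INPUT rules that drop
# inbound TCP to the web UI ports and allow-list one external range.
SAMPLE_IPTABLES = """\
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -j DROP
-A INPUT -p tcp -m tcp --dport 80 -j DROP
-A INPUT -s 203.0.113.0/24 -p tcp -j ACCEPT
-A FORWARD -i br0 -o eth0 -j ACCEPT
"""


def find_payload_processes(ps_output: str) -> list[dict]:
    """Return processes whose executable basename is a known payload name.

    Matching the basename (not a substring of the whole line) avoids
    flagging unrelated commands that merely contain the string.
    """
    hits = []
    for line in ps_output.splitlines()[1:]:  # skip the header row
        parts = line.split(None, 4)
        if len(parts) < 5:
            continue
        pid, user, _vsz, _stat, cmd = parts
        exe = cmd.split()[0]
        if exe.rsplit("/", 1)[-1] in PAYLOAD_NAMES:
            hits.append({"pid": int(pid), "user": user, "cmd": cmd})
    return hits


# Matches `-A INPUT [-s SRC] -p tcp [-m tcp] [--dport N] -j TARGET`
_INPUT_RULE = re.compile(
    r"^-A INPUT(?:\s+-s\s+(?P<src>\S+))?\s+-p tcp"
    r"(?:\s+-m tcp)?(?:\s+--dport\s+(?P<port>\d+))?\s+-j\s+(?P<target>\w+)"
)


def find_inbound_tcp_filters(iptables_output: str) -> list[dict]:
    """Return INPUT-chain TCP rules that drop/reject inbound traffic or
    allow-list a specific source. A stock SOHO ruleset normally has
    neither; together they fence the device off for the operator."""
    findings = []
    for line in iptables_output.splitlines():
        m = _INPUT_RULE.match(line)
        if not m:
            continue
        if m.group("target") in ("DROP", "REJECT"):
            findings.append({"kind": "block", "port": m.group("port"), "rule": line})
        elif m.group("target") == "ACCEPT" and m.group("src"):
            findings.append({"kind": "allowlist", "src": m.group("src"), "rule": line})
    return findings


def triage(ps_output: str, iptables_output: str) -> dict:
    """Combine both checks into one verdict for the device."""
    procs = find_payload_processes(ps_output)
    rules = find_inbound_tcp_filters(iptables_output)
    return {
        "payload_processes": procs,
        "inbound_tcp_filters": rules,
        # A payload process is conclusive; filtering alone needs at least a
        # block plus an allow-list (or two blocks) before it is called out.
        "suspicious": bool(procs) or len(rules) >= 2,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_PS, SAMPLE_IPTABLES), indent=2))
```

On a real device, capture the two listings first and run the script against them offline; note that a hidden-name payload can be renamed by a future variant, so treat the iptables check as the more durable of the two signals and confirm any hit by inspecting the binary in `/tmp` directly.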
These tactics show how far TheMoon has developed and the threat it poses to networks worldwide. Given the suspected entry points, owners should replace routers that no longer receive firmware updates, keep supported models patched, and change any default or weak administrator credentials.