The Darkside of TheMoon – Lumen

Lumen’s Black Lotus Labs uncovered an updated TheMoon botnet variant that has been recruiting end-of-life SOHO routers and IoT devices into the Faceless residential proxy service, growing to over 40,000 bots in early 2024. Lumen blocked associated infrastructure on its backbone and published IoCs to help defenders identify and mitigate infections. #TheMoon #Faceless

Keypoints

  • TheMoon resurfaced as an active botnet that enrolls EoL SOHO routers and IoT devices into the Faceless proxy network, reaching 40,000+ bots across 88 countries in Jan–Feb 2024.
  • The infection begins with a lightweight loader that checks for /bin/bash, /bin/ash, or /bin/sh, then decrypts and launches the .nttpd payload which manages a .nttpd.pid and versioning.
  • TheMoon sets iptables rules on infected devices (drops TCP 8080/80; allows specific subnets such as 91.215.158.0/24, 195.3.144.0/24, 185.246.128.0/24) and uses NTP checks to confirm connectivity/sandbox avoidance.
  • Post-check-in, devices connect to hard-coded IPs (connecting on port 15194 and sending a probe on port 16194) to receive additional ELF modules: a worm (.scn via .scz) that scans and writes .nttpd to vulnerable web servers, and a .sox proxy module that enables Faceless functionality.
  • The .sox module awaits a .sox.twn update, reads four bytes to set a Faceless C2 (e.g., 195.3.147.73), then repeatedly contacts the C2 on ports 4210–4217 and egress ports 501x to forward user traffic.
  • Telemetry shows a strong overlap (≈80–90%) between TheMoon and Faceless C2 communications; Faceless has been used by other botnet operators (e.g., SolarMarker, IcedID), prompting Lumen to block related infrastructure and share IoCs.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – The worm module scans IP blocks and targets web servers on ports 80 and 8080 to write and execute .nttpd (‘the .scn executable will attempt to spread itself by scanning an IP block supplied by the C2, in search of vulnerable web servers on ports 80 and 8080’).
  • [T1090] Proxy – Compromised devices forward user requests and act as exit points for Faceless, hiding attacker origin (‘The C2 on port 5015 then forwards requests to the infected host on behalf of the Faceless user.’).
  • [T1105] Ingress Tool Transfer – Additional ELF modules and scripts are downloaded to extend functionality (.sox, .scn, etc.) after initial check-in (‘The infected device then requests and downloads the corresponding ELF executable.’).
  • [T1027] Obfuscated Files or Information – Loader and modules use decryption/obfuscation for payload delivery and configuration (.nttpd, .sox.twn updates) (‘it will decrypt, drop, and execute the next stage payload “.nttpd.”’).
  • [T1219] Remote Access Software – Faceless enables remote, anonymized access through compromised residential devices, acting like remote access/egress points (‘The Faceless proxy service offers their users the ability to mimic a connection, as if they were a legitimate ISP end-user’).
  • [T1078.003] Valid Accounts: Local Accounts – The campaign targets EoL SOHO devices that often retain default or weak credentials, facilitating compromise (‘targeting SOHO routers and IoT devices that may rely on common default passwords’).
  • [T1110.001] Brute Force: Password Guessing – Faceless-provided proxies are suspected to be used for password spraying and credential abuse against targets (‘we suspect the bulk of the criminal activity is likely password spraying’).

Indicators of Compromise

  • [IP Address] C2 and infrastructure examples – 195.3.147.73 (Faceless C2), 45.143.201.87 (scanning/FTP host), and other addresses such as 195.3.144.0/24, 91.215.158.0/24.
  • [Files / Filenames] Malware payloads and scripts – .nttpd (primary payload), .sox (proxy module), .sox.twn (C2 update), .scz / .scn (worm delivery), .soxT / .soxP (update & cleanup scripts).
  • [Ports/Port Ranges] C2 and proxy communication – check-in/connectivity on ports 15194/16194, Faceless communication on 4210–4217 and 501x (e.g., 5015), and common web ports 80/8080 used for exploitation.
  • [Services/Hosts] Scanning and auxiliary infrastructure – 45.143.201.87:32123 (FTP observed communicating with ~3,500 devices) and devices running Acunetix on ports 3443/7880 used by the campaign.
  • [Device Types] Targeted endpoints – End-of-life SOHO routers and IoT devices (example: ASUS routers and D-Link DCS-930L cameras used in infection clusters).

TheMoon’s technical infection chain begins with a tiny loader that verifies the presence of /bin/bash, /bin/ash, or /bin/sh; if successful it decrypts and writes the .nttpd payload and manages a .nttpd.pid file and version checks. The binary enforces iptables rules (dropping TCP 8080 and 80 while permitting select subnets), performs NTP checks to confirm network connectivity and to avoid sandbox analysis, then iterates through hard-coded IPs to connect on port 15194 and send a probe packet on port 16194. On valid check-in, the C2 directs the device to download additional ELF modules (via T1105), including a worm (.scn delivered from .scz) and a proxy module (.sox).

The worm module attempts lateral spread by scanning C2-supplied IP blocks for vulnerable web servers on ports 80 and 8080; when it finds an exploitable host it writes and executes .nttpd using echo-based file drops. The .sox proxy module validates versioning, can modify iptables to open ports for module retrieval, and persistently attempts to contact embedded IPs on ports 4210–4217 until it receives a .sox.twn update file. That .sox.twn file contains four bytes read at a fixed offset that replace the hard-coded IP to point to a Faceless C2 (example: 195.3.147.73); the .sox then polls the new C2 every ~5 seconds on 4210–4217 and, upon response, connects on a 501x port to accept proxying instructions.

The Faceless logical flow routes end-user traffic through intermediary/Faceless C2 nodes which forward requests to infected bots acting as exit points, preserving user anonymity. Telemetry shows strong overlap between TheMoon and Faceless (≈80–90% of infected hosts contact both), and operators use siloed infrastructure for scanning, enrollment, and proxying. Key defensive actions are blocking known C2s/IPs, monitoring the listed ports and filenames (.nttpd, .sox, .sox.twn, .scn/.scz), and alerting on unusual connections from residential ASNs or EoL SOHO device types.
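The following is an added detection example, not code from Lumen or the report, that turns the indicators summarised above (C2 host 195.3.147.73, scanning host 45.143.201.87, the allow-listed subnets, check-in ports 15194/16194, polling ports 4210–4217, egress ports 501x, and the dropped filenames) into a small hunt over flow-style log records and file listings. The log line format, the sample flows (including the constructed check-in address 91.215.158.10 inside one of the published subnets) and the sample paths are all constructed for the example; the ~5-second .sox beacon is used to flag sources that poll a known C2 repeatedly rather than alerting on a single high-numbered port, which would be noisy.

```python
"""Hunt for TheMoon / Faceless indicators in flow logs and file listings.

Added example (not from Lumen's report). Indicators come from the summary;
log format, sample flows and sample paths are constructed for illustration.
"""
import ipaddress
import os
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Published indicators: Faceless C2, scanning/FTP host, subnets the bot allow-lists.
KNOWN_IPS = {"195.3.147.73", "45.143.201.87"}
KNOWN_SUBNETS = [ipaddress.ip_network(n) for n in
                 ("195.3.144.0/24", "91.215.158.0/24", "185.246.128.0/24")]
CHECKIN_PORTS = {15194, 16194}           # initial check-in and probe packet
POLL_PORTS = set(range(4210, 4218))      # .sox polls the Faceless C2 here
EGRESS_PORTS = set(range(5010, 5020))    # "501x" channel used to accept proxy instructions
SUSPECT_NAMES = {".nttpd", ".nttpd.pid", ".sox", ".sox.twn",
                 ".scn", ".scz", ".soxT", ".soxP"}

# Assumed flow-log shape: "<ts> <src>:<sport> -> <dst>:<dport> <proto>"
FLOW_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
                     r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>\w+)$")


@dataclass
class Finding:
    ts: str
    src: str
    dst: str
    dport: int
    severity: str
    reasons: List[str]


def _dst_is_indicator(dst: str) -> bool:
    try:
        addr = ipaddress.ip_address(dst)
    except ValueError:
        return False
    return dst in KNOWN_IPS or any(addr in net for net in KNOWN_SUBNETS)


def classify_flow(line: str) -> Optional[Finding]:
    """Return a Finding when a flow matches a published IP or a malware-specific port."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    dst, dport = m["dst"], int(m["dport"])
    ip_hit = _dst_is_indicator(dst)
    port_reason = None
    if dport in CHECKIN_PORTS:
        port_reason = "TheMoon check-in/probe port (15194/16194)"
    elif dport in POLL_PORTS:
        port_reason = "Faceless polling port (4210-4217)"
    elif dport in EGRESS_PORTS:
        port_reason = "Faceless egress port (501x)"
    if not ip_hit and port_reason is None:
        return None
    reasons = []
    if ip_hit:
        reasons.append("destination matches published C2/infrastructure indicator")
    if port_reason:
        reasons.append(port_reason)
    # A port alone is weak evidence; escalate only when the destination is also known.
    severity = "high" if ip_hit and port_reason else ("medium" if ip_hit else "low")
    return Finding(m["ts"], m["src"], dst, dport, severity, reasons)


def hunt_flows(lines) -> List[Finding]:
    return [f for f in (classify_flow(l) for l in lines) if f is not None]


def polling_sources(findings: List[Finding], min_polls: int = 3) -> List[str]:
    """Sources that repeatedly poll a known C2 on 4210-4217: the ~5 s .sox beacon."""
    counts = Counter(f.src for f in findings
                     if f.dport in POLL_PORTS and f.severity == "high")
    return sorted(src for src, n in counts.items() if n >= min_polls)


def suspicious_paths(paths) -> List[str]:
    """Paths whose basename matches one of the dropped filenames."""
    return [p for p in paths if os.path.basename(p) in SUSPECT_NAMES]


# Constructed sample data: one infected host beaconing, one benign host, one port-only hit.
SAMPLE_FLOWS = """\
2024-02-01T10:00:00Z 192.168.1.20:51234 -> 91.215.158.10:15194 tcp
2024-02-01T10:00:01Z 192.168.1.20:51235 -> 91.215.158.10:16194 udp
2024-02-01T10:02:00Z 192.168.1.20:51300 -> 195.3.147.73:4212 tcp
2024-02-01T10:02:05Z 192.168.1.20:51301 -> 195.3.147.73:4213 tcp
2024-02-01T10:02:10Z 192.168.1.20:51302 -> 195.3.147.73:4214 tcp
2024-02-01T10:02:11Z 192.168.1.20:51303 -> 195.3.147.73:5015 tcp
2024-02-01T10:05:00Z 192.168.1.55:40000 -> 93.184.216.34:443 tcp
2024-02-01T10:06:00Z 192.168.1.60:40001 -> 10.0.0.9:4215 tcp
"""
SAMPLE_PATHS = ["/tmp/.nttpd", "/tmp/.nttpd.pid", "/var/tmp/.sox.twn",
                "/etc/hosts", "/home/user/.bashrc"]

if __name__ == "__main__":
    found = hunt_flows(SAMPLE_FLOWS.splitlines())
    for f in found:
        print(f"[{f.severity}] {f.ts} {f.src} -> {f.dst}:{f.dport}  {'; '.join(f.reasons)}")
    print("beaconing sources:", polling_sources(found))
    print("suspect files:", suspicious_paths(SAMPLE_PATHS))
```

On the constructed sample the infected host produces six high-severity findings (two check-in flows into an allow-listed subnet, three polls and one 501x connection to the Faceless C2), the internal port-4215 flow is reported only as low severity, and only the host with three polls is listed as beaconing. In production the IP sets would be fed from the published IoC list and the flow parser swapped for the local NetFlow or firewall format.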

Read more: https://blog.lumen.com/the-darkside-of-themoon/?utm_source=rss&utm_medium=rss&utm_campaign=the-darkside-of-themoon