Multi-year campaign by TheMoon malware, discovered by Black Lotus targeting defenseless routers and turning them into bots for the faceless proxy service. TheMoon bots grew to over 40,000 in early 2024 and enabled Faceless to obtain nearly 7,000 new users weekly.

It recognized a botnet targeting end-of-life SOHO/IoT devices in late 2023, which is the alternative of the previously dormant TheMoon botnet, that infects devices and enrolls them in the Faceless residential proxy service.  

Logical overview of Faceless Network

Faceless is a inheritor to the iSocks anonymity service and is admired amongst cyberpunks for anonymizing their activities, considering there strong interrelation between TheMoon bots and Faceless puts forward TheMoon is the main distributor of bots for the Faceless proxy services. It portrayed the Faceless network and perceived an operation targeting 6,000 ASUS routers within 3 days, while Lumen Technologies blocked the traffic to/from Faceless and TheMoon bots. 

The embryonic loader exploiting shell availability contaminates the devices and then establishes determination, sets uncompromising rules for specific IP addresses and uses a spoofed NTP request to verify internet connectivity.

Check-in packet from debugger on the left and packet capture on the right

The Worm Module spreads by utilizing unprotected web services and downloading supplementary modules and the .sox file. Upon implementation, updates get checked and establish a connection with the Faceless  C2 server.     

The .sox.twn file 

When no updates are found, then a hardcoded IP address is used to connect and receive the updated file, .sox extracts the C2 server address. It forwards the additional scripts to update C2 information and initiates communication on a random port. 

The inspection revealed a powerful connection between TheMoon bots and Faceless proxy service where the observation says that significance imbricates between bots communicating with both C2 servers. 

Chart showing the delta between when an infected device communicates with a Moon and Faceless Server

Recently, TheMoon bots gets in touch with a Faceless C2 server within 3 days, both services used the same communication port scheme and establishes a Faceless C2 server directly contacting a TheMoon C2 server, strongly propounded TheMoon as a principal botnet feeding Faceless.

Graphic showing the Moon Elf file hosting on a Faceless C2

Global Telemetry Analysis- Faceless 

The Moon malware communicates with its C2 services and infects the devices, as a section of these devices are registered in the Faceless proxy network, where they get instructed by Faceless C2s and before achieving the target, route traffic through an intermediate server.

Longevity of Faceless bots

The network is specifically useful for bypassing geolocation and IP based blocking, as investigation shows that while 30,000 bots communicate with TheMoon C2 weekly, only 23,000 connect to Faceless C2s, encouraging some devices to interact with theMoon except Faceless.

It has been suspected that the residue bots might be used for expertise filling or commercial data exfiltration.