Thousands of Asus routers taken over by malware to form new proxy service

A white padlock on a dark digital background.
(Image credit: Shutterstock.com)

Thousands of old, outdated Asus routers are being targeted by a new version of “TheMoon” malware botnet, turning them into a network of devices used by a criminal residential proxy service.

Researchers from Black Lotus Labs claim the campaign started in early March 2024 and within 72 hours, compromised roughly 6,000 Asus routers. 

These routers are older and past their end-of-life date, prompting the researchers to speculate that the hackers were most likely abusing a known vulnerability to deploy the malware.

Becoming Faceless

While Asus routers do make up the majority of the infected devices, they’re not the only ones. Black Lotus says that roughly 7,000 new endpoints are being added to the botnet every week. They are located all over the world, so no specific geography seems to be preferred. Other methods of breaching the devices include brute-force attacks and credential stuffing.

Once the devices are infected, they become part of the Faceless proxy service, a known dark web tool that hackers use to hide their online activities, BleepingComputer explained. Among the groups using Faceless are IcedID and SolarMarker. 

"Through Lumen's global network visibility, Black Lotus Labs has identified the logical map of the Faceless proxy service, including a campaign that began in the first week of March 2024 that targeted over 6,000 ASUS routers in less than 72 hours," Black Lotus explained. 

Threat actors interested in Faceless’ services can only pay with cryptocurrencies, and do not require to verify their identities. What’s more, they keep their infrastructure a secret by having each device communicate with just one server, for as long as it’s infected. A third of infections last more than 50 days, while roughly 15% get eliminated within two days. 

The best way to defend against these threats is to make sure your routers are always updated and that they have a strong password.

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.