A new strain of TheMoon malware has emerged, infecting a significant number of outdated small office/home office (SOHO) routers and IoT devices worldwide. The Black Lotus Labs team at Lumen Technologies discovered this updated version targeting end-of-life devices; the malware has made its presence known by infecting thousands of devices in 88 countries. TheMoon botnet, first detected in 2014, has evolved over the years, with its operators integrating at least six IoT device exploits into its code. Known for targeting routers from a range of vendors, the botnet has caused widespread concern because of its reach and its potential for malicious activity.
The infection chain initiated by TheMoon malware typically begins with a lightweight loader that checks for specific shells before executing the next-stage payload. The malware then installs firewall rules to control incoming TCP traffic, connects to NTP servers to verify that it has internet access, and finally communicates with hardcoded IP addresses to receive instructions from its command-and-control server. The discovery of this new variant underscores the ongoing battle against sophisticated malware strains and emphasizes the importance of cybersecurity measures to safeguard vulnerable devices from such threats.
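The behaviour just described, an NTP connectivity check followed by sessions to hardcoded C2 addresses, gives defenders a low-noise indicator: a device that opens outbound TCP connections to an address no DNS answer ever returned to it. The script below is an added example written for this page, not code from Black Lotus Labs or from the malware; its log format, IP addresses and per-source rule are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample of router-side flow events (not real data):
# "<ts> <src-ip> <event> <detail>", where event is dns (name=answer),
# udp (dst:port) or tcp (dst:port).
SAMPLE_LOG = """\
100 192.0.2.10 dns example.net=198.51.100.7
101 192.0.2.10 tcp 198.51.100.7:443
102 192.0.2.20 udp 203.0.113.5:123
103 192.0.2.20 tcp 203.0.113.77:8080
104 192.0.2.30 dns pool.ntp.org=203.0.113.5
105 192.0.2.30 udp 203.0.113.5:123
"""

def parse_events(log):
    """Parse the constructed log into (ts, src, kind, detail) tuples."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, src, kind, detail = line.split()
        events.append((int(ts), src, kind, detail))
    return sorted(events)

def find_hardcoded_destinations(log, ntp_port="123"):
    """Return {src: [(dst_ip, ntp_check_first), ...]}.

    A TCP destination is reported when no DNS answer seen for that source
    ever returned it, i.e. the address was hardcoded in the client.
    ntp_check_first is True when the source had already sent UDP/123 to an
    equally unresolved address: the connectivity probe the text describes.
    """
    resolved = defaultdict(set)   # src -> IPs returned to it by DNS
    ntp_probe = set()             # sources seen probing NTP by raw IP
    findings = defaultdict(list)
    for _ts, src, kind, detail in parse_events(log):
        if kind == "dns":
            resolved[src].add(detail.partition("=")[2])
            continue
        dst, _, port = detail.rpartition(":")
        if dst in resolved[src]:
            continue              # destination came from DNS: expected behaviour
        if kind == "udp" and port == ntp_port:
            ntp_probe.add(src)
        elif kind == "tcp":
            findings[src].append((dst, src in ntp_probe))
    return dict(findings)

if __name__ == "__main__":
    for src, hits in find_hardcoded_destinations(SAMPLE_LOG).items():
        print(src, hits)
```

Legitimate firmware does contact hardcoded NTP and update servers, so treat the result as a triage list to compare against the vendor's known addresses rather than a verdict.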