TheMoon Botnet Resurrected

Apr 02 2024



Welcome to Gone Phishing, your daily cybersecurity newsletter that goes to war with cybercriminals like JK Rowling with Scotland #ArrestMe 👀🧙😂

Today’s hottest cybersecurity news stories:

  • 🌙 TheMoon botnet returns, exploits EoL devices to fuel a criminal proxy 🦹

  • 🚪 Backdoor discovered in the XZ Utils library, affects major Linux distributions 🌐

  • 💻 macOS users beware! Atomic Stealer and Realst are on the prowl 🐅

Hackers: Fly me to TheMoon 🎶🌙💀

🚨 TheMoon Botnet Resurrected as the Faceless Proxy Service's Backbone! 🔒

TheMoon, a router botnet first spotted in 2014 and long assumed to have faded away, is back. Black Lotus Labs at Lumen Technologies reports that it is conscripting end-of-life (EoL) small office/home office (SOHO) routers and IoT devices into the backbone of the Faceless criminal proxy service.

👀 Introducing Faceless: A Criminal Haven

Faceless, first exposed by security journalist Brian Krebs in April 2023, sells anonymity to cybercriminals on the cheap: for less than a dollar a day, a customer can route malicious traffic through the compromised devices Faceless rents out, so victims and defenders see a residential IP address instead of the attacker's own.

⚔️ Unveiling the Cyber Arsenal

Operators of malware families such as SolarMarker and IcedID use Faceless to reach their command-and-control servers through these proxies, masking the true IP addresses of their infrastructure.

💼 Prime Targets: Financial Sector Under Siege

Lumen says the proxy traffic is aimed mainly at the financial sector, with password spraying and data exfiltration the most common activities, and that more than 80% of the infected hosts sit in the U.S.
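Spraying through a residential proxy pool is exactly what defeats the usual "N failures from one IP" rule, because every attempt arrives from a different compromised router. As an added example (not Lumen's tooling, and not code from the report), the heuristic below buckets failed logins by time window and flags a window where many distinct usernames each fail only once or twice from many distinct source IPs, while leaving a classic single-IP brute force alone. The sshd-style log lines are constructed, and the log format and thresholds are assumptions.

```python
"""Password-spray heuristic for auth logs (added example; not Lumen's tooling).

Residential proxies let an attacker spread a spray across many unrelated
source IPs, so a per-IP failure threshold never trips. Instead, bucket
failures by time window and look for MANY users, each tried a FEW times,
from MANY source IPs. Assumed log format: OpenSSH-style "Failed password"
lines with an ISO 8601 timestamp prefix.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample lines (not real telemetry); addresses are RFC 5737 test ranges.
SAMPLE_LOG = """\
2024-03-28T10:00:01Z sshd[4811]: Failed password for alice from 203.0.113.10 port 51022 ssh2
2024-03-28T10:00:03Z sshd[4812]: Failed password for bob from 198.51.100.7 port 51023 ssh2
2024-03-28T10:00:05Z sshd[4813]: Failed password for carol from 203.0.113.10 port 51030 ssh2
2024-03-28T10:00:08Z sshd[4814]: Failed password for dave from 192.0.2.44 port 40101 ssh2
2024-03-28T10:00:10Z sshd[4815]: Failed password for invalid user erin from 198.51.100.23 port 40102 ssh2
2024-03-28T10:00:14Z sshd[4816]: Failed password for frank from 203.0.113.77 port 40110 ssh2
2024-03-28T10:00:19Z sshd[4817]: Failed password for grace from 192.0.2.44 port 40111 ssh2
2024-03-28T10:00:22Z sshd[4818]: Failed password for heidi from 198.51.100.250 port 40120 ssh2
2024-03-28T10:00:30Z sshd[4819]: Accepted publickey for ops from 10.0.0.5 port 50000 ssh2
2024-03-28T11:00:01Z sshd[5201]: Failed password for root from 192.0.2.200 port 33001 ssh2
2024-03-28T11:00:02Z sshd[5202]: Failed password for root from 192.0.2.200 port 33002 ssh2
2024-03-28T11:00:03Z sshd[5203]: Failed password for root from 192.0.2.200 port 33003 ssh2
2024-03-28T11:00:04Z sshd[5204]: Failed password for root from 192.0.2.200 port 33004 ssh2
2024-03-28T11:00:05Z sshd[5205]: Failed password for root from 192.0.2.200 port 33005 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: Failed password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(lines):
    """Yield (timestamp, user, source_ip) for each failed-password line; skip everything else."""
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
            yield ts, m["user"], m["ip"]


def detect_spray(lines, window=timedelta(minutes=10), min_users=5, min_ips=3, per_user_cap=2):
    """Return one finding per time window that looks like a distributed password spray.

    A window is flagged when it holds at least `min_users` distinct usernames,
    none tried more than `per_user_cap` times, from at least `min_ips` distinct
    source IPs. Single-target brute force (one user, many tries) is deliberately
    NOT matched here; that is a different detection.
    """
    width = window.total_seconds()
    buckets = defaultdict(list)
    for ts, user, ip in parse_failures(lines):
        buckets[int(ts.timestamp() // width)].append((user, ip))

    findings = []
    for idx in sorted(buckets):
        events = buckets[idx]
        per_user = defaultdict(int)
        for user, _ in events:
            per_user[user] += 1
        ips = {ip for _, ip in events}
        if (len(per_user) >= min_users and len(ips) >= min_ips
                and max(per_user.values()) <= per_user_cap):
            findings.append({
                "window_start": datetime.fromtimestamp(idx * width, tz=timezone.utc).isoformat(),
                "failures": len(events),
                "distinct_users": len(per_user),
                "distinct_ips": len(ips),
                "max_per_user": max(per_user.values()),
                "source_ips": sorted(ips),
            })
    return findings


if __name__ == "__main__":
    for f in detect_spray(SAMPLE_LOG.splitlines()):
        print(f"spray suspected from {f['window_start']}: {f['distinct_users']} users, "
              f"{f['distinct_ips']} IPs, {f['failures']} failures")
```

On the sample, the 10:00 window (eight users, six IPs, one attempt each) is flagged and the 11:00 window (root hammered from one address) is not. The `source_ips` list is what you would feed to an enrichment step; with a residential proxy behind the spray, expect them to resolve to consumer ISPs rather than hosting providers, which is itself a signal.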

🌙 TheMoon's Modus Operandi

TheMoon's new campaign targets devices that are past end of life and so will never receive a patch for the flaws it exploits. Infected devices get an updated build of the malware: a small loader lands first and pulls down ELF executables that enrol the router in the proxy network.

Fuelled by TheMoon's infections, Faceless has grown into a formidable force in the cyber underworld, with more than 40,000 bots across 88 countries. A proxy pool that large and that widely distributed also means IP reputation alone will not keep its customers out of your systems.

Stay vigilant, stay secure. The battle against cyber threats continues.

Join the webinar on April 10: Combating threats through a continuous compliance with Vanta, CrowdStrike, and AWS

As the movement towards cloud-first continues, how can teams ensure their cloud security and compliance programs are optimized? On April 10, join leaders from Vanta, CrowdStrike, and AWS as they discuss ways to leverage continuous compliance and security to proactively monitor cloud infrastructure.

Backdoor bandits, the bunch of them! 🍆🍑💀

🚨 URGENT: Backdoor Alert in XZ Utils Threatens Linux Systems! 💻

Red Hat has issued a critical security alert revealing a malicious backdoor in two releases of XZ Utils, the widely used compression library and toolset, putting Linux systems worldwide at risk.

🔍 The Breach: CVE-2024-3094 Unveiled

The compromise is tracked as CVE-2024-3094 and carries a CVSS score of 10.0, the maximum. XZ Utils versions 5.6.0 and 5.6.1, released in February and March 2024 respectively, contain the malicious code.

🛑 Intricate Subversion Tactics Uncovered

According to Red Hat (an IBM subsidiary), the liblzma build process, through a series of obfuscations, extracts a prebuilt object file from a disguised test file in the source tree and uses it to modify specific functions in liblzma. The resulting library is loaded by any software linked against it, which lets the backdoor intercept and alter that software's interaction with the library.

🔒 Target: SSHD Daemon Under Siege

The malicious code is aimed at the sshd daemon. On several distributions sshd is patched to use libsystemd for service notifications, and libsystemd in turn pulls in liblzma, so the tampered library ends up inside the SSH server's process and can interfere with authentication. The practical effect is a potential path to unauthorised remote access.

🕵️ Discoverer and Culprit Unmasked

Microsoft engineer Andres Freund, credited with uncovering the issue, traced it to four surreptitious commits by the GitHub user Jia Tan (JiaT75) to the Tukaani Project's repository. The heavy obfuscation points to a deliberate, long-planned attack rather than an accident.

🛑 Defense Measures and Impact Assessment

To mitigate the risk, Fedora Linux 40 users are advised to revert to a stable 5.4 build. Rolling-release channels of several distributions, including Arch Linux, Kali Linux, and openSUSE, shipped the affected versions, prompting swift action to prevent exploitation.

🔔 National Alert Issued by CISA

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has sounded the alarm, urging users and developers to downgrade XZ Utils to an uncompromised version (the 5.4.x series) to safeguard against potential breaches.
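The two questions a responder actually has to answer are whether the installed xz/liblzma is one of the two backdoored releases and whether this host's sshd even loads liblzma (on the affected distributions it does, indirectly, through libsystemd). Here is an added example (not Red Hat's, CISA's or the Tukaani Project's code) that parses the text `xz --version` and `ldd <sshd>` print so the logic can be exercised offline on constructed output, and that runs the real commands when they are present. The sample command output and the `/usr/sbin/sshd` fallback path are assumptions.

```python
"""CVE-2024-3094 exposure check (added example; not Red Hat's, CISA's or Tukaani's code).

(1) Is the installed xz/liblzma one of the two backdoored releases?
(2) Does this host's sshd actually load liblzma (via libsystemd on affected distros)?
The parsers work on the text that `xz --version` and `ldd <sshd>` print, so they can
be tested on constructed output; inspect_host() runs the real commands when they exist.
"""
import os
import re
import shutil
import subprocess

BACKDOORED_VERSIONS = {"5.6.0", "5.6.1"}  # the two releases named in CVE-2024-3094

# Constructed sample output in the real `xz --version` layout (xz version, then liblzma version).
SAMPLE_XZ_VERSION = "xz (XZ Utils) 5.6.1\nliblzma 5.6.1\n"

# Constructed `ldd /usr/sbin/sshd` output: libsystemd is present and drags in liblzma.
SAMPLE_LDD = """\
\tlinux-vdso.so.1 (0x00007ffd4a9f1000)
\tlibsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f3a1c000000)
\tliblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f3a1bfc0000)
\tlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f3a1bdc0000)
"""


def xz_version_from_output(text):
    """'xz (XZ Utils) 5.6.1 ...' -> '5.6.1'; None if the banner is missing."""
    m = re.search(r"xz \(XZ Utils\) (\d+\.\d+\.\d+)", text)
    return m.group(1) if m else None


def is_backdoored_version(version):
    """True only for the exact releases that carry the backdoor."""
    return version in BACKDOORED_VERSIONS


def liblzma_in_ldd(text):
    """Return the liblzma path an `ldd` listing resolves to, or None if sshd does not link it."""
    for line in text.splitlines():
        if "liblzma.so" in line:
            m = re.search(r"=>\s*(\S+)", line)
            return m.group(1) if m else line.strip()
    return None


def assess(xz_output, ldd_output):
    """Combine both signals. 'exposed' means: backdoored release AND sshd loads liblzma."""
    version = xz_version_from_output(xz_output)
    lzma_path = liblzma_in_ldd(ldd_output)
    backdoored = is_backdoored_version(version)
    return {
        "xz_version": version,
        "backdoored_release": backdoored,
        "sshd_loads_liblzma": lzma_path is not None,
        "liblzma_path": lzma_path,
        "exposed": backdoored and lzma_path is not None,
    }


def inspect_host(sshd_path=None):
    """Run the real commands on this machine; missing tools simply yield empty output."""
    xz_out = ""
    if shutil.which("xz"):
        xz_out = subprocess.run(["xz", "--version"], capture_output=True, text=True).stdout
    ldd_out = ""
    # Assumed default location for sshd when it is not on PATH.
    sshd = sshd_path or shutil.which("sshd") or "/usr/sbin/sshd"
    if shutil.which("ldd") and os.path.exists(sshd):
        ldd_out = subprocess.run(["ldd", sshd], capture_output=True, text=True).stdout
    return assess(xz_out, ldd_out)


if __name__ == "__main__":
    print("constructed sample:", assess(SAMPLE_XZ_VERSION, SAMPLE_LDD))
    print("this host:", inspect_host())
```

Two caveats. A version other than 5.6.0/5.6.1 means this CVE does not apply, not that the host is otherwise clean, and a host whose sshd does not link liblzma still needs the downgrade because other programs use the library. And the version is the decision point, not observed behaviour: the backdoor only activates under particular build conditions, so a quiet sshd proves nothing.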

Stay vigilant, Linux users! Collaborative efforts are underway to secure our systems against this insidious threat.

🎣 Catch of the Day!! 🌊🐟🦞

🃏 The Motley Fool: “Fool me once, shame on — shame on you. Fool me — you can't get fooled again.” Good ol’ George Dubya 😂 Let us tell you who’s not fooling around though; that’s the Crüe 👀 at Motley Fool. You’d be a fool (alright, enough already! 🙈) not to check out their Share Tips from time to time so your savings can one day emerge from their cocoon as a beautiful butterfly! 🐛 Kidding aside, if you check out their website they’ve actually got a ton of great content with a wide variety of investment ideas to suit most budgets 🤑 (LINK)

🚵 Wander: Find your happy place. Cue Happy Gilmore flashback 🏌️⛳🌈🕊️ Mmmm, Happy Place… 😇 So, we’ve noticed a lot of you are interested in travel. As are we! We stumbled upon this cool company that offers a range of breathtaking spots around the United States and, honestly, the website alone is worth a gander. When all you see about the land of the free and the home of the brave is news of rioting, looting and school shootings, it’s easy to forget how beautiful some parts of it are. The awe-inspiring locations, along with the innovative architecture of the hotels, set Wander apart from your run-of-the-mill American getaway 🏞️😍 (LINK)

🌊 Digital Ocean: If you build it, they will come. Nope, we’re not talking about a baseball field for ghosts ⚾👻🍿 (great movie, to be fair 🙈). This is Digital Ocean, who’ve got a really cool platform for building and hosting pretty much anything you can think of. If you check out their website you’ll find yourself catching the buzz even if you can’t code (guilty 😑). But if you can, and you’re looking for somewhere to test things out, launch something new or simply enhance what you’ve got, we’d recommend checking out their services fo’ sho 😉 And how can you not love their slogan: Dream it. Build it. Grow it. Right on, brother! 🌿 (LINK)

And you thought an Atomic wedgie was bad… ⚛️🩲💀

🚨 macOS Under Siege: Stealthy Stealer Malware Targeting Apple Users! 🍎

A new wave of infostealer attacks is targeting macOS users, using deceptive ads and counterfeit websites to distribute malicious payloads and raising alarms among security researchers.

🔍 The Threat Unveiled

Jamf Threat Labs uncovered an attack chain in which users searching for Arc Browser encounter bogus ads that lead to look-alike download sites, ultimately delivering the notorious Atomic Stealer (AMOS) malware. Separately, fake sites such as meethub[.]gg lure victims with promises of free software and infect them with another stealer, Realst.

🛑 Modus Operandi of the Malware

Once run, the malware throws up a dialog asking the victim for their system password; with it, the stealer can unlock and copy keychain contents, browser-stored credentials, and cryptocurrency wallet files. Because the prompt looks like an ordinary system dialog, this bit of social engineering makes the attacks highly effective.
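The fake password prompt is the step a defender can most readily spot. As an added example (not Jamf's or Moonlock's detection logic), the following scans constructed process-execution records for the pattern Atomic Stealer is documented to use, an AppleScript `display dialog ... default answer "" with hidden answer` launched through osascript, and for keychain file access by a process running from a mounted disk image. The event schema (pid, parent image path, command line) and the sample events are assumptions, not a particular EDR's format or real telemetry.

```python
"""Spot stealer-style credential prompts and keychain grabs on macOS (added example).

Atomic Stealer asks for the login password with an AppleScript dialog so the theft
looks like a routine system prompt: `osascript -e 'display dialog ... default answer ""
with hidden answer'`. It then needs the keychain files and browser/wallet data.
The records below are constructed process-execution events; the field names are an
assumption, not a specific EDR schema.
"""
import re

# Constructed events (not real telemetry). 'parent' is the image path of the parent process.
SAMPLE_EVENTS = [
    {"pid": 611, "parent": "/Volumes/Arc Installer/Arc",
     "cmdline": "osascript -e 'display dialog \"macOS needs to access System Settings. "
                "Please enter your password.\" with title \"System Preferences\" "
                "with icon caution default answer \"\" with hidden answer'"},
    {"pid": 612, "parent": "/usr/libexec/backupd",
     "cmdline": "osascript -e 'display notification \"Backup complete\" with title \"Time Machine\"'"},
    {"pid": 613, "parent": "/Volumes/Arc Installer/Arc",
     "cmdline": "/bin/cp /Users/victim/Library/Keychains/login.keychain-db /tmp/.k"},
    {"pid": 614, "parent": "/Applications/Utilities/Script Editor.app/Contents/MacOS/Script Editor",
     "cmdline": "osascript -e 'display dialog \"Enter your PIN\" default answer \"\" with hidden answer'"},
    {"pid": 615, "parent": "/bin/zsh",
     "cmdline": "/bin/ls -la /Users/victim/Library/Keychains"},
]

HIDDEN_ANSWER = re.compile(r"display dialog.*with hidden answer", re.DOTALL)
PASSWORD_WORDS = re.compile(r"passw(?:or)?d|passcode|keychain", re.IGNORECASE)
KEYCHAIN_HINTS = ("Library/Keychains", ".keychain")


def from_mounted_image(path):
    """Processes living on a mounted DMG show up under /Volumes/ on macOS."""
    return path.startswith("/Volumes/")


def classify(event):
    """Return a finding dict for a suspicious event, or None for a benign one."""
    cmd = event["cmdline"]
    reasons = []
    severity = None

    # Rule 1: a masked-input AppleScript dialog; higher if the text asks for a password.
    if "osascript" in cmd and HIDDEN_ANSWER.search(cmd):
        reasons.append("osascript hidden-answer dialog (credential capture UI)")
        severity = "medium"
        if PASSWORD_WORDS.search(cmd):
            reasons.append("dialog text asks for a password")
            severity = "high"

    # Rule 2: anything touching keychain files from a process that lives on a mounted image.
    if from_mounted_image(event["parent"]):
        if any(h in cmd for h in KEYCHAIN_HINTS):
            reasons.append("keychain file access by a process running from a mounted image")
            severity = "high"
        elif reasons:
            reasons.append("launched from a mounted disk image")
            severity = "high"

    if not reasons:
        return None
    return {"pid": event["pid"], "severity": severity, "reasons": reasons}


def scan(events):
    """Classify every event and keep only the findings."""
    return [f for f in (classify(e) for e in events) if f]


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"pid {f['pid']} [{f['severity']}]: " + "; ".join(f["reasons"]))
```

The hidden-answer dialog alone rates only medium because legitimate admin scripts use it too; the password wording and a parent living under /Volumes/ are what lift a finding to high, and a plain `ls` of the keychain directory from a user shell is ignored. In a real deployment this would be fed from your EDR's process events and extended with the browser-profile and wallet paths the stealer reads.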

🔒 MacPaw's Moonlock Lab Reveals Deceptive Tactics

Moonlock Lab documented threat actors using malicious DMG files to deploy stealer malware, combining obfuscated scripts with phishing-style instructions that walk the victim past macOS's built-in protections. Disguised as harmless software, the malware preys on unsuspecting users, underlining the need for heightened vigilance.

🕵️ Evolving Threat Landscape

The parallel rise of the FakeBat loader and the Rhadamanthys stealer (both Windows threats pushed through the same malvertising playbook) underscores how the threat landscape is evolving, with campaigns piggybacking on searches for popular software. Threat actors are also employing anti-virtualization checks to evade analysis sandboxes.

🛑 Protecting Your macOS Environment

As macOS becomes a prime target, users should download software only from the vendor's own site rather than from an ad link, keep the OS and browsers updated, and treat any unexpected password prompt as suspect. Cautious browsing habits and a reputable security product remain essential defences against these insidious threats.

Stay informed, stay vigilant. Together, we can thwart the advances of cyber adversaries and safeguard our digital ecosystem.

🗞️ Extra, Extra! Read all about it!

Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!

  • 🛑 Tl;dr sec: Join 30,000+ security professionals getting the best tools, blog posts, talks, and resources right in their inbox for free every Thursday 📅

  • 💵 Crypto Pragmatist: Crypto made simple. Actionable alpha in 5 minutes, 3x a week. Join 47,000+ investors and insiders, for 🆓

  • 📈 Bitcoin Breakdown: The best in Bitcoin, carefully curated by an alien from the future 👾

Let us know what you think!

So long and thanks for reading all the phish!
