2024-08-06 – Florentine A
“Buy one get one free” usually means something is about to expire or a seller wants to clear unpopular stock. But every now and then, it means you caught two botnets for the price of one. In this case, we found one botnet that was back from the dead and busy feeding a second: a proxy network that had grown into a “one stop shop” for all kinds of criminal activity. In this talk, we show our discovery of the "TheMoon" botnet and how it led us to identify "Faceless," a network gaining over 7,000 new users every week. This talk is for ordinary netizens and defenders of all stripes; it is seasoned with some skill and intuitive detective work, plus some interesting hurdles for reverse engineers. We’ll use detailed images and breakdowns to walk listeners through the basics of botnets, proxies, and why your router is the problem. And then we’ll show you what happens when the dead don’t die!
Small Office/Home Office (SOHO) routers and IoT devices like wireless cameras are becoming prime real estate for bot farmers. The problem gets worse when those devices reach the end of their supported life from the manufacturer: at some point, while the product still meets the user’s needs, it simply can’t be protected. And as we will show in this talk, EoL devices are tracked and on the hit list for savvy attackers. Beginning in the fall of 2023, Black Lotus Labs began tracking the resurgence of a SOHO-based botnet known as TheMoon, whose malware has been around since 2014. Into 2024, the network grew to over 40,000 bots, communicating with tens of thousands of distinct IP addresses per week. Their choice of victim device makes and models is essentially anything at end-of-life that they can reach, with bots found in over 88 countries, the vast majority in the U.S. We will use images and graphics to describe the infection process, the passing of bots between the two networks, and the activities of Faceless and its users. Finally, we’ll talk about our interdiction and the aftermath.
Intro – 5 Minutes
– Who we are
– Lumen overview
– How we got here
Orientation – 5 Minutes
– Botnet overview
– Proxy botnets and criminal services overview
– Finding botnet-like activity
– Reversing malware
– Null-route/interdiction
TheMoon – 10 Minutes
– TheMoon overview
– Tracking TheMoon
– TheMoon binary analysis
Faceless – 10 Minutes
– Link to criminal proxy service known as Faceless
– Overlap on how TheMoon is the primary provider of bots for Faceless
– Faceless binary analysis
Faceless service – 5 Minutes
– Geographical distributions of Faceless proxy service users
Disrupting TheMoon – 5 Minutes
– How Lumen disrupts botnets
– What worked
– What didn’t work
– How we can improve next time
Review/Close/Thank You – 5 Minutes
– Conclusions
– Where people can find more information
– Thanks/Kudos to previous researchers
– Questions?
Steve "crudd" Rudd is a Senior Lead Information Security Engineer at Lumen Technologies responsible for reverse engineering malware samples across a wide variety of architectures and operating systems from a broad range of threats, including cybercriminals, ransomware operators and APTs. In addition to reversing network protocols and gleaning IoCs from custom loaders and implants to aid in investigations, Steve develops the automated threat validation capabilities of Black Lotus Labs through bot emulation and C2 validation to track and disrupt threats at scale. A self-taught practitioner, Steve is passionate about understanding how things work and digging into low-level assembly, operating system internals and network protocols. He is rumored to have been used by EA Sports as the character for their 1987 skateboarding game for the Commodore 64. Uncredited, of course.
Chris Formosa is a Lead Information Security Engineer at Black Lotus Labs, the threat research team at Lumen Technologies. Chris discovers and tracks malicious botnet activity, mapping the infrastructure crimeware families use to operate. His work prior to Lumen Technologies involved uncovering and stopping fraud rings in the financial space. He has a background in data science and a master’s in computer science from Georgia Tech. When Chris isn’t by his computer, he is searching for his first beach volleyball tournament win.