FBI Warns Of TheMoon Malware Exploiting EOL Routers

The Federal Bureau of Investigation (FBI) has issued a warning about the TheMoon malware. The warning also stresses the dramatic uptick in cyberattacks targeting aging internet routers, especially those deemed “End of Life” (EOL). These vulnerable routers, no longer supported by manufacturers with software or security updates, have become the latest focus of threat actors exploiting them with a new strain of TheMoon malware. 

According to the FBI, cybercriminals have set their sights on vulnerable routers that are no longer being updated or supported by manufacturers. Devices made in 2010 or earlier are especially at risk, as they likely haven’t received firmware or security updates for years.

The alert noted an increase in attacks using the malware, specifically targeting routers with remote administration features left enabled. 

“End of Life routers were breached by cyber actors using variants of TheMoon malware,” the FBI confirmed. “Recently, some routers at end of life, with remote administration turned on, were identified as compromised by a new variant of TheMoon malware.” 

What is TheMoon Malware? 

Originally detected in 2014, TheMoon malware is a sophisticated piece of code that infects routers without needing a password. It scans for open ports and targets vulnerable scripts. Once inside, it connects with a command and control (C2) server, which then issues further instructions, often directing the infected device to search for more routers to infect, thereby expanding the malware’s reach. 

The malware’s primary function is to establish proxy networks using infected devices. These networks are then used to mask criminal activity on the internet, making it difficult to trace the source of illegal operations. 

How Proxy Services Exploit Vulnerable Routers 

A proxy server acts as a gateway between users and the Internet. In the hands of cybercriminals, these proxies are used to hide the origin of illicit online actions. When a criminal accesses a website through an infected router, the site logs the IP address of the proxy, not the attacker, making investigation and enforcement much harder. 

This setup allows threat actors to engage in a range of illegal activities, from stealing cryptocurrencies to accessing prohibited services, while evading detection. 

FBI’s Recommendations for Protection

To counter these threats, the FBI offers several recommendations for individuals and organizations: 

• Replace outdated hardware: If your router is considered End of Life, upgrade to a newer, supported model. 
• Apply updates immediately: Install any available firmware or security patches from the manufacturer. 
• Disable remote administration: Log into your router settings, turn off remote management, save changes, and reboot the device. 
• Use strong, unique passwords: Create secure passwords between 16 and 64 characters, and avoid reusing them across platforms. 
• Monitor for suspicious activity: Signs of infection include overheating, poor connectivity, or unexpected configuration changes. 

Conclusion  

Suppose you suspect your device has been compromised or exploited by a proxy network. In that case, the FBI urges you to report the incident to the Internet Crime Complaint Center (IC3) with as much detail as possible, including the date, time, nature of the activity, affected users, and the device involved.

It’s critical to act quickly by contacting your service providers, changing all passwords, enabling two-factor authentication, and setting up alerts for suspicious login attempts or transactions. The FBI’s alert I-050725-PSA is a timely reminder that vulnerable routers, especially end-of-life routers, pose serious cybersecurity risks.  

Related