Cybersecurity researchers are warning of a surge in malicious activity that ropes vulnerable D-Link routers into two different botnets: a Mirai variant named FICORA and a Kaiten (aka Tsunami) variant called CAPSAICIN.
“These botnets are often propagated through documented D-Link vulnerabilities that allow remote attackers to execute malicious commands via the GetDeviceSettings action in the HNAP (Home Network Administration Protocol) interface,” Vincent Lee, a researcher at Fortinet FortiGuard Labs, said in an analysis published Thursday.
“This HNAP flaw was first discovered nearly a decade ago when numerous devices were affected by various CVE numbers, including CVE-2015-2051, CVE-2019-10891, CVE-2022-37056 and CVE-2024-33112.”
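The practical defensive question raised by the quoted passage is how to tell from a router's or reverse proxy's own web logs whether HNAP is reachable from outside and whether anyone is probing GetDeviceSettings with shell metacharacters. The following Python triage script is an added example, not code from the Fortinet analysis. It assumes a custom log format in which the request's SOAPAction header value is appended to the standard combined log line as a final quoted field (that field is where HNAP carries the action name); the sample lines are constructed, with RFC 5737 documentation addresses standing in for outside sources.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample log lines (not taken from the FortiGuard report). Assumed format:
# combined log + the SOAPAction header value as the last quoted field.
SAMPLE_LOG = """\
192.168.0.5 - - [21/Oct/2024:03:13:58 +0000] "POST /HNAP1/ HTTP/1.1" 200 2048 "http://purenetworks.com/HNAP1/GetDeviceSettings"
203.0.113.7 - - [21/Oct/2024:03:14:07 +0000] "POST /HNAP1/ HTTP/1.1" 200 512 "http://purenetworks.com/HNAP1/GetDeviceSettings"
198.51.100.9 - - [21/Oct/2024:03:14:09 +0000] "POST /HNAP1/ HTTP/1.1" 500 0 "http://purenetworks.com/HNAP1/GetDeviceSettings/`id`"
198.51.100.9 - - [21/Oct/2024:03:14:11 +0000] "POST /HNAP1/ HTTP/1.1" 500 0 "http://purenetworks.com/HNAP1/GetDeviceSettings/;id"
192.168.0.5 - - [21/Oct/2024:03:15:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-"
"""

# One combined-log line with the trailing SOAPAction field.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<soap>[^"]*)"$'
)

# Shell metacharacters that never belong inside a legitimate HNAP action URI.
SHELL_META_RE = re.compile(r'[;|&`<>]|\$\(')

# RFC 1918 ranges; anything else is treated as the WAN side of the router.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_line(line):
    """Split one log line into its fields, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_internal(addr):
    """True when the source address sits in an RFC 1918 range."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in RFC1918)


def classify(rec):
    """Label one parsed record, or return None when it needs no attention."""
    if not rec["path"].startswith("/HNAP1"):
        return None
    # Highest priority: a GetDeviceSettings action carrying shell metacharacters.
    if "GetDeviceSettings" in rec["soap"] and SHELL_META_RE.search(rec["soap"]):
        return "hnap-getdevicesettings-injection"
    # HNAP should never be reachable from the WAN at all.
    if not is_internal(rec["src"]):
        return "hnap-exposed-to-wan"
    return None


def scan(log_text):
    """Return a list of (source address, label) findings for the whole log."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        label = classify(rec)
        if label:
            findings.append((rec["src"], label))
    return findings


def summarize(findings):
    """Count findings per (source, label) so repeat probing stands out."""
    return Counter(findings)


if __name__ == "__main__":
    for (src, label), n in summarize(scan(SAMPLE_LOG)).items():
        print(f"{label:36} {src:16} x{n}")
```

The two labels map to the two mitigations the article implies: an "exposed-to-wan" hit means HNAP (and ideally the whole management interface) should be firewalled off from the WAN side regardless of firmware version, while an "injection" hit from any side means the device must be patched and checked for a running bot process.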
According to the cybersecurity company’s telemetry data, attacks involving FICORA have targeted various countries around the world, while attacks involving CAPSAICIN have primarily singled out East Asian territories such as Japan and Taiwan. CAPSAICIN activity is said to have been “intense” only between October 21 and 22, 2024.
FICORA botnet attacks deploy a downloader shell script (“multi”) from a remote server (“103.149.87(.)69”), which then fetches the main payload for each Linux architecture separately using the wget, ftpget, curl, and tftp commands.
The botnet malware includes a brute-force attack feature with a hard-coded list of usernames and passwords. The Mirai derivative also contains features for conducting distributed denial-of-service (DDoS) attacks using the UDP, TCP, and DNS protocols.
The downloader script (“bins.sh”) for CAPSAICIN uses a different IP address (“87.10.220(.)221”) and follows the same approach, fetching bot binaries for different Linux architectures to ensure maximum compatibility.
“The malware kills known botnet processes to ensure that it is the only botnet running on the victim host,” Lee said. CAPSAICIN then establishes a connection socket to its C2 server (“192.110.247(.)46”) and sends information about the affected host’s OS, along with the nickname assigned by the malware, back to the C2 server.
CAPSAICIN then waits to execute further commands on the compromised devices, including “PRIVMSG”, a command that can be used to perform various malicious operations such as:
- GETIP – Get the IP address from an interface
- CLEARHISTORY – Delete the command history
- FASTFLUX – Run a proxy to a port on a different IP to the interface
- RNDNICK – Randomize the victim host’s nickname
- NICK – Change the victim host’s nickname
- SERVER – Change the command-and-control server
- ENABLE – Enable the bot
- KILL – Kill the session
- GET – Download a file
- VERSION – Query the version of the victim host
- IRC – Forward a message to the server
- SH – Execute shell commands
- ISH – Interact with the victim host’s shell
- SHD – Execute a shell command and ignore signals
- INSTALL – Download and install a binary to “/var/bin”
- BASH – Execute commands using bash
- BINUPDATE – Update the binary in “/var/bin” via get
- BLOCK – Close the Telnet backdoor and run the malware instead
- HELP – Display help information about the malware
- STD – Flood attack with random hard-coded strings against the port and target specified by the attacker
- UNKNOWN – UDP flood attack with random characters against the port and target specified by the attacker
- HTTP – HTTP flood attack
- HOLD – TCP connection attack
- JUNK – TCP flood attack
- BLACKNURSE – BlackNurse attack, which is based on ICMP packet flooding
- DNS – DNS amplification attack
- KILLALL – Stop all DDoS attacks
- KILLMYEYEPEEUSINGHOIC – Kill the original malware
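Because CAPSAICIN, like its Kaiten/Tsunami ancestors, takes its orders as IRC PRIVMSG text, a network sensor that already decodes IRC can rank an infected host's traffic by what it is being told to do. The script below is an added example and not part of the Fortinet analysis: it parses PRIVMSG lines, recognises the command names from the list above, and groups them into categories of this example's own choosing (DDoS, shell access, binary update, bot control) so that a SOC can escalate a flood command differently from a VERSION query. The framing assumed here, an addressing token such as "!*" before the command, follows the common Kaiten convention and is an assumption, as are the sample C2 lines, which are constructed.

```python
import re
from collections import Counter

# Command names as listed in the write-up; the grouping into categories is this example's own.
COMMAND_CATEGORIES = {
    "ddos": {"STD", "UNKNOWN", "HTTP", "HOLD", "JUNK", "BLACKNURSE", "DNS"},
    "shell": {"SH", "ISH", "SHD", "BASH"},
    "update": {"GET", "INSTALL", "BINUPDATE", "BLOCK"},
    "control": {"GETIP", "CLEARHISTORY", "FASTFLUX", "RNDNICK", "NICK", "SERVER",
                "ENABLE", "KILL", "VERSION", "IRC", "HELP", "KILLALL",
                "KILLMYEYEPEEUSINGHOIC"},
}
COMMAND_TO_CATEGORY = {cmd: cat for cat, cmds in COMMAND_CATEGORIES.items() for cmd in cmds}

# ":<prefix> PRIVMSG <target> :<text>" (RFC 1459 framing; the prefix is optional).
PRIVMSG_RE = re.compile(r'^(?::(?P<prefix>\S+) )?PRIVMSG (?P<target>\S+) :(?P<text>.*)$')

# Constructed sample of what a sensor might see on the C2 channel (not real traffic).
SAMPLE_C2 = [
    ":op!op@c2.invalid PRIVMSG #bots :!* VERSION",
    ":op!op@c2.invalid PRIVMSG #bots :!* SERVER irc.example.invalid 6667",
    ":op!op@c2.invalid PRIVMSG #bots :!* SH uname -a",
    ":op!op@c2.invalid PRIVMSG #bots :!* HTTP 203.0.113.50",
    ":op!op@c2.invalid PRIVMSG #bots :!* KILLALL",
    "PING :irc.example.invalid",
    ":someone!u@h PRIVMSG #bots :hello everyone",
]


def parse_privmsg(line):
    """Return the command and arguments carried by one PRIVMSG line, or None."""
    m = PRIVMSG_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    tokens = m.group("text").split()
    # Assumed Kaiten-style addressing ("!*" or "!<nick>") precedes the command; skip it.
    if tokens and tokens[0].startswith("!"):
        tokens = tokens[1:]
    if not tokens:
        return None
    return {"prefix": m.group("prefix"), "target": m.group("target"),
            "command": tokens[0].upper(), "args": tokens[1:]}


def classify_command(cmd):
    """Map a bot command name to its category, or None if it is not a known command."""
    return COMMAND_TO_CATEGORY.get(cmd)


def triage(lines):
    """Return (category, command) for every line carrying a known bot command."""
    hits = []
    for line in lines:
        msg = parse_privmsg(line)
        if msg is None:
            continue
        cat = classify_command(msg["command"])
        if cat:
            hits.append((cat, msg["command"]))
    return hits


def summarize(hits):
    """Count hits per category so the dominant activity on the channel is visible."""
    return Counter(cat for cat, _ in hits)


if __name__ == "__main__":
    for cat, cmd in triage(SAMPLE_C2):
        print(f"{cat:8} {cmd}")
    print(dict(summarize(SAMPLE_C2 and triage(SAMPLE_C2))))
```

A single "ddos" or "shell" hit from a router's address is worth an immediate isolation ticket, whereas "control" traffic alone still confirms infection but tells the responder the bot is idle; either way the remediation the article calls for is the same: firmware update and, for end-of-life models, replacement.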
“Even though the flaws used in this attack were discovered and fixed nearly a decade ago, these attacks remain constantly active around the world,” Lee said. “It is critical for every enterprise to regularly update the core of their devices and maintain comprehensive monitoring.”