According to new findings from the Cato CTRL team, TP-Link Archer routers are the target of a new botnet campaign dubbed Ballista.
“The botnet exploits a remote code execution (RCE) vulnerability in TP-Link Archer routers (CVE-2023-1389) to spread itself automatically over the Internet,” the security researchers, including Mattlman, said in a technical report shared with The Hacker News.
CVE-2023-1389 is a high-severity security flaw affecting TP-Link Archer AX21 routers that can lead to command injection, which can then pave the way for remote code execution.
The earliest evidence of active exploitation of the flaw dates back to April 2023, when unidentified threat actors used it to deliver Mirai botnet malware. Since then, it has also been abused to distribute other malware families such as Convoy and AndroxGh0st.
Cato CTRL said it first detected the Ballista campaign on January 10, 2025. The most recent exploitation attempt was recorded on February 17.
The attack sequence involves a malware dropper, a shell script (“Dropb.sh”) designed to fetch and execute the main binary for various system architectures such as MIPS, MIPSEL, ARMv5l, ARMv7l and x86_64.
Once executed, the malware establishes an encrypted command-and-control (C2) channel on port 82 to take control of the device.
“This allows it to execute further shell commands and conduct denial-of-service (DoS) attacks,” the researchers said. “In addition, the malware attempts to read sensitive files on the local system.”
Some of the supported commands are listed below:
- flood, which launches a flood attack
- exploit, which exploits CVE-2023-1389
- start, an optional parameter used with exploit to start the module
- close, which stops the module's run function
- shell, which runs a Linux shell command on the local system
- killall, which is used to stop the service
In addition, the malware is able to terminate previous instances of itself and erase its own presence as soon as execution begins. It is also designed to spread to other routers by attempting to exploit the same flaw.
The location of the C2 IP address (2.237.57(.)70) and the presence of Italian-language strings in the malware binaries point to the involvement of an unknown Italian threat actor, the cybersecurity company said.
That said, the malware appears to be under active development, given that the IP address is no longer functional and that a new variant of the dropper uses Tor network domains instead of a hard-coded IP address.
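As an added example (not Cato CTRL's code or anything from the report), the following Python scans constructed flow and proxy log lines for the indicators named above: the C2 address, the port-82 channel and the dropper's file name. The two log formats are assumed, simplified ones; since the article notes the IP address is now defunct, the address match serves retrospective hunting rather than live blocking.

```python
import re
from typing import List, Optional, Tuple

# Indicators taken from the article (the IP is defanged there as 2.237.57(.)70;
# the dropper is written "Dropb.sh" and is compared case-insensitively here).
C2_IP = "2.237.57.70"
C2_PORT = 82
DROPPER_NAME = "dropb.sh"

# Constructed, simplified flow-log format: "<ts> <src_ip> -> <dst_ip>:<dst_port> <proto>"
FLOW_RE = re.compile(r"^(?P<ts>\S+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+) (?P<proto>\w+)$")
# Constructed, simplified proxy-log format: "<ts> <src_ip> <method> <url>"
PROXY_RE = re.compile(r"^(?P<ts>\S+) (?P<src>[\d.]+) (?P<method>[A-Z]+) (?P<url>\S+)$")

Hit = Tuple[str, str, str]  # (timestamp, source ip, reason)

def classify(line: str) -> Optional[Hit]:
    """Return a hit if the line matches a Ballista indicator, else None."""
    m = FLOW_RE.match(line.strip())
    if m:
        if m["dst"] == C2_IP:
            return (m["ts"], m["src"], "known Ballista C2 address")
        # Port 82 alone is a weak signal; it is flagged for triage, not as proof.
        if int(m["port"]) == C2_PORT and m["proto"].upper() == "TCP":
            return (m["ts"], m["src"], "TCP/82 to an external host (Ballista C2 port)")
        return None
    m = PROXY_RE.match(line.strip())
    if m and m["url"].rsplit("/", 1)[-1].lower() == DROPPER_NAME:
        return (m["ts"], m["src"], "fetch of Ballista dropper script name")
    return None

def scan(lines: List[str]) -> List[Hit]:
    """Run classify() over every line and collect the hits in order."""
    return [hit for hit in map(classify, lines) if hit is not None]

# Constructed sample log lines; 192.168.1.1 plays the role of the router.
SAMPLE_LOGS = [
    "2025-02-17T10:00:01Z 192.168.1.1 -> 2.237.57.70:82 TCP",
    "2025-02-17T10:00:05Z 192.168.1.1 -> 203.0.113.9:82 TCP",
    "2025-02-17T10:00:09Z 192.168.1.20 -> 93.184.216.34:443 TCP",
    "2025-02-17T10:01:00Z 192.168.1.1 GET http://203.0.113.9/dropb.sh",
    "2025-02-17T10:01:03Z 192.168.1.20 GET http://example.com/index.html",
]

if __name__ == "__main__":
    for ts, src, reason in scan(SAMPLE_LOGS):
        print(ts, src, reason)
```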
A search on an attack surface management platform shows more than 6,000 devices infected with Ballista. Infections are concentrated in Brazil, Poland, the United Kingdom, Bulgaria and Turkey.
The botnet has been found to target manufacturing, medical/healthcare, services and technology organizations in the US, Australia, China and Mexico.
“While this malware sample shares similarities with other botnets, it remains distinct from widely used botnets such as Mirai and Mozi,” the researchers said.