Cybersecurity researchers are warning about a spike in malicious activity that involves roping vulnerable D-Link routers into two different botnets, a Mirai variant dubbed FICORA and a Kaiten (aka Tsunami) variant called CAPSAICIN.
“These botnets are frequently spread through documented D-Link vulnerabilities that allow remote attackers to execute malicious commands via a GetDeviceSettings action on the HNAP (Home Network Administration Protocol) interface,” Fortinet FortiGuard Labs researcher Vincent Li said in a Thursday analysis.
“This HNAP weakness was first exposed almost a decade ago, with numerous devices affected by a variety of CVE numbers, including CVE-2015-2051, CVE-2019-10891, CVE-2022-37056, and CVE-2024-33112.”
According to the cybersecurity company’s telemetry data, attacks involving FICORA have targeted various countries globally, whereas those related to CAPSAICIN primarily singled out East Asian territories like Japan and Taiwan. The CAPSAICIN activity is also said to have been “intensely” active only between October 21 and 22, 2024.
FICORA botnet attacks lead to the deployment of a downloader shell script (“multi”) from a remote server (“103.149.87[.]69”), which then proceeds to download the main payload for different Linux architectures separately using wget, ftpget, curl, and tftp commands.
Present within the botnet malware is a brute-force attack function containing a hard-coded list of usernames and passwords. The Mirai derivative also packs in features to conduct distributed denial-of-service (DDoS) attacks using UDP, TCP, and DNS protocols.
The downloader script (“bins.sh”) for CAPSAICIN leverages a different IP address (“87.10.220[.]221”), and follows the same approach to fetch the botnet for various Linux architectures to ensure maximum compatibility.
“The malware kills known botnet processes to ensure it is the only botnet executing on the victim host,” Li said. “‘CAPSAICIN’ establishes a connection socket with its C2 server, ‘192.110.247[.]46,’ and sends the victim host’s OS information and the nickname given by the malware back to the C2 server.”
CAPSAICIN then awaits for further commands to be executed on the compromised devices, including “PRIVMSG,” a command that could be used to perform various malicious operations such as follows –
- GETIP – Get the IP address from an interface
- CLEARHISTORY – Remove command history
- FASTFLUX – Start a proxy to a port on another IP to an interface
- RNDNICK – Randomize the victim hosts’ nickname
- NICK – Change the nickname of the victim host
- SERVER – Change command-and-control server
- ENABLE – Enable the bot
- KILL – Kill the session
- GET – Download a file
- VERSION – Requests version of the victim host
- IRC – Forward a message to the server
- SH – Execute shell commands
- ISH – Interact with victim host’s shell
- SHD – Execute shell command and ignore signals
- INSTALL – Download and install a binary to “/var/bin”
- BASH – Execute commands using bash
- BINUPDATE – Update a binary to “/var/bin” via get
- LOCKUP – Kill Telnet backdoor and execute the malware instead
- HELP – Display help information about the malware
- STD – Flooding attack with random hard-coded strings for the port number and target specified by the attacker
- UNKNOWN – UDP flooding attack with random characters for the port number and target specified by the attacker
- HTTP – HTTP flooding attack.
- HOLD – TCP connection flooding attack.
- JUNK – TCP flooding attack.
- BLACKNURSE – BlackNurse attack, which is based on the ICMP packet flooding attack
- DNS – DNS amplification flooding attack
- KILLALL – Stop all DDoS attacks
- KILLMYEYEPEEUSINGHOIC – Terminate the original malware
“Although the weaknesses exploited in this attack had been exposed and patched nearly a decade ago, these attacks have remained continuously active worldwide,” Li said. “It is crucial for every enterprise to regularly update the kernel of their devices and maintain comprehensive monitoring.”
