DigiEver IoT Devices Exploited To Deliver Mirai-based Malware

Share:

A new Mirai-based botnet, “Hail Cock Botnet,” has been exploiting vulnerable IoT devices, including DigiEver DVRs and TP-Link devices with CVE-2023-1389.

The botnet, active since September 2024, leverages a variant of Mirai malware with enhanced encryption.

A recent uptick in attacks targeting the URI /cgi-bin/cgi_main.cgi, exploiting an RCE vulnerability in DigiEver DS-2105 Pro devices, aligns with this campaign. While the vulnerability lacks a CVE, it was previously disclosed by Ta-Lun Yen of TXOne Research.

The researcher identified vulnerable DigiEver DVRs exposed online and by analyzing the firmware, they discovered the `/cgi-bin/cgi_main.cgi` endpoint.

Exploiting this endpoint, they successfully executed arbitrary code on the vulnerable devices, potentially enabling remote control or data theft.

<img class="i-amphtml-intrinsic-sizer" style="box-sizing: border-box; margin: 0px; padding: 0px; border: 0px; outline: 0px; font-size: 18px; vertical-align: baseline; background: transparent; max-width: 100%; display: block !important;" role="presentation" src="data:;base64,” alt=”” aria-hidden=”true” />
Endpoint with suspected vulnerability

It was discovered targeting devices with known vulnerabilities and exploiting command injection flaws in DigiEver routers (/cfg_system_time.htm ntp parameter), TP-Link routers (/cgi-bin/luci;stok=/locale endpoint), and Tenda HG6 routers (/boaform/admin/formTracert).

2024 MITRE ATT&CK Evaluation Results for SMEs & MSPs -> Download Free Guide

The botnet injects commands to download malicious scripts from remote servers, which then fetch and execute Mirai-based malware, where the attackers also target other vulnerabilities like CVE-2018-17532 using similar techniques.

<img class="i-amphtml-intrinsic-sizer" style="box-sizing: border-box; margin: 0px; padding: 0px; border: 0px; outline: 0px; font-size: 18px; vertical-align: baseline; background: transparent; max-width: 100%; display: block !important;" role="presentation" src="data:;base64,” alt=”” aria-hidden=”true” />Contents of the “b.sh” shell script
Contents of the “b.sh” shell script

The Mirai-based malware samples analyzed employed a sophisticated multi-layer encryption scheme, combining XOR and ChaCha20 algorithms, which, while not entirely novel, demonstrates a clear evolution in the tactics of botnet operators.

It’s ability to decrypt critical strings, such as botnet affiliation messages and default device credentials, highlights the increasing complexity of these threats and by leveraging advanced cryptographic methods, the malware aims to evade detection and hinder analysis efforts, thereby expanding its reach and impact.

<img class="i-amphtml-intrinsic-sizer" style="box-sizing: border-box; margin: 0px; padding: 0px; border: 0px; outline: 0px; font-size: 18px; vertical-align: baseline; background: transparent; max-width: 100%; display: block !important;" role="presentation" src="data:;base64,” alt=”” aria-hidden=”true” />
Decrypting with Salsa20 and ChaCha20

Akamai analyzed malware samples in a sandbox environment and observed persistence mechanisms, where the malware creates a cron job to download a shell script named “wget.sh” from “hailcocks.ru” and executes it, which likely establishes communication with the botnet’s C2 server at “kingstonwikkerink.dyn.”

The malware also leaves a fingerprint in the console, with older versions announcing its affiliation to “hail cock botnet” and newer ones displaying a seemingly harmless message, “I just wanna look after my cats, man.”.

<img class="i-amphtml-intrinsic-sizer" style="box-sizing: border-box; margin: 0px; padding: 0px; border: 0px; outline: 0px; font-size: 18px; vertical-align: baseline; background: transparent; max-width: 100%; display: block !important;" role="presentation" src="data:;base64,” alt=”” aria-hidden=”true” />Newer malware console output message

As evidenced by the recent operation of the Hail Cock botnet, cybercriminals create botnets by utilizing obsolete hardware and firmware, where devices like the 10-year-old DigiEver DS-2105 Pro, lacking manufacturer support for security patches, are prime targets.

To mitigate risks, users should upgrade vulnerable devices to newer, more secure models, especially when manufacturers cease providing updates.

Source

Leave a Comment

Your email address will not be published. Required fields are marked *

loader-image
London, GB
11:18 am, Apr 2, 2025
weather icon 14°C
L: 13° | H: 14°
clear sky
Humidity: 55 %
Pressure: 1022 mb
Wind: 14 mph ESE
Wind Gust: 23 mph
UV Index: 0
Precipitation: 0 mm
Clouds: 0%
Rain Chance: 0%
Visibility: 10 km
Sunrise: 6:33 am
Sunset: 7:34 pm
DailyHourly
Daily ForecastHourly Forecast
Today 10:00 pm
weather icon
13° | 14°°C 0 mm 0% 16 mph 68 % 1022 mb 0 mm/h
Tomorrow 10:00 pm
weather icon
9° | 16°°C 0 mm 0% 11 mph 85 % 1022 mb 0 mm/h
Fri Apr 04 10:00 pm
weather icon
10° | 18°°C 0 mm 0% 14 mph 82 % 1022 mb 0 mm/h
Sat Apr 05 10:00 pm
weather icon
6° | 17°°C 0 mm 0% 12 mph 79 % 1022 mb 0 mm/h
Sun Apr 06 10:00 pm
weather icon
7° | 14°°C 0 mm 0% 12 mph 76 % 1025 mb 0 mm/h
Today 1:00 pm
weather icon
14° | 14°°C 0 mm 0% 15 mph 54 % 1022 mb 0 mm/h
Today 4:00 pm
weather icon
15° | 15°°C 0 mm 0% 16 mph 54 % 1021 mb 0 mm/h
Today 7:00 pm
weather icon
13° | 13°°C 0 mm 0% 12 mph 61 % 1020 mb 0 mm/h
Today 10:00 pm
weather icon
10° | 10°°C 0 mm 0% 11 mph 68 % 1021 mb 0 mm/h
Tomorrow 1:00 am
weather icon
10° | 10°°C 0 mm 0% 10 mph 75 % 1021 mb 0 mm/h
Tomorrow 4:00 am
weather icon
9° | 9°°C 0 mm 0% 9 mph 80 % 1020 mb 0 mm/h
Tomorrow 7:00 am
weather icon
9° | 9°°C 0 mm 0% 9 mph 85 % 1020 mb 0 mm/h
Tomorrow 10:00 am
weather icon
12° | 12°°C 0 mm 0% 11 mph 63 % 1020 mb 0 mm/h
Name Price24H (%)
Bitcoin(BTC)
€78,894.09
0.84%
Ethereum(ETH)
€1,743.81
-0.08%
Tether(USDT)
€0.93
0.00%
XRP(XRP)
€1.96
-2.74%
Solana(SOL)
€116.77
-2.26%
USDC(USDC)
€0.93
0.00%
Dogecoin(DOGE)
€0.159714
-0.42%
Shiba Inu(SHIB)
€0.000011
-3.87%
Pepe(PEPE)
€0.000006
-3.07%
Scroll to Top