A new Mirai-based botnet, “Hail Cock Botnet,” has been exploiting vulnerable IoT devices, including DigiEver DVRs and TP-Link devices with CVE-2023-1389.
The botnet, active since September 2024, leverages a variant of Mirai malware with enhanced encryption.
A recent uptick in attacks targeting the URI /cgi-bin/cgi_main.cgi, exploiting an RCE vulnerability in DigiEver DS-2105 Pro devices, aligns with this campaign. While the vulnerability lacks a CVE, it was previously disclosed by Ta-Lun Yen of TXOne Research.
The researcher identified vulnerable DigiEver DVRs exposed online and by analyzing the firmware, they discovered the `/cgi-bin/cgi_main.cgi` endpoint.
Exploiting this endpoint, they successfully executed arbitrary code on the vulnerable devices, potentially enabling remote control or data theft.
It was discovered targeting devices with known vulnerabilities and exploiting command injection flaws in DigiEver routers (/cfg_system_time.htm ntp parameter), TP-Link routers (/cgi-bin/luci;stok=/locale endpoint), and Tenda HG6 routers (/boaform/admin/formTracert).
2024 MITRE ATT&CK Evaluation Results for SMEs & MSPs -> Download Free Guide
The botnet injects commands to download malicious scripts from remote servers, which then fetch and execute Mirai-based malware, where the attackers also target other vulnerabilities like CVE-2018-17532 using similar techniques.
The Mirai-based malware samples analyzed employed a sophisticated multi-layer encryption scheme, combining XOR and ChaCha20 algorithms, which, while not entirely novel, demonstrates a clear evolution in the tactics of botnet operators.
It’s ability to decrypt critical strings, such as botnet affiliation messages and default device credentials, highlights the increasing complexity of these threats and by leveraging advanced cryptographic methods, the malware aims to evade detection and hinder analysis efforts, thereby expanding its reach and impact.
Akamai analyzed malware samples in a sandbox environment and observed persistence mechanisms, where the malware creates a cron job to download a shell script named “wget.sh” from “hailcocks.ru” and executes it, which likely establishes communication with the botnet’s C2 server at “kingstonwikkerink.dyn.”
The malware also leaves a fingerprint in the console, with older versions announcing its affiliation to “hail cock botnet” and newer ones displaying a seemingly harmless message, “I just wanna look after my cats, man.”.
As evidenced by the recent operation of the Hail Cock botnet, cybercriminals create botnets by utilizing obsolete hardware and firmware, where devices like the 10-year-old DigiEver DS-2105 Pro, lacking manufacturer support for security patches, are prime targets.
To mitigate risks, users should upgrade vulnerable devices to newer, more secure models, especially when manufacturers cease providing updates.
