DigiEver IoT Devices Exploited To Deliver Mirai-based Malware

Share:

A new Mirai-based botnet, “Hail Cock Botnet,” has been exploiting vulnerable IoT devices, including DigiEver DVRs and TP-Link devices with CVE-2023-1389.

The botnet, active since September 2024, leverages a variant of Mirai malware with enhanced encryption.

A recent uptick in attacks targeting the URI /cgi-bin/cgi_main.cgi, exploiting an RCE vulnerability in DigiEver DS-2105 Pro devices, aligns with this campaign. While the vulnerability lacks a CVE, it was previously disclosed by Ta-Lun Yen of TXOne Research.

The researcher identified vulnerable DigiEver DVRs exposed online and by analyzing the firmware, they discovered the `/cgi-bin/cgi_main.cgi` endpoint.

Exploiting this endpoint, they successfully executed arbitrary code on the vulnerable devices, potentially enabling remote control or data theft.

<img class="i-amphtml-intrinsic-sizer" style="box-sizing: border-box; margin: 0px; padding: 0px; border: 0px; outline: 0px; font-size: 18px; vertical-align: baseline; background: transparent; max-width: 100%; display: block !important;" role="presentation" src="data:;base64,” alt=”” aria-hidden=”true” />
Endpoint with suspected vulnerability

It was discovered targeting devices with known vulnerabilities and exploiting command injection flaws in DigiEver routers (/cfg_system_time.htm ntp parameter), TP-Link routers (/cgi-bin/luci;stok=/locale endpoint), and Tenda HG6 routers (/boaform/admin/formTracert).

2024 MITRE ATT&CK Evaluation Results for SMEs & MSPs -> Download Free Guide

The botnet injects commands to download malicious scripts from remote servers, which then fetch and execute Mirai-based malware, where the attackers also target other vulnerabilities like CVE-2018-17532 using similar techniques.

<img class="i-amphtml-intrinsic-sizer" style="box-sizing: border-box; margin: 0px; padding: 0px; border: 0px; outline: 0px; font-size: 18px; vertical-align: baseline; background: transparent; max-width: 100%; display: block !important;" role="presentation" src="data:;base64,” alt=”” aria-hidden=”true” />Contents of the “b.sh” shell script
Contents of the “b.sh” shell script

The Mirai-based malware samples analyzed employed a sophisticated multi-layer encryption scheme, combining XOR and ChaCha20 algorithms, which, while not entirely novel, demonstrates a clear evolution in the tactics of botnet operators.

It’s ability to decrypt critical strings, such as botnet affiliation messages and default device credentials, highlights the increasing complexity of these threats and by leveraging advanced cryptographic methods, the malware aims to evade detection and hinder analysis efforts, thereby expanding its reach and impact.

<img class="i-amphtml-intrinsic-sizer" style="box-sizing: border-box; margin: 0px; padding: 0px; border: 0px; outline: 0px; font-size: 18px; vertical-align: baseline; background: transparent; max-width: 100%; display: block !important;" role="presentation" src="data:;base64,” alt=”” aria-hidden=”true” />
Decrypting with Salsa20 and ChaCha20

Akamai analyzed malware samples in a sandbox environment and observed persistence mechanisms, where the malware creates a cron job to download a shell script named “wget.sh” from “hailcocks.ru” and executes it, which likely establishes communication with the botnet’s C2 server at “kingstonwikkerink.dyn.”

The malware also leaves a fingerprint in the console, with older versions announcing its affiliation to “hail cock botnet” and newer ones displaying a seemingly harmless message, “I just wanna look after my cats, man.”.

<img class="i-amphtml-intrinsic-sizer" style="box-sizing: border-box; margin: 0px; padding: 0px; border: 0px; outline: 0px; font-size: 18px; vertical-align: baseline; background: transparent; max-width: 100%; display: block !important;" role="presentation" src="data:;base64,” alt=”” aria-hidden=”true” />Newer malware console output message

As evidenced by the recent operation of the Hail Cock botnet, cybercriminals create botnets by utilizing obsolete hardware and firmware, where devices like the 10-year-old DigiEver DS-2105 Pro, lacking manufacturer support for security patches, are prime targets.

To mitigate risks, users should upgrade vulnerable devices to newer, more secure models, especially when manufacturers cease providing updates.

Source

Leave a Comment

Your email address will not be published. Required fields are marked *

loader-image
London, GB
8:46 am, Feb 11, 2025
weather icon 3°C
L: 3° | H: 4°
overcast clouds
Humidity: 93 %
Pressure: 1018 mb
Wind: 5 mph NW
Wind Gust: 0 mph
UV Index: 0
Precipitation: 0 mm
Clouds: 100%
Rain Chance: 0%
Visibility: 6 km
Sunrise: 7:21 am
Sunset: 5:07 pm
DailyHourly
Daily ForecastHourly Forecast
Today 9:00 pm
weather icon
3° | 4°°C 0.2 mm 20% 4 mph 95 % 1018 mb 0 mm/h
Tomorrow 9:00 pm
weather icon
2° | 7°°C 0 mm 0% 5 mph 96 % 1021 mb 0 mm/h
Thu Feb 13 9:00 pm
weather icon
3° | 7°°C 0 mm 0% 9 mph 77 % 1025 mb 0 mm/h
Fri Feb 14 9:00 pm
weather icon
2° | 6°°C 0 mm 0% 8 mph 78 % 1026 mb 0 mm/h
Sat Feb 15 9:00 pm
weather icon
1° | 5°°C 0 mm 0% 9 mph 75 % 1026 mb 0 mm/h
Today 9:00 am
weather icon
3° | 3°°C 0.2 mm 20% 4 mph 93 % 1018 mb 0 mm/h
Today 12:00 pm
weather icon
3° | 3°°C 0 mm 0% 4 mph 95 % 1018 mb 0 mm/h
Today 3:00 pm
weather icon
4° | 4°°C 0 mm 0% 4 mph 88 % 1017 mb 0 mm/h
Today 6:00 pm
weather icon
4° | 4°°C 0 mm 0% 3 mph 86 % 1018 mb 0 mm/h
Today 9:00 pm
weather icon
4° | 4°°C 0 mm 0% 3 mph 84 % 1018 mb 0 mm/h
Tomorrow 12:00 am
weather icon
4° | 4°°C 0 mm 0% 2 mph 88 % 1019 mb 0 mm/h
Tomorrow 3:00 am
weather icon
3° | 3°°C 0 mm 0% 3 mph 92 % 1018 mb 0 mm/h
Tomorrow 6:00 am
weather icon
2° | 2°°C 0 mm 0% 3 mph 96 % 1018 mb 0 mm/h
Name Price24H (%)
Bitcoin(BTC)
€95,362.80
0.48%
Ethereum(ETH)
€2,636.02
2.70%
XRP(XRP)
€2.44
3.25%
Tether(USDT)
€0.97
-0.01%
Solana(SOL)
€199.42
0.57%
USDC(USDC)
€0.97
0.00%
Dogecoin(DOGE)
€0.258930
5.69%
Shiba Inu(SHIB)
€0.000016
2.52%
Pepe(PEPE)
€0.000010
9.25%
Scroll to Top