FICORA and Kaiten Botnets Exploit Old D-Link Vulnerabilities for Global Attacks

Share:

Cybersecurity researchers are warning about a spike in malicious activity that involves roping vulnerable D-Link routers into two different botnets, a Mirai variant dubbed FICORA and a Kaiten (aka Tsunami) variant called CAPSAICIN.

“These botnets are frequently spread through documented D-Link vulnerabilities that allow remote attackers to execute malicious commands via a GetDeviceSettings action on the HNAP (Home Network Administration Protocol) interface,” Fortinet FortiGuard Labs researcher Vincent Li said in a Thursday analysis.

“This HNAP weakness was first exposed almost a decade ago, with numerous devices affected by a variety of CVE numbers, including CVE-2015-2051, CVE-2019-10891, CVE-2022-37056, and CVE-2024-33112.”

According to the cybersecurity company’s telemetry data, attacks involving FICORA have targeted various countries globally, whereas those related to CAPSAICIN primarily singled out East Asian territories like Japan and Taiwan. The CAPSAICIN activity is also said to have been “intensely” active only between October 21 and 22, 2024.

FICORA botnet attacks lead to the deployment of a downloader shell script (“multi”) from a remote server (“103.149.87[.]69”), which then proceeds to download the main payload for different Linux architectures separately using wget, ftpget, curl, and tftp commands.

Present within the botnet malware is a brute-force attack function containing a hard-coded list of usernames and passwords. The Mirai derivative also packs in features to conduct distributed denial-of-service (DDoS) attacks using UDP, TCP, and DNS protocols.

The downloader script (“bins.sh”) for CAPSAICIN leverages a different IP address (“87.10.220[.]221”), and follows the same approach to fetch the botnet for various Linux architectures to ensure maximum compatibility.

“The malware kills known botnet processes to ensure it is the only botnet executing on the victim host,” Li said. “‘CAPSAICIN’ establishes a connection socket with its C2 server, ‘192.110.247[.]46,’ and sends the victim host’s OS information and the nickname given by the malware back to the C2 server.”

CAPSAICIN then awaits for further commands to be executed on the compromised devices, including “PRIVMSG,” a command that could be used to perform various malicious operations such as follows –

  • GETIP – Get the IP address from an interface
  • CLEARHISTORY – Remove command history
  • FASTFLUX – Start a proxy to a port on another IP to an interface
  • RNDNICK – Randomize the victim hosts’ nickname
  • NICK – Change the nickname of the victim host
  • SERVER – Change command-and-control server
  • ENABLE – Enable the bot
  • KILL – Kill the session
  • GET – Download a file
  • VERSION – Requests version of the victim host
  • IRC – Forward a message to the server
  • SH – Execute shell commands
  • ISH – Interact with victim host’s shell
  • SHD – Execute shell command and ignore signals
  • INSTALL – Download and install a binary to “/var/bin”
  • BASH – Execute commands using bash
  • BINUPDATE – Update a binary to “/var/bin” via get
  • LOCKUP – Kill Telnet backdoor and execute the malware instead
  • HELP – Display help information about the malware
  • STD – Flooding attack with random hard-coded strings for the port number and target specified by the attacker
  • UNKNOWN – UDP flooding attack with random characters for the port number and target specified by the attacker
  • HTTP – HTTP flooding attack.
  • HOLD – TCP connection flooding attack.
  • JUNK – TCP flooding attack.
  • BLACKNURSE – BlackNurse attack, which is based on the ICMP packet flooding attack
  • DNS – DNS amplification flooding attack
  • KILLALL – Stop all DDoS attacks
  • KILLMYEYEPEEUSINGHOIC – Terminate the original malware

“Although the weaknesses exploited in this attack had been exposed and patched nearly a decade ago, these attacks have remained continuously active worldwide,” Li said. “It is crucial for every enterprise to regularly update the kernel of their devices and maintain comprehensive monitoring.”

Source

Leave a Comment

Your email address will not be published. Required fields are marked *

loader-image
London, GB
11:10 am, Jul 11, 2025
weather icon 28°C
L: 26° | H: 30°
few clouds
Humidity: 45 %
Pressure: 1021 mb
Wind: 2 mph NNW
Wind Gust: 3 mph
UV Index: 0
Precipitation: 0 mm
Clouds: 13%
Rain Chance: 0%
Visibility: 10 km
Sunrise: 4:56 am
Sunset: 9:15 pm
DailyHourly
Daily ForecastHourly Forecast
Today 10:00 pm
weather icon
26° | 30°°C 0 mm 0% 8 mph 47 % 1021 mb 0 mm/h
Tomorrow 10:00 pm
weather icon
18° | 30°°C 0 mm 0% 9 mph 65 % 1018 mb 0 mm/h
Sun Jul 13 10:00 pm
weather icon
17° | 27°°C 0 mm 0% 7 mph 73 % 1014 mb 0 mm/h
Mon Jul 14 10:00 pm
weather icon
20° | 29°°C 0 mm 0% 14 mph 71 % 1017 mb 0 mm/h
Tue Jul 15 10:00 pm
weather icon
15° | 27°°C 0 mm 0% 13 mph 71 % 1021 mb 0 mm/h
Today 1:00 pm
weather icon
29° | 29°°C 0 mm 0% 3 mph 42 % 1021 mb 0 mm/h
Today 4:00 pm
weather icon
30° | 31°°C 0 mm 0% 5 mph 31 % 1019 mb 0 mm/h
Today 7:00 pm
weather icon
28° | 28°°C 0 mm 0% 5 mph 28 % 1017 mb 0 mm/h
Today 10:00 pm
weather icon
22° | 22°°C 0 mm 0% 8 mph 47 % 1019 mb 0 mm/h
Tomorrow 1:00 am
weather icon
18° | 18°°C 0 mm 0% 4 mph 55 % 1018 mb 0 mm/h
Tomorrow 4:00 am
weather icon
19° | 19°°C 0 mm 0% 4 mph 65 % 1018 mb 0 mm/h
Tomorrow 7:00 am
weather icon
19° | 19°°C 0 mm 0% 6 mph 64 % 1018 mb 0 mm/h
Tomorrow 10:00 am
weather icon
24° | 24°°C 0 mm 0% 6 mph 45 % 1017 mb 0 mm/h
Name Price24H (%)
Bitcoin(BTC)
€101,255.25
6.68%
Ethereum(ETH)
€2,579.67
8.69%
Tether(USDT)
€0.85
0.01%
XRP(XRP)
€2.23
6.97%
Solana(SOL)
€140.91
4.43%
USDC(USDC)
€0.85
0.00%
Dogecoin(DOGE)
€0.170131
9.79%
Shiba Inu(SHIB)
€0.000011
7.31%
Pepe(PEPE)
€0.000011
16.09%
Peanut the Squirrel(PNUT)
€0.246894
20.17%
Scroll to Top