CVE/vulnerability

DigiEver IoT Devices Exploited To Deliver Mirai-based Malware

A new Mirai-based botnet, “Hail Cock Botnet,” has been exploiting vulnerable IoT devices, including DigiEver DVRs and TP-Link devices with CVE-2023-1389.

The botnet, active since September 2024, leverages a variant of Mirai malware with enhanced encryption. 

A recent uptick in attacks targeting the URI /cgi-bin/cgi_main.cgi, exploiting an RCE vulnerability in DigiEver DS-2105 Pro devices, aligns with this campaign. While the vulnerability lacks a CVE, it was previously disclosed by Ta-Lun Yen of TXOne Research.

The researcher identified vulnerable DigiEver DVRs exposed online and by analyzing the firmware, they discovered the `/cgi-bin/cgi_main.cgi` endpoint.

Exploiting this endpoint, they successfully executed arbitrary code on the vulnerable devices, potentially enabling remote control or data theft.

Endpoint with suspected vulnerability

It was discovered targeting devices with known vulnerabilities and exploiting command injection flaws in DigiEver routers (/cfg_system_time.htm ntp parameter), TP-Link routers (/cgi-bin/luci;stok=/locale endpoint), and Tenda HG6 routers (/boaform/admin/formTracert). 

2024 MITRE ATT&CK Evaluation Results for SMEs & MSPs -> Download Free Guide

The botnet injects commands to download malicious scripts from remote servers, which then fetch and execute Mirai-based malware, where the attackers also target other vulnerabilities like CVE-2018-17532 using similar techniques.  

Contents of the “b.sh” shell script

The Mirai-based malware samples analyzed employed a sophisticated multi-layer encryption scheme, combining XOR and ChaCha20 algorithms, which, while not entirely novel, demonstrates a clear evolution in the tactics of botnet operators. 

It’s ability to decrypt critical strings, such as botnet affiliation messages and default device credentials, highlights the increasing complexity of these threats and by leveraging advanced cryptographic methods, the malware aims to evade detection and hinder analysis efforts, thereby expanding its reach and impact. 

Decrypting with Salsa20 and ChaCha20

Akamai analyzed malware samples in a sandbox environment and observed persistence mechanisms, where the malware creates a cron job to download a shell script named “wget.sh” from “hailcocks.ru” and executes it, which likely establishes communication with the botnet’s C2 server at “kingstonwikkerink.dyn.” 

The malware also leaves a fingerprint in the console, with older versions announcing its affiliation to “hail cock botnet” and newer ones displaying a seemingly harmless message, “I just wanna look after my cats, man.”. 

Newer malware console output message

As evidenced by the recent operation of the Hail Cock botnet, cybercriminals create botnets by utilizing obsolete hardware and firmware, where devices like the 10-year-old DigiEver DS-2105 Pro, lacking manufacturer support for security patches, are prime targets. 

To mitigate risks, users should upgrade vulnerable devices to newer, more secure models, especially when manufacturers cease providing updates. 

Investigate Real-World Malicious Links, Malware & Phishing Attacks With ANY.RUN – Try for Free

Aman Mishra

Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Recent Posts

Critical Vulnerability in Next.js Framework Exposes Websites to Cache Poisoning and XSS Attacks

A new report has put the spotlight on potential security vulnerabilities within the popular open-source…

2 hours ago

New Cookie Sandwich Technique Allows Stealing of HttpOnly Cookies

The "Cookie Sandwich Attack" showcases a sophisticated way of exploiting inconsistencies in cookie parsing by…

2 hours ago

GhostGPT – Jailbreaked ChatGPT that Creates Malware & Exploits

Artificial intelligence (AI) tools have revolutionized how we approach everyday tasks, but they also come…

8 hours ago

Tycoon 2FA Phishing Kit Using Specially Crafted Code to Evade Detection

The rapid evolution of Phishing-as-a-Service (PhaaS) platforms is reshaping the threat landscape, enabling attackers to…

8 hours ago

Nnice Ransomware Attacking Windows Systems With Advanced Encryption Techniques

CYFIRMA's Research and Advisory team has identified a new strain of ransomware labeled "Nnice," following…

8 hours ago

Microsoft Unveils New Identity Secure Score Recommendations in General Availability

Microsoft has announced the general availability of 11 new Identity Secure Score recommendations in Microsoft…

8 hours ago