Categories: Malware

Hackers Using Mirai Variant MooBot to Exploit D-Link Devices Bugs

In a new attack wave, MooBot, a variant of Mirai botnet malware, has been detected recently by the cybersecurity experts at Palo Alto Network’s Unit 42. 

At the beginning of last month, a new wave of attacks began to appear. This new wave of attacks targeted mostly vulnerable D-Link routers as part of this malicious campaign.

As a result of an analysis carried out by Fortinet analysts in December 2021, the Mirai variant, MooBot was discovered. It has been reported that the malware has updated the scope of its targeting now. 

In fact, botnets are likely to seek out untapped puddles of vulnerable devices that they can use as bait in order to entrap their victims.

There are several vulnerabilities in D-Link devices but among them, MooBot targeted the four critical ones, and here they are mentioned below:-

  • CVE-2015-2051: D-Link HNAP SOAPAction Header Command Execution Vulnerability (CVSS Version 2.0: 10.0 High)
  • CVE-2018-6530: D-Link SOAP Interface Remote Code Execution Vulnerability (CVSS Version 3.0: 9.8 Critical)
  • CVE-2022-26258: D-Link Remote Command Execution Vulnerability (CVSS Version 3.0: 9.8 Critical)
  • CVE-2022-28958: D-Link Remote Command Execution Vulnerability (CVSS Version 3.0: 9.8 Critical)

The vulnerabilities could be exploited remotely by attackers to execute code on the host 159.203.15[.]179 and download MooBot downloader from the host.

There have been security updates released by the vendor to mitigate the impact of the flaws. However, not all of the updates have been applied by all users.

Technical Analysis

There is a low attack complexity associated with the flaws which are exploited by the operators of MooBot. A malicious binary is retrieved by using arbitrary commands when RCE is gained on the targets.

On the C2 that is under the control of the threat actors, all the newly captured routers are recorded. Once the malware has decoded the configuration file’s hardcoded address, this calculation is carried out.

The addresses for C2 in Unit 42’s report are different from those in Fortinet’s report, which is a significant difference to pay attention to. An indication that the infrastructure of the threat actor has been refreshed.

A compromised D-Link device may cause users to notice a number of symptoms like:-

  • Internet speed drop issues
  • Unresponsiveness
  • Router overheating
  • Uncertain DNS configuration changes

Recommendations

In order to avoid this problem, cybersecurity researchers have urged users to update patches and software whenever possible. It is recommended that you follow the following recommendations if you believe that you may have already been compromised:-

  • It is recommended that you reset your router.
  • The password for your admin account needs to be changed.
  • Make sure you have the latest security updates installed.

Download Free SWG – Secure Web Filtering – E-book

Balaji

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Recent Posts

Top 20 Best Open-Source SOC Tools in 2025

As cyber threats continue to evolve, Security Operations Centers (SOCs) require robust tools to detect,…

1 hour ago

Hackers Exploit Fast Flux to Evade Detection and Obscure Malicious Servers

Cybersecurity agencies worldwide have issued a joint advisory warning against the growing threat posed by…

3 hours ago

Oracle Confirms The Data Breach- Starts Initiating Client Notifications

Oracle Corporation has confirmed a data breach involving its older Gen 1 servers, marking its…

3 hours ago

Vite Development Server Flaw Allows Attackers Bypass Path Restrictions

A critical security vulnerability, CVE-2025-31125, has been identified in the Vite development server. Due to improper…

4 hours ago

New Android Spyware Tricks Users by Demanding Passwords for Uninstallation

A newly identified Android spyware app is elevating its tactics to remain hidden and unremovable…

5 hours ago

Malicious PDFs Responsible for 22% of All Email-Based Cyber Threats

Malicious PDF files have emerged as a dominant threat vector in email-based cyberattacks, accounting for…

5 hours ago