Aggressive Scans by Hajime Botnet Targeting Port 8291 With a new Exploit

Hajime Botnet variant made a massive come back with new features and this time it targets port 8291 to check whether the device running vulnerable Mikrotik RouterOS.

Attackers propagating the bot to exploit the vulnerabilities in the RouterOS that allow’s them to execute remote execution code on the device.

The MikroTik RouterOS is based on the Linux kernel and it is mostly used by ISPs and the botnet is exploiting the known vulnerabilities in HTTP, SMB and password brute forcing.

How the Infection Takes place – Port 8291

The latest variant of Hajime Botnet is efficient to launch an aggressive scanning over Port 8291 to detect the publically available devices and to exploit the devices connected with it.

Chimay Red‘ HTTP Exploit code found in the attack modules that could exploit the vulnerability in its HTTP web server process due to improper validation of user-supplied input.

The worm launches a very aggressive SYN scan to port 8291 and if the port 8291 is open it check’s for other common ports next (80,81,82,8080,8081,8082,8089,8181,8880). It uses to check the device version and sends the exploit shellcodes.

Also Read How to protect your Organization From DDOS Attack

Netlab logged more than 861,131 unique scan source IPs (72 Hours). Netlab and Radware witnessed over 10,000 unique IPs hitting port 8291 in a single day.

According to Netlab, the top three scan sources are Brazil (585k), Iran (51.8k), Russia (26.4k). Radware and Netlab published technical write-ups.

Suggested mitigations

  • Block unwanted request via 8291.
  • Update MikroTik firmware to v6.41.3 (or at least, above v6.38.5).


06B4D50254C6C112437A3ED893EF40B4 .i.mipseb
93A1A080FCDE07E512E7485C92861B69 atk.mipseb
fc834c015b357c687477cb9116531de7 atk.mipseb.upx.unpack
Guru Baran

Recent Posts

Dell, HP, & Lenovo System Found Using Outdated OpenSSL Cryptographic Library

The cybersecurity researchers at Binarly recently discovered that outdated versions of the OpenSSL cryptographic library…

1 day ago

Chrome Zero-Day Bug Actively Exploited in the Wild – Google Emergency Update!

The eighth zero-day vulnerability used in attacks this year has been fixed by Google in…

2 days ago

Operation HAECHI III – INTERPOL Arrested 1000 Cyber Criminals & Seized $130 Million

Recently, there have been almost 1000 arrests made as a result of a police operation…

4 days ago

Hackers Rewritten The RansomExx Ransomware in Rust Language To Evade Detection

There has recently been a discovery made by IBM Security X-Force Threat Researchers regarding a…

5 days ago

Web Application Penetration Testing Checklist – A Detailed Cheat Sheet

Web Application Pentesting is a method of identifying, analyzing and Report the vulnerabilities which are…

6 days ago

Chrome Extension Deploy Windows Malware to Steal Cryptocurrency and Clipboard Contents

In order to steal cryptocurrency and clipboard contents, ViperSoftX was detected by the security analysts…

7 days ago