Dark Mirai botnet spreads targeting RCE on TP-Link routers

A botnet tracked as Dark Mirai spreads by exploiting a new vulnerability affecting TP-Link TL-WR840N EU V5 home routers.

Dark Mirai botnet spreads by exploiting a new vulnerability, tracked as CVE-2021-41653, affecting TP-Link TL-WR840N EU V5 home routers.

“The PING function on the TP-Link TL-WR840N EU v5 router with firmware through TL-WR840N(EU)_V5_171211 is vulnerable to remote code execution via a crafted payload in an IP address input field.” reads the description for the CVE-2021-41653 flaw.

TP-Link addressed the flaw on November 12, 2021 with the release of the firmware update TL-WR840N(EU)_V5_211109.

The vulnerability was discovered by the security researcher Kamilló Matek (@k4m1ll0) who also published a PoC exploit for the flaw.

Researchers from Fortinet reported that botnet operators added the exploit for this RCE to their operation only two weeks after TP-Link released the firmware update.

The Dark Mirai botnet is based on Mirai’s code that is publicly available, in the latest campaign detailed by Fortinet it is exploiting the flaw to force vulnerable routers to download and execute a malicious script, tshit.sh, which then downloads the main binary payloads.

Below are the two requests sent to the devices to compromise them:

The researchers pointed out that successful exploitation requires authentication of the routers.

Like the Mirai botnet, Dark Mirai determines the victim’s architecture to fetch and download the matching payload. Then the bot blocks connections to commonly targeted ports to prevent other malware from infecting the device.

Once installed the malware, it waits for a command from the C&C (command and control) server to perform some variation of a DoS (denial of service) attack.

Fortinet published a list of Indicators of Compromise (IoCs) for the recent attacks.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, botnet)

[adrotate banner=”5″]

[adrotate banner=”13″]