Dark Mirai botnet spreads by exploiting a new vulnerability, tracked as CVE-2021-41653, affecting TP-Link TL-WR840N EU V5 home routers.
“The PING function on the TP-Link TL-WR840N EU v5 router with firmware through TL-WR840N(EU)_V5_171211 is vulnerable to remote code execution via a crafted payload in an IP address input field.” reads the description for the CVE-2021-41653 flaw.
TP-Link addressed the flaw on November 12, 2021 with the release of the firmware update TL-WR840N(EU)_V5_211109.
The vulnerability was discovered by the security researcher Kamilló Matek (@k4m1ll0) who also published a PoC exploit for the flaw.
Researchers from Fortinet reported that botnet operators added the exploit for this RCE to their operation only two weeks after TP-Link released the firmware update.
The Dark Mirai botnet is based on Mirai’s code that is publicly available, in the latest campaign detailed by Fortinet it is exploiting the flaw to force vulnerable routers to download and execute a malicious script, tshit.sh, which then downloads the main binary payloads.
Below are the two requests sent to the devices to compromise them:
The researchers pointed out that successful exploitation requires authentication of the routers.
Like the Mirai botnet, Dark Mirai determines the victim’s architecture to fetch and download the matching payload. Then the bot blocks connections to commonly targeted ports to prevent other malware from infecting the device.
Once installed the malware, it waits for a command from the C&C (command and control) server to perform some variation of a DoS (denial of service) attack.
Fortinet published a list of Indicators of Compromise (IoCs) for the recent attacks.
Follow me on Twitter: @securityaffairs and Facebook
[adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – hacking, botnet)
[adrotate banner=”5″]
[adrotate banner=”13″]
Security Affairs Malware newsletter includes a collection of the best articles and research on malware…
A new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles…
Chinese "kill switches" found in Chinese-made power inverters in US solar farm equipment that could…
FBI warns ex-officials are targeted with deepfake texts and AI voice messages impersonating senior U.S.…
Google warns that the cybercrime group Scattered Spider behind UK retailer attacks is now targeting…
U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Google Chromium, DrayTek routers, and SAP NetWeaver…
This website uses cookies.