Dark Mirai botnet spreads targeting RCE on TP-Link routers

A botnet tracked as Dark Mirai spreads by exploiting a new vulnerability affecting TP-Link TL-WR840N EU V5 home routers.

Dark Mirai botnet spreads by exploiting a new vulnerability, tracked as CVE-2021-41653, affecting TP-Link TL-WR840N EU V5 home routers.

“The PING function on the TP-Link TL-WR840N EU v5 router with firmware through TL-WR840N(EU)_V5_171211 is vulnerable to remote code execution via a crafted payload in an IP address input field.” reads the description for the CVE-2021-41653 flaw.

TP-Link addressed the flaw on November 12, 2021 with the release of the firmware update TL-WR840N(EU)_V5_211109.

The vulnerability was discovered by the security researcher Kamilló Matek (@k4m1ll0) who also published a PoC exploit for the flaw.

Researchers from Fortinet reported that botnet operators added the exploit for this RCE to their operation only two weeks after TP-Link released the firmware update.

The Dark Mirai botnet is based on Mirai’s code that is publicly available, in the latest campaign detailed by Fortinet it is exploiting the flaw to force vulnerable routers to download and execute a malicious script, tshit.sh, which then downloads the main binary payloads.

Below are the two requests sent to the devices to compromise them:

The researchers pointed out that successful exploitation requires authentication of the routers.

Like the Mirai botnet, Dark Mirai determines the victim’s architecture to fetch and download the matching payload. Then the bot blocks connections to commonly targeted ports to prevent other malware from infecting the device.

Once installed the malware, it waits for a command from the C&C (command and control) server to perform some variation of a DoS (denial of service) attack.

Fortinet published a list of Indicators of Compromise (IoCs) for the recent attacks.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, botnet)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.