Dark Mirai botnet spreads targeting RCE on TP-Link routers

A botnet tracked as Dark Mirai spreads by exploiting a new vulnerability affecting TP-Link TL-WR840N EU V5 home routers.

Dark Mirai botnet spreads by exploiting a new vulnerability, tracked as CVE-2021-41653, affecting TP-Link TL-WR840N EU V5 home routers.

“The PING function on the TP-Link TL-WR840N EU v5 router with firmware through TL-WR840N(EU)_V5_171211 is vulnerable to remote code execution via a crafted payload in an IP address input field.” reads the description for the CVE-2021-41653 flaw.

TP-Link addressed the flaw on November 12, 2021 with the release of the firmware update TL-WR840N(EU)_V5_211109.

The vulnerability was discovered by the security researcher Kamilló Matek (@k4m1ll0) who also published a PoC exploit for the flaw.

Researchers from Fortinet reported that botnet operators added the exploit for this RCE to their operation only two weeks after TP-Link released the firmware update.

The Dark Mirai botnet is based on Mirai’s code that is publicly available, in the latest campaign detailed by Fortinet it is exploiting the flaw to force vulnerable routers to download and execute a malicious script, tshit.sh, which then downloads the main binary payloads.

Below are the two requests sent to the devices to compromise them:

The researchers pointed out that successful exploitation requires authentication of the routers.

Like the Mirai botnet, Dark Mirai determines the victim’s architecture to fetch and download the matching payload. Then the bot blocks connections to commonly targeted ports to prevent other malware from infecting the device.

Once installed the malware, it waits for a command from the C&C (command and control) server to perform some variation of a DoS (denial of service) attack.

Fortinet published a list of Indicators of Compromise (IoCs) for the recent attacks.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, botnet)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Next BlackCat ransomware, a very sophisticated malware written in Rust »

Previous « Mozilla fixed high-severity bugs in Firefox and Thunderbird mail client

Published by

Pierluigi Paganini

Tags: Dark MiraiHackinghacking newsinformation security newsIT Information SecuritymalwarePierluigi PaganiniSecurity AffairsSecurity NewsTP-Link

3 years ago

A bug in Chrome Password Manager caused user credentials to disappear

Google addressed a Chrome's Password Manager bug that caused user credentials to disappear temporarily for…

2 hours ago

Security

BIND updates fix four high-severity DoS bugs in the DNS software suite

The Internet Systems Consortium (ISC) released BIND security updates that fixed several remotely exploitable DoS…

13 hours ago

Breaking News

Terrorist Activity is Accelerating in Cyberspace – Risk Precursor to Summer Olympics and Elections

Terrorist groups are increasingly using cyberspace and digital communication channels to plan and execute attacks.…

18 hours ago

Security

Progress Software fixed critical RCE CVE-2024-6327 in the Telerik Report Server

Progress Software addressed a critical remote code execution vulnerability, tracked as CVE-2024-6327, in the Telerik Report…

1 day ago

Hacking

Critical bug in Docker Engine allowed attackers to bypass authorization plugins

A critical flaw in some versions of Docker Engine can be exploited to bypass authorization…

1 day ago

Security

Hackers exploit Microsoft Defender SmartScreen bug CVE-2024-21412 to deliver ACR, Lumma, and Meduza Stealers

The CVE-2024-21412 flaw in the Microsoft Defender SmartScreen has been exploited to deliver information stealers…

2 days ago

This website uses cookies.