Dark Mirai botnet spreads by exploiting a new vulnerability, tracked as CVE-2021-41653, affecting TP-Link TL-WR840N EU V5 home routers.
“The PING function on the TP-Link TL-WR840N EU v5 router with firmware through TL-WR840N(EU)_V5_171211 is vulnerable to remote code execution via a crafted payload in an IP address input field.” reads the description for the CVE-2021-41653 flaw.
TP-Link addressed the flaw on November 12, 2021 with the release of the firmware update TL-WR840N(EU)_V5_211109.
The vulnerability was discovered by the security researcher Kamilló Matek (@k4m1ll0) who also published a PoC exploit for the flaw.
Researchers from Fortinet reported that botnet operators added the exploit for this RCE to their operation only two weeks after TP-Link released the firmware update.
The Dark Mirai botnet is based on Mirai’s code that is publicly available, in the latest campaign detailed by Fortinet it is exploiting the flaw to force vulnerable routers to download and execute a malicious script, tshit.sh, which then downloads the main binary payloads.
Below are the two requests sent to the devices to compromise them:
The researchers pointed out that successful exploitation requires authentication of the routers.
Like the Mirai botnet, Dark Mirai determines the victim’s architecture to fetch and download the matching payload. Then the bot blocks connections to commonly targeted ports to prevent other malware from infecting the device.
Once installed the malware, it waits for a command from the C&C (command and control) server to perform some variation of a DoS (denial of service) attack.
Fortinet published a list of Indicators of Compromise (IoCs) for the recent attacks.
Follow me on Twitter: @securityaffairs and Facebook
[adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – hacking, botnet)
[adrotate banner=”5″]
[adrotate banner=”13″]
Nation-state actor UAT4356 has been exploiting two zero-days in ASA and FTD firewalls since November…
A malware campaign has been exploiting the updating mechanism of the eScan antivirus to distribute…
The Treasury Department's Office of Foreign Assets Control (OFAC) sanctioned four Iranian nationals for their…
A cyber attack on Leicester City Council resulted in certain street lights remaining illuminated all…
The National Police Agency in South Korea warns that North Korea-linked threat actors are targeting…
The U.S. Department of State imposed visa restrictions on 13 individuals allegedly linked to the…
This website uses cookies.