Moobot botnet is back and targets vulnerable D-Link routers

The Moobot botnet is behind a new wave of attacks that started in early August and that target vulnerable D-Link routers.

Palo Alto Network’s Unit 42 researchers reported a new wave of attacks launched by the Moobot botnet that target vulnerable D-Link routers.

The Mirai-based Moobot botnet was first documented by Palo Alto Unit 42 researchers in February 2021, in November 2021, it started exploiting a critical command injection flaw (CVE-2021-36260) in the webserver of several Hikvision products.

Now the MooBot has re-emerged in a new attack wave of attacks that started in August, targeting vulnerable D-Link routers. The botnet is exploiting both old and new exploits, below is list of vulnerabilities exploited:

• CVE-2015-2051: D-Link HNAP SOAPAction Header Command Execution Vulnerability
• CVE-2018-6530: D-Link SOAP Interface Remote Code Execution Vulnerability
• CVE-2022-26258: D-Link Remote Command Execution Vulnerability
• CVE-2022-28958: D-Link Remote Command Execution Vulnerability

Threat actors explored the four D-Link vulnerabilities to gain remote code execution and download a MooBot downloader from 159.203.15[.]179.

“Upon execution, the binary file prints get haxored! to the console, spawns processes with random names and wipes out the executable file.” reads the analysis published by Unit 42. “As a variant, MooBot inherits Mirai’s most significant feature – a data section with embedded default login credentials and botnet configuration – but instead of using Mirai’s encryption key, 0xDEADBEEF, MooBot encrypts its data with 0x22.”

At the time of the analysis, the C2 server was offline. The analysis of the code revealed that the MooBot bot will also send heartbeat messages to the C2 server and parse commands from C2 to start a DDoS attack on a specific IP address and port number.

Researchers strongly recommend users of D-Link routers of applying patches and upgrades when possible. For users that suspect their router has been compromised, the experts recommend resetting the device, changing the admin password, and then installing the latest updates.

“The vulnerabilities mentioned above have low attack complexity but critical security impact that can lead to remote code execution. Once the attacker gains control in this manner, they could take advantage by including the newly compromised devices into their botnet to conduct further attacks such as DDoS.” concludes the report.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, D-Link)

[adrotate banner=”5″]

[adrotate banner=”13″]