Moobot botnet is back and targets vulnerable D-Link routers

The Moobot botnet is behind a new wave of attacks that started in early August and that target vulnerable D-Link routers.

Palo Alto Network’s Unit 42 researchers reported a new wave of attacks launched by the Moobot botnet that target vulnerable D-Link routers.

The Mirai-based Moobot botnet was first documented by Palo Alto Unit 42 researchers in February 2021, in November 2021, it started exploiting a critical command injection flaw (CVE-2021-36260) in the webserver of several Hikvision products.

Now the MooBot has re-emerged in a new attack wave of attacks that started in August, targeting vulnerable D-Link routers. The botnet is exploiting both old and new exploits, below is list of vulnerabilities exploited:

CVE-2015-2051: D-Link HNAP SOAPAction Header Command Execution Vulnerability
CVE-2018-6530: D-Link SOAP Interface Remote Code Execution Vulnerability
CVE-2022-26258: D-Link Remote Command Execution Vulnerability
CVE-2022-28958: D-Link Remote Command Execution Vulnerability

Threat actors explored the four D-Link vulnerabilities to gain remote code execution and download a MooBot downloader from 159.203.15[.]179.

“Upon execution, the binary file prints get haxored! to the console, spawns processes with random names and wipes out the executable file.” reads the analysis published by Unit 42. “As a variant, MooBot inherits Mirai’s most significant feature – a data section with embedded default login credentials and botnet configuration – but instead of using Mirai’s encryption key, 0xDEADBEEF, MooBot encrypts its data with 0x22.”

At the time of the analysis, the C2 server was offline. The analysis of the code revealed that the MooBot bot will also send heartbeat messages to the C2 server and parse commands from C2 to start a DDoS attack on a specific IP address and port number.

Researchers strongly recommend users of D-Link routers of applying patches and upgrades when possible. For users that suspect their router has been compromised, the experts recommend resetting the device, changing the admin password, and then installing the latest updates.

“The vulnerabilities mentioned above have low attack complexity but critical security impact that can lead to remote code execution. Once the attacker gains control in this manner, they could take advantage by including the newly compromised devices into their botnet to conduct further attacks such as DDoS.” concludes the report.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, D-Link)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.