Cybersecurity researchers are warning about a spike in malicious activity that involves roping vulnerable D-Link routers into two different botnets, a Mirai variant dubbed FICORA and a Kaiten (aka Tsunami) variant called CAPSAICIN.
“These botnets are frequently spread through documented D-Link vulnerabilities that allow remote attackers to execute malicious commands via a GetDeviceSettings action on the HNAP (Home Network Administration Protocol) interface,” Fortinet FortiGuard Labs researcher Vincent Li said in a Thursday analysis.
“This HNAP weakness was first exposed almost a decade ago, with numerous devices affected by a variety of CVE numbers, including CVE-2015-2051, CVE-2019-10891, CVE-2022-37056, and CVE-2024-33112.”
According to the cybersecurity company’s telemetry data, attacks involving FICORA have targeted various countries globally, whereas those related to CAPSAICIN primarily singled out East Asian territories like Japan and Taiwan. The CAPSAICIN activity is also said to have been “intensely” active only between October 21 and 22, 2024.
FICORA botnet attacks lead to the deployment of a downloader shell script (“multi”) from a remote server (“103.149.87[.]69”), which then proceeds to download the main payload for different Linux architectures separately using wget, ftpget, curl, and tftp commands.
Present within the botnet malware is a brute-force attack function containing a hard-coded list of usernames and passwords. The Mirai derivative also packs in features to conduct distributed denial-of-service (DDoS) attacks using UDP, TCP, and DNS protocols.
The downloader script (“bins.sh”) for CAPSAICIN leverages a different IP address (“87.10.220[.]221”), and follows the same approach to fetch the botnet for various Linux architectures to ensure maximum compatibility.
“The malware kills known botnet processes to ensure it is the only botnet executing on the victim host,” Li said. “‘CAPSAICIN’ establishes a connection socket with its C2 server, ‘192.110.247[.]46,’ and sends the victim host’s OS information and the nickname given by the malware back to the C2 server.”
CAPSAICIN then awaits for further commands to be executed on the compromised devices, including “PRIVMSG,” a command that could be used to perform various malicious operations such as follows –
“Although the weaknesses exploited in this attack had been exposed and patched nearly a decade ago, these attacks have remained continuously active worldwide,” Li said. “It is crucial for every enterprise to regularly update the kernel of their devices and maintain comprehensive monitoring.”
