17 April 2024

Multiple botnets are hunting for vulnerable TP-Link routers

Multiple malware variants are targeting a security vulnerability affecting TP-Link Archer routers to ensnare them in DDoS botnets.

Tracked as CVE-2023-1389, the flaw is an unauthenticated command injection vulnerability in the local API of the web management interface of the TP-Link Archer AX21 router; it allows a remote attacker to execute arbitrary commands on the device by passing specially crafted data to the application. TP-Link addressed the vulnerability in a firmware update in March 2023.

Cybersecurity researchers at Fortinet’s FortiGuard Labs have observed a surge in attacks targeting this vulnerability.

According to FortiGuard Labs, multiple botnets, including Moobot, Miori, the Golang-based agent “AGoent,” and the Gafgyt variant aka Bashlite have been actively exploiting the vulnerability to compromise TP-Link Archer AX21 routers. The exploitation of this vulnerability enables attackers to take control of the devices, utilizing them for distributed denial-of-service (DDoS) attacks.

AGoent, a Golang-based agent bot, has been observed fetching a script file named “exec.sh” from “hxxp://5[.]10[.]249[.]153,” then downloading ELF files for various Linux-based architectures. The script attempts to execute each file to identify the suitable architecture before removing them to eliminate any traces of intrusion.

Similarly, the Gafgyt variant infects Linux-based operating systems to launch DDoS attacks. This variant downloads the script file “bins.sh” from “hxxp://195[.]62[.]32[.]227” and executes it to initiate the attack.

Moobot, on the other hand, retrieves a script file named “1.sh” from “hxxp://91[.]92[.]253[.]70,” with its primary objective being to fetch ELF files with different architectures for further infection. Once executed, Moobot removes itself and all traces from the compromised device.

Furthermore, attackers have been observed employing variants of Mirai to exploit the vulnerability. The attack sequence typically involves downloading “tenda.sh” from “hxxp://94[.]156[.]8[.]244,” which subsequently fetches ELF execution files in various architectures from the same IP address. Miori, a Mirai variant, shares similar attack modules, utilizing batch scripts fetched from “hxxp://185[.]224[.]128[.]34” and employing both HTTP and TFTP protocols to retrieve ELF files.
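As an added defensive example (not part of the original article or of any of the vendors' tooling), the script below refangs the stager hosts quoted above and flags any egress log line whose destination matches one of them; the log format and the log lines themselves are constructed for illustration.

```python
import re

# Stager indicators exactly as quoted in the article (defanged: "hxxp", "[.]").
DEFANGED_STAGERS = {
    "AGoent": ("hxxp://5[.]10[.]249[.]153", "exec.sh"),
    "Gafgyt": ("hxxp://195[.]62[.]32[.]227", "bins.sh"),
    "Moobot": ("hxxp://91[.]92[.]253[.]70", "1.sh"),
    "Mirai": ("hxxp://94[.]156[.]8[.]244", "tenda.sh"),
    "Miori": ("hxxp://185[.]224[.]128[.]34", None),  # script name not given in the article
}

def refang(indicator: str) -> str:
    """Turn a defanged indicator back into a matchable URL/host string."""
    return indicator.replace("hxxp", "http").replace("[.]", ".")

def stager_hosts() -> dict:
    """Map refanged host -> botnet family, e.g. '5.10.249.153' -> 'AGoent'."""
    hosts = {}
    for family, (url, _script) in DEFANGED_STAGERS.items():
        host = refang(url).split("://", 1)[1]
        hosts[host] = family
    return hosts

# Constructed egress/proxy log lines (hypothetical format, not real traffic).
SAMPLE_LOG = """\
2024-04-17T10:02:11Z src=192.168.0.1 dst=5.10.249.153 proto=http uri=/exec.sh
2024-04-17T10:02:13Z src=192.168.0.1 dst=5.10.249.153 proto=http uri=/x86
2024-04-17T10:05:40Z src=192.168.0.23 dst=93.184.216.34 proto=http uri=/index.html
2024-04-17T10:07:02Z src=192.168.0.1 dst=185.224.128.34 proto=tftp uri=/arm7
"""

LINE_RE = re.compile(
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\S+) uri=(?P<uri>\S+)"
)

def find_stager_contacts(log_text: str) -> list:
    """Return (src, dst, family, uri) for each line whose dst is a known stager host.

    Both HTTP and TFTP fetches are considered, since Miori uses either."""
    hosts = stager_hosts()
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        family = hosts.get(m["dst"])
        if family:
            hits.append((m["src"], m["dst"], family, m["uri"]))
    return hits

if __name__ == "__main__":
    for src, dst, family, uri in find_stager_contacts(SAMPLE_LOG):
        print(f"{src} contacted {family} stager {dst} for {uri}")
```

A source that pulls several different binaries from one stager host in quick succession, as the first two sample lines show, is the multi-architecture sweep the article describes.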

Last April, researchers at Trend Micro reported that a variant of Mirai exploited the flaw to commandeer vulnerable TP-Link routers to launch attacks on game servers.
