17 April 2024

Multiple botnets are hunting for vulnerable TP-Link routers

Multiple malware variants are targeting a security vulnerability affecting TP-Link Archer routers to ensnare them in DDoS botnets.

Tracked as CVE-2023-1389, the vulnerability is an unauthenticated command injection flaw in the local API of the web management interface of the TP-Link Archer AX21 router. It allows a remote attacker to execute arbitrary commands on the target system by passing specially crafted data to the application. TP-Link addressed the vulnerability in a firmware update in March 2023.

Cybersecurity researchers at Fortinet’s FortiGuard Labs have observed a surge in attacks targeting this vulnerability.

According to FortiGuard Labs, multiple botnets, including Moobot, Miori, the Golang-based agent “AGoent,” and the Gafgyt variant (also known as Bashlite), have been actively exploiting the vulnerability to compromise TP-Link Archer AX21 routers. Exploiting this vulnerability enables attackers to take control of the devices and use them for distributed denial-of-service (DDoS) attacks.

AGoent, a Golang-based agent bot, has been observed fetching a script file named “exec.sh” from “hxxp://5[.]10[.]249[.]153,” subsequently downloading ELF files for various Linux-based architectures. The script then attempts to execute each file to identify the suitable architecture before removing them to eliminate any traces of intrusion.

Similarly, the Gafgyt variant infects Linux-based operating systems to launch DDoS attacks. This variant downloads the script file “bins.sh” from “hxxp://195[.]62[.]32[.]227” and executes it to initiate the attack.

Moobot, on the other hand, retrieves a script file named “1.sh” from “hxxp://91[.]92[.]253[.]70,” with its primary objective being to fetch ELF files with different architectures for further infection. Once executed, Moobot removes itself and all traces from the compromised device.

Furthermore, attackers have been observed employing variants of Mirai to exploit the vulnerability. The attack sequence typically involves downloading “tenda.sh” from “hxxp://94[.]156[.]8[.]244,” which subsequently fetches ELF execution files in various architectures from the same IP address. Miori, a Mirai variant, shares similar attack modules, utilizing batch scripts fetched from “hxxp://185[.]224[.]128[.]34” and employing both HTTP and TFTP protocols to retrieve ELF files.
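As an added example (not code from the article or from FortiGuard Labs), the following Python script turns the defanged indicators quoted above into a simple egress-log check that a network defender could run against router or firewall logs. The key=value log format and the sample log lines are constructed for illustration and are not a real vendor format; only the hosts and script names come from the article.

```python
"""Match outbound-connection logs against the download hosts and dropper script
names quoted in the article. Added example; log format and sample lines are
constructed, the indicators themselves are the ones the article lists."""
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# Indicators as quoted in the article (defanged). Script names are kept separate
# from hosts because the article gives them separately, not as full URLs.
# Miori's script name is not given, hence None.
ARTICLE_INDICATORS: Dict[str, Tuple[str, Optional[str]]] = {
    "AGoent": ("hxxp://5[.]10[.]249[.]153", "exec.sh"),
    "Gafgyt": ("hxxp://195[.]62[.]32[.]227", "bins.sh"),
    "Moobot": ("hxxp://91[.]92[.]253[.]70", "1.sh"),
    "Mirai":  ("hxxp://94[.]156[.]8[.]244", "tenda.sh"),
    "Miori":  ("hxxp://185[.]224[.]128[.]34", None),
}


def refang(value: str) -> str:
    """Turn a defanged indicator (hxxp, [.]) back into its live form for matching."""
    return value.replace("hxxp", "http").replace("[.]", ".")


def indicator_host(defanged_url: str) -> str:
    """Bare host of a (defanged) URL, e.g. 'hxxp://5[.]10[.]249[.]153' -> '5.10.249.153'."""
    url = refang(defanged_url)
    return re.sub(r"^https?://", "", url).split("/", 1)[0]


HOST_TO_FAMILY = {indicator_host(u): fam for fam, (u, _) in ARTICLE_INDICATORS.items()}
SCRIPT_TO_FAMILY = {s: fam for fam, (_, s) in ARTICLE_INDICATORS.items() if s}


class Hit(NamedTuple):
    line_no: int
    family: str
    reason: str


# Constructed egress-log format: space-separated key=value pairs.
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_fields(line: str) -> Dict[str, str]:
    """Parse one constructed log line into a field dictionary."""
    return dict(FIELD_RE.findall(line))


def scan_egress_log(lines: List[str]) -> List[Hit]:
    """Flag outbound requests whose destination host or requested file name
    matches an indicator from the article. One Hit is returned per reason, so a
    single line can produce both a host hit and a script-name hit."""
    hits: List[Hit] = []
    for n, line in enumerate(lines, start=1):
        fields = parse_fields(line)
        dst = fields.get("dst")
        uri = fields.get("uri", "")
        if dst in HOST_TO_FAMILY:
            hits.append(Hit(n, HOST_TO_FAMILY[dst], f"destination {dst} is a listed download host"))
        fname = uri.rsplit("/", 1)[-1]
        if fname in SCRIPT_TO_FAMILY:
            hits.append(Hit(n, SCRIPT_TO_FAMILY[fname], f"requested dropper script {fname}"))
    return hits


# Constructed sample lines (RFC 5737 documentation addresses for the local side):
# one benign firmware check, then traffic matching the article's indicators,
# including a TFTP (udp/69) fetch as described for Miori.
SAMPLE_LOG = [
    "ts=2024-04-17T09:12:01Z src=192.0.2.10 dst=198.51.100.5 dport=443 proto=tcp uri=/firmware/check",
    "ts=2024-04-17T09:12:44Z src=192.0.2.10 dst=5.10.249.153 dport=80 proto=tcp uri=/exec.sh",
    "ts=2024-04-17T09:12:45Z src=192.0.2.10 dst=5.10.249.153 dport=80 proto=tcp uri=/bins/x86",
    "ts=2024-04-17T09:13:02Z src=192.0.2.10 dst=185.224.128.34 dport=69 proto=udp uri=/mips",
]

if __name__ == "__main__":
    for hit in scan_egress_log(SAMPLE_LOG):
        print(f"line {hit.line_no}: {hit.family}: {hit.reason}")
```

Matching on the destination host catches the follow-on ELF downloads even when the file name is unremarkable, which matters here because every family described above first pulls a script and then fetches per-architecture binaries from the same host.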

Last April, researchers at Trend Micro reported that a variant of Mirai exploited the flaw to commandeer vulnerable TP-Link routers to launch attacks on game servers.
