www.fortinet.com
2a05:d014:f3c:6c02:209f:ae6c:3c6e:e3dd
Public Scan
URL:
https://www.fortinet.com/blog/threat-research/botnets-continue-to-target-aging-d-link-vulnerabilities
Submission Tags: @nominet_threat_intel ip-small-n reference_article_link confidence_medium cluster_15702006
Submission: On December 28 via api from GB — Scanned from GB
FortiGuard Labs Threat Research

BOTNETS CONTINUE TO TARGET AGING D-LINK VULNERABILITIES

By Vincent Li | December 26, 2024

Affected Platforms: D-Link DIR-645 Wired/Wireless Router Rev. Ax with firmware 1.04b12 and earlier; D-Link DIR-806 devices; D-Link GO-RT-AC750 GORTAC750_revA_v101b03 and GO-RT-AC750_revB_FWv200b02; D-Link DIR-845L router v1.01KRb03 and before
Impacted Users: Any organization
Impact: Remote attackers gain control of the vulnerable systems
Severity Level: High

FortiGuard Labs noticed a spike in the activity of two different botnets in October and November of 2024. One was the Mirai variant “FICORA,” and the other was the Kaiten variant “CAPSAICIN.” These botnets are frequently spread through documented D-Link vulnerabilities that allow remote attackers to execute malicious commands via a GetDeviceSettings action on the HNAP (Home Network Administration Protocol) interface. This HNAP weakness was first exposed almost a decade ago, and numerous devices are affected under a variety of CVE numbers, including CVE-2015-2051, CVE-2019-10891, CVE-2022-37056, and CVE-2024-33112.

Figure 1: IPS Telemetry.

According to our IPS telemetry, attackers frequently reuse older attacks, which accounts for the continued spread of the “FICORA” and “CAPSAICIN” botnets to victim hosts. This article looks at their infection traffic and offers insights into these botnets.
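The vector described above is abuse of the HNAP SOAPAction header on a GetDeviceSettings request. Since the router itself rarely logs anything useful, the practical detection point is a proxy, IDS or packet capture in front of it. The following Python is an added example, not code from the Fortinet post: it scans request records for SOAPAction values that do not have the plain shape of a legitimate HNAP action (namespace URI followed by a single alphanumeric action name). The record format, the purenetworks.com namespace string and the sample records are assumptions or constructed; the flagged record carries a placeholder, not a real payload.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample records (not real telemetry). The format is an assumption: a reverse
# proxy or IDS in front of the router that records client IP, method, path and the
# SOAPAction header value ("-" when the header is absent).
SAMPLE_LOG = """\
10.0.0.5 POST /HNAP1/ soapaction="http://purenetworks.com/HNAP1/GetDeviceSettings"
10.0.0.7 POST /HNAP1/ soapaction="http://purenetworks.com/HNAP1/Login"
203.0.113.9 POST /HNAP1/ soapaction="http://purenetworks.com/HNAP1/GetDeviceSettings/; PLACEHOLDER_COMMAND"
198.51.100.4 POST /HNAP1/ soapaction="http://evil.invalid/HNAP1/GetDeviceSettings"
10.0.0.9 GET /index.html soapaction=-
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) (?P<method>\S+) (?P<path>\S+) soapaction=(?:"(?P<action>[^"]*)"|-)$'
)

# HNAP SOAPAction values take the form <namespace><ActionName>. The namespace below is the
# one HNAP devices conventionally use; treat it as an assumption and adjust for your firmware.
HNAP_NAMESPACE = "http://purenetworks.com/HNAP1/"
ACTION_NAME_RE = re.compile(r"[A-Za-z0-9]+")


@dataclass
class Alert:
    client_ip: str
    soapaction: str
    reason: str


def check_soapaction(action: Optional[str]) -> Optional[str]:
    """Return a reason string if the SOAPAction value is not a plain HNAP action, else None."""
    if action is None:
        return None  # header absent: nothing to judge here
    if not action.startswith(HNAP_NAMESPACE):
        return "SOAPAction outside the HNAP namespace"
    name = action[len(HNAP_NAMESPACE):]
    if not ACTION_NAME_RE.fullmatch(name):
        # Anything beyond a bare action name (separators, quotes, spaces, an empty name)
        # is what the SOAPAction-Header command-execution signatures are about.
        return "action name contains characters outside [A-Za-z0-9]"
    return None


def scan_log(text: str) -> List[Alert]:
    """Flag HNAP requests whose SOAPAction header deviates from the expected shape."""
    alerts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m.group("path").startswith("/HNAP1"):
            continue  # malformed record, or not an HNAP request at all
        reason = check_soapaction(m.group("action"))
        if reason:
            alerts.append(Alert(m.group("ip"), m.group("action"), reason))
    return alerts


if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(f"{a.client_ip}: {a.reason} ({a.soapaction!r})")
```

The check is an allowlist rather than a signature, so it also catches variants the IPS names do not cover, but it will flag any firmware that legitimately emits an unusual SOAPAction form; review a day of traffic from known-good devices before alerting on it.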
Incidents

The attackers we identified spreading the “FICORA” botnet triggered the incident from 185[.]191[.]126[.]213 and 185[.]191[.]126[.]248, which are servers located in the Netherlands. Because this latest “FICORA” attack targeted many countries around the world, we speculate that it was not a targeted attack.

Figure 2: “FICORA” Telemetry.

“CAPSAICIN,” unlike “FICORA,” was only intensely active over two days—October 21 and 22, 2024. East Asian countries bore the brunt of the incidents in which attackers actively spread the “CAPSAICIN” botnet.

Figure 3: “CAPSAICIN” Telemetry.

FICORA

The “FICORA” botnet downloads a shell script named “multi,” executes it, and then removes it after execution.

Figure 4: Malicious “FICORA” command exploiting a D-Link vulnerability.

The shell script “multi” uses multiple strategies to download the “FICORA” malware, such as “wget,” “ftpget,” “curl,” and “tftp.”

Figure 5: Downloader script "multi" using the “curl” command.
Figure 6: Downloader script "multi" using the “tftp” command.

This downloader script first kills all processes with the same file extension as the “FICORA” malware. It then downloads and executes its malware builds for different Linux architectures, including “arc,” “arm,” “arm5,” “arm6,” “arm7,” “i486,” “i586,” “i686,” “m68k,” “mips,” “mipsel,” “powerpc,” “powerpc-440fp,” and “sparc.” The following analysis is based on “la.bot.arm7.”

“FICORA” encrypts its configuration with the ChaCha20 algorithm. This configuration includes its C2 server domain and a unique string.

Figure 7: Decoded configuration that had been encrypted with the ChaCha20 algorithm.
Figure 8: Decoded ChaCha20-encrypted configuration—C2 server domain.
Figure 9: Decoded ChaCha20-encrypted configuration with unique string.

The scanner in “FICORA” includes hard-coded usernames and passwords for its brute-force attack function.

Figure 10: Brute force attack function with hard-coded username and password.
Figure 11: Hard-coded username list.
Figure 12: Hard-coded password list.

The malware also embeds a shell script as hexadecimal ASCII characters and reconstructs it during the scanner's execution. The script looks for any process whose name contains the keyword “dvrHelper,” which is probably another malware family, and kills it.

Figure 13: Embedded hexadecimal script.
Figure 14: Embedded script in plain text.

The “FICORA” malware is a variant of Mirai and can be identified by its similar architecture. It also includes DDoS attack functions using protocols such as UDP, TCP, and DNS.

Figure 15: UDP flooding attack function.

CAPSAICIN

The “CAPSAICIN” downloader is delivered from 87[.]10[.]220[.]221.

Figure 16: Malicious “CAPSAICIN” command targeting a D-Link vulnerability.

The shell script “bins.sh” downloads and executes the “CAPSAICIN” malware, whose file names carry the prefix “yakuza,” for different Linux architectures, including “arm,” “arm5,” “arm6,” “arm7,” “i586,” “i686,” “m68k,” “mips,” “mipsel,” “ppc,” “sparc,” and “x86.”

Figure 17: Downloader script "bins.sh."

We will focus on “yakuza.x86” for the following analysis. Once executed, the malware prints the string “CAPSAICIN,” which is where the variant name comes from.

Figure 18: Pop-up string after execution.

The malware kills known botnet processes to ensure it is the only botnet executing on the victim host.

Figure 19: Killing known botnets.
Figure 20: The list of known botnet file names.

“CAPSAICIN” establishes a connection socket with its C2 server, “192[.]110[.]247[.]46,” and sends the victim host’s OS information and the nickname given by the malware back to the C2 server.

Figure 21: “Send” function with specified string.
Figure 22: Network packet content.

It then waits for a command from the C2 server to execute the numerous functions listed below.

Figure 23: Function calls.
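The FICORA section above notes that the scanner carries its process-killing shell script as hexadecimal ASCII and rebuilds it at runtime, which is why a plain `strings` run over the sample shows nothing useful. The Python below is an added example, not the article's or Fortinet's code: it scans a binary for runs of hex digits (both bare "2321..." and C-style "\x23\x21..." forms), decodes them, and keeps only the ones that decode to printable text, so hashes and other hex-looking data are filtered out. The sample blob and the placeholder script inside it are constructed; the only string taken from the page is the “dvrHelper” keyword.

```python
import re
import string
from dataclasses import dataclass
from typing import List

# Byte values accepted as "script text": printable ASCII plus the usual whitespace.
PRINTABLE = frozenset(string.printable.encode("ascii"))

# Two encodings are handled: bare hex-digit runs and C-style "\xNN" escape runs.
PLAIN_HEX_RE = re.compile(rb"(?:[0-9a-fA-F]{2}){16,}")
ESCAPED_HEX_RE = re.compile(rb"(?:\\x[0-9a-fA-F]{2}){8,}")


@dataclass
class HexString:
    offset: int    # byte offset of the encoded run inside the blob
    encoding: str  # "plain" or "escaped"
    text: str      # decoded content


def _looks_like_text(raw: bytes) -> bool:
    return len(raw) > 0 and all(b in PRINTABLE for b in raw)


def decode_hex_runs(blob: bytes) -> List[HexString]:
    """Find hex-encoded ASCII runs in a binary and return the ones that decode to text."""
    results = []
    for m in PLAIN_HEX_RE.finditer(blob):
        raw = bytes.fromhex(m.group().decode("ascii"))
        if _looks_like_text(raw):
            results.append(HexString(m.start(), "plain", raw.decode("ascii")))
    for m in ESCAPED_HEX_RE.finditer(blob):
        raw = bytes.fromhex(m.group().replace(b"\\x", b"").decode("ascii"))
        if _looks_like_text(raw):
            results.append(HexString(m.start(), "escaped", raw.decode("ascii")))
    return sorted(results, key=lambda r: r.offset)


# Constructed stand-in for a binary: a fake ELF prefix, a hex-encoded placeholder script
# (not the malware's script), a hex-looking run that is NOT text, and an escaped keyword.
FAKE_SCRIPT = b"#!/bin/sh\n# constructed placeholder, not the real embedded script\necho PLACEHOLDER\n"
SAMPLE_BLOB = (
    b"\x7fELF\x01\x01\x01\x00" + b"\x00" * 12
    + FAKE_SCRIPT.hex().encode("ascii") + b"\x00" * 4
    + b"deadbeefcafebabe" * 3 + b"\x00"   # 24 hex pairs that decode to non-text: filtered out
    + b"".join(b"\\x%02x" % c for c in b"dvrHelper") + b"\x00"
)

if __name__ == "__main__":
    for s in decode_hex_runs(SAMPLE_BLOB):
        print(f"offset {s.offset} ({s.encoding}): {s.text!r}")
```

The minimum run lengths (16 bare pairs, 8 escaped pairs) keep short accidental hex sequences out of the results; lower them if you are hunting for single keywords rather than whole scripts.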
Using its “PRIVMSG” function, “CAPSAICIN” sets up environment variables for further functions the C2 server can invoke using the following commands.

Figure 24: C2 commands.

In addition to the above commands, the “PRIVMSG” function can trigger DDoS attacks using the following commands from the C2 server.

Figure 25: DDoS attack commands.

In addition to these attack functions, the malware includes a help message for each function to remind the attacker of the required parameters. The “CAPSAICIN” malware appears to be a variant based on the Keksec group’s botnets. According to hard-coded information found in version 17.0.0 of the malware developed by the Keksec group, we surmise that “CAPSAICIN” was developed based on that version.

Figure 26: Malware version.

Conclusion

Although the weaknesses exploited in this attack were exposed and patched nearly a decade ago, these attacks have remained continuously active worldwide. FortiGuard Labs discovered that “FICORA” and “CAPSAICIN” spread through this weakness. Because of this, it is crucial for every enterprise to regularly update the kernel of their devices and maintain comprehensive monitoring. These steps will help reduce the likelihood of malware being deployed through this vulnerability.

Fortinet Protections

The malware described in this report is detected and blocked by FortiGuard Antivirus as:

ELF/Gafgyt.ST!tr
ELF/Gafgyt.C!tr
ELF/Gafgyt.AEA!tr
BASH/TrojanDownloader.SH!tr
BASH/Mirai.AEH!tr.dldr
ELF/Mirai.A!tr
ELF/Mirai.CTQ!tr
ELF/Mirai.CLY!tr
BASH/Agent.SHS!tr.dldr

FortiGate, FortiMail, FortiClient, and FortiEDR support the FortiGuard AntiVirus service. The FortiGuard AntiVirus engine is part of each of these solutions. As a result, customers who have these products with up-to-date protections are protected.

The FortiGuard Web Filtering Service blocks the C2 server.
FortiGuard Labs provides IPS signatures against attacks exploiting the following vulnerabilities:

CVE-2015-2051: D-Link.Devices.HNAP.SOAPAction-Header.Command.Execution
CVE-2019-10891: D-Link.Devices.HNAP.SOAPAction-Header.Command.Execution
CVE-2022-37056: D-Link.Devices.HNAP.SOAPAction-Header.Command.Execution
CVE-2024-33112: D-Link.Devices.HNAP.SOAPAction-Header.Command.Execution

We also suggest that organizations go through Fortinet’s free cybersecurity training module: Fortinet Certified Fundamentals (FCF) in Cybersecurity. This module is designed to help end users learn how to identify and protect themselves from phishing attacks.

The FortiGuard IP Reputation and Anti-Botnet Security Service proactively blocks these attacks by aggregating malicious source IP data from the Fortinet distributed network of threat sensors, CERTs, MITRE, cooperative competitors, and other global sources that collaborate to provide up-to-date threat intelligence about hostile sources.

If you believe this or any other cybersecurity threat has impacted your organization, please contact our Global FortiGuard Incident Response Team.
IOCs

URLs

FICORA
hxxp://103[.]149[.]87[.]69/multi
hxxp://103[.]149[.]87[.]69/la.bot.arc
hxxp://103[.]149[.]87[.]69/la.bot.arm
hxxp://103[.]149[.]87[.]69/la.bot.arm5
hxxp://103[.]149[.]87[.]69/la.bot.arm6
hxxp://103[.]149[.]87[.]69/la.bot.arm7
hxxp://103[.]149[.]87[.]69/la.bot.m68k
hxxp://103[.]149[.]87[.]69/la.bot.mips
hxxp://103[.]149[.]87[.]69/la.bot.mipsel
hxxp://103[.]149[.]87[.]69/la.bot.powerpc
hxxp://103[.]149[.]87[.]69/la.bot.sh4
hxxp://103[.]149[.]87[.]69/la.bot.sparc

CAPSAICIN
hxxp://87[.]11[.]174[.]141/bins.sh
hxxp://pirati[.]abuser[.]eu/yakuza.yak.sh
hxxp://pirati[.]abuser[.]eu/yakuza.arm5
hxxp://pirati[.]abuser[.]eu/yakuza.arm6
hxxp://pirati[.]abuser[.]eu/yakuza.arm7
hxxp://pirati[.]abuser[.]eu/yakuza.i586
hxxp://pirati[.]abuser[.]eu/yakuza.i686
hxxp://pirati[.]abuser[.]eu/yakuza.m68k
hxxp://pirati[.]abuser[.]eu/yakuza.mips
hxxp://pirati[.]abuser[.]eu/yakuza.mipsel
hxxp://pirati[.]abuser[.]eu/yakuza.ppc
hxxp://pirati[.]abuser[.]eu/yakuza.sparc
hxxp://pirati[.]abuser[.]eu/yakuza.x86
hxxp://87[.]10[.]220[.]221/bins.sh
hxxp://87[.]10[.]220[.]221/yakuza.sh
hxxp://87[.]10[.]220[.]221/yakuza.arm4
hxxp://87[.]10[.]220[.]221/yakuza.arm5
hxxp://87[.]10[.]220[.]221/yakuza.arm6
hxxp://87[.]10[.]220[.]221/yakuza.arm7
hxxp://87[.]10[.]220[.]221/yakuza.i586
hxxp://87[.]10[.]220[.]221/yakuza.i686
hxxp://87[.]10[.]220[.]221/yakuza.m68k
hxxp://87[.]10[.]220[.]221/yakuza.mips
hxxp://87[.]10[.]220[.]221/yakuza.mipsel
hxxp://87[.]10[.]220[.]221/yakuza.ppc
hxxp://87[.]10[.]220[.]221/yakuza.sparc
hxxp://87[.]10[.]220[.]221/yakuza.x86

Hosts
103[.]149[.]87[.]69
ru[.]coziest[.]lol
f[.]codingdrunk[.]cc
www[.]codingdrunk[.]in
eighteen[.]pirate
nineteen[.]libre
75cents[.]libre
2joints[.]libre
fortyfivehundred[.]dyn
21savage[.]dyn
imaverygoodbadboy[.]libre
le[.]codingdrunk[.]in
87[.]11[.]174[.]141
pirati[.]abuser[.]eu
87[.]10[.]220[.]221
45[.]86[.]86[.]60
194[.]110[.]247[.]46

Files

Downloader
f71dc58cc969e79cb0fdfe5163fbb9ed4fee5e13cc9407a11d231601ee4c6e23
ea83411bd7b6e5a7364f7b8b9018f0f17f7084aeb58a47736dd80c99cfeac7f1
48a04c7c33a787ef72f1a61aec9fad87d6bd9c49542f52af7e029ac83475f45d
18c92006951f93a77df14eca6430f32389080838d97c9e47364bf82f6c21a907

FICORA
9b161a32d89f9b19d40cd4c21d436c1daf208b5d159ffe1df7ad5fd1a57610e5
faeea9d5091384195e87caae9dd88010c9a2b3b2c88ae9cac8d79fd94f250e9f
10d7aedc963ea77302b967aad100d7dd90d95abcdb099c5a0a2df309c52c32b8
7f6912de8bef9ced5b9018401452278570b4264bb1e935292575f2c3a0616ec4
a06fd0b8936f5b2370db5f7ec933d53bd8a1bf5042cdc5c052390d1ecc7c0e07
764a03bf28f9eec50a1bd994308e977a64201fbe5d41337bdcc942c74861bcd3
df176fb8cfbc7512c77673f862e73833641ebb0d43213492c168f99302dcd5e3
ac2df391ede03df27bcf238077d2dddcde24cd86f16202c5c51ecd31b7596a68
ca3f6dce945ccad5a50ea01262b2d42171f893632fc5c5b8ce4499990e978e5b
afee245b6f999f6b9d0dd997436df5f2abfb3c8d2a8811ff57e3c21637207d62
ec508df7cb142a639b0c33f710d5e49c29a5a578521b6306bee28012aadde4a8

CAPSAICIN
8349ba17f028b6a17aaa09cd17f1107409611a0734e06e6047ccc33e8ff669b0
b3ad8409d82500e790e6599337abe4d6edf5bd4c6737f8357d19edd82c88b064
ec87dc841af77ec2987f3e8ae316143218e9557e281ca13fb954536aa9f9caf1
784c9711eadceb7fedf022b7d7f00cff7a75d05c18ff726e257602e3a3ccccc1
bde6ef047e0880ac7ef02e56eb87d5bc39116e98ef97a5b1960e9a55cea5082b
c7be8d1b8948e1cb095d46376ced64367718ed2d9270c2fc99c7052a9d1ffed7
4600703535e35b464f0198a1fa95e3668a0c956ab68ce7b719c28031d69b86ff
6e3ef9404817e168c974000205b27723bc93abd7fbf0581c16bb5d2e1c5c6e4a
32e66b87f47245a892b102b7141d3845540b270c278e221f502807758a4e5dee
540c00e6c0b53332128b605b0d5e0926db0560a541bb13448d094764844763df
b74dbd02b7ebb51700f3c5900283e46570fe497f9b415d25a029623118073519
148f6b990fc1f1903287cd5c20276664b332dd3ba8d58f2bf8c26334c93c3af5
464e2f1faab2a40db44f118f7c3d1f9b300297fe6ced83fabe87563fc82efe95
b699cd64b9895cdcc325d7dd96c9eca623d3ec0247d20f39323547132c8fa63b
1007f5613a91a5d4170f28e24bfa704c8a63d95a2b4d033ff2bff7e2fe3dcffe
7a815d4ca3771de8a71cde2bdacf951bf48ea5854eb0a2af5db7d13ad51c44ab
d6a2a22000d68d79caeae482d8cf092c2d84d55dccee05e179a961c72f77b1ba
7ab36a93f009058e60c8a45b900c1c7ae38c96005a43a39e45be9dc7af9d6da8
803abfe19cdc6c0c41acfeb210a2361cab96d5926b2c43e5eb3b589a6ed189ad
7b29053306f194ca75021952f97f894d8eae6d2e1d02939df37b62d3845bfdb7
59704cf55b9fa439d6f7a36821a50178e9d73ddc5407ff340460c054d7defc54
aaa49b7b4f1e71623c42bc77bb7aa40534bcb7312da511b041799bf0e1a63ee7
1ca1d5a53c4379c3015c74af2b18c1d9285ac1a48d515f9b7827e4f900a61bde

Tags: botnets
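The indicators above are published defanged (hxxp, [.]), which is right for a report but useless to a proxy blocklist or a SIEM until they are refanged and sorted by type. The Python below is an added example, not the article's or Fortinet's code: it refangs a defanged IOC dump, splits it into URL, host and SHA-256 sets (the host of every C2 URL is added to the host set, since a download from a different path on the same server is still worth a hit), and matches DNS, proxy and file-hash events against the sets. The IOC subset is copied from the list above; the events are constructed and include a trailing-dot DNS name and an upper-case hash to show the normalisation.

```python
import re
from typing import Dict, List, Set, Tuple
from urllib.parse import urlsplit

# Subset of the defanged indicators published in the article above (the full lists are in
# the IOC section); the events further down are constructed, not real logs.
IOC_TEXT = """\
URLS
hxxp://103[.]149[.]87[.]69/multi
hxxp://103[.]149[.]87[.]69/la.bot.arm7
hxxp://pirati[.]abuser[.]eu/yakuza.x86
hxxp://87[.]10[.]220[.]221/bins.sh
HOSTS
103[.]149[.]87[.]69
ru[.]coziest[.]lol
194[.]110[.]247[.]46
FILES
f71dc58cc969e79cb0fdfe5163fbb9ed4fee5e13cc9407a11d231601ee4c6e23
9b161a32d89f9b19d40cd4c21d436c1daf208b5d159ffe1df7ad5fd1a57610e5
"""

SHA256_RE = re.compile(r"^[0-9a-fA-F]{64}$")


def refang(value: str) -> str:
    """Undo the common defanging conventions (hxxp, [.], [:])."""
    v = value.strip()
    v = re.sub(r"^hxxp(s?)://", r"http\1://", v, flags=re.IGNORECASE)
    return v.replace("[.]", ".").replace("[:]", ":")


def parse_iocs(text: str) -> Dict[str, Set[str]]:
    """Split a defanged IOC dump into refanged URL, host and SHA-256 sets."""
    iocs: Dict[str, Set[str]] = {"urls": set(), "hosts": set(), "sha256": set()}
    for line in text.splitlines():
        item = refang(line)
        if not item:
            continue
        if SHA256_RE.match(item):
            iocs["sha256"].add(item.lower())
        elif item.isalpha() and item.isupper():
            continue  # section header such as URLS / HOSTS / FILES
        elif item.lower().startswith(("http://", "https://")):
            iocs["urls"].add(item)
            iocs["hosts"].add((urlsplit(item).hostname or "").lower())  # a C2 URL implies its host
        else:
            iocs["hosts"].add(item.lower())
    return iocs


Event = Tuple[str, str]  # (kind, value) with kind in {"dns", "http", "sha256"}


def match_events(iocs: Dict[str, Set[str]], events: List[Event]) -> List[Tuple[Event, str]]:
    """Return (event, matched_indicator) pairs for events that hit an indicator."""
    hits = []
    for kind, value in events:
        if kind == "sha256" and value.lower() in iocs["sha256"]:
            hits.append(((kind, value), value.lower()))
        elif kind == "dns":
            name = value.lower().rstrip(".")  # resolvers often log the trailing root dot
            if name in iocs["hosts"]:
                hits.append(((kind, value), name))
        elif kind == "http":
            if value in iocs["urls"]:
                hits.append(((kind, value), value))
            else:
                host = (urlsplit(value).hostname or "").lower()
                if host in iocs["hosts"]:
                    hits.append(((kind, value), host))
    return hits


SAMPLE_EVENTS: List[Event] = [
    ("dns", "ru.coziest.lol."),                    # trailing dot, as some resolvers log it
    ("http", "http://103.149.87.69/multi"),        # exact URL match
    ("http", "http://103.149.87.69/la.bot.mips"),  # URL not in the subset, but the host is
    ("sha256", "9B161A32D89F9B19D40CD4C21D436C1DAF208B5D159FFE1DF7AD5FD1A57610E5"),
    ("dns", "www.example.com"),                    # benign, no hit
]

if __name__ == "__main__":
    for event, indicator in match_events(parse_iocs(IOC_TEXT), SAMPLE_EVENTS):
        print(f"{event[0]:6} {event[1]} -> {indicator}")
```

Note that the article body gives the CAPSAICIN C2 as 192[.]110[.]247[.]46 while the host list gives 194[.]110[.]247[.]46; when loading any published list, keep the refanged values alongside the source text so discrepancies like that can be traced back rather than silently blocked or missed.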