URL: https://www.fortinet.com/blog/threat-research/botnets-continue-exploiting-cve-2023-1389-for-wide-scale-spread

FortiGuard Labs Threat Research


BOTNETS CONTINUE EXPLOITING CVE-2023-1389 FOR WIDE-SCALE SPREAD

By Cara Lin and Vincent Li | April 16, 2024

Affected Platforms: TP-Link Archer AX21 (AX1800) Version 1.1.4 Build 20230219 or prior
Impacted Users: Any organization
Impact: Remote attackers gain control of the vulnerable systems
Severity Level: High


Last year, a command injection vulnerability, CVE-2023-1389, was disclosed and a
fix developed for the web management interface of the TP-Link Archer AX21
(AX1800). FortiGuard Labs has developed an IPS signature to tackle this issue.
Recently, we observed multiple attacks focusing on this year-old vulnerability,
spotlighting botnets like Moobot, Miori, the Golang-based agent “AGoent,” and
the Gafgyt Variant. Peaks caused by these threats are evident in the following
figure. This article will explore their infection traffic patterns and offer
insights into these botnets.






Figure 1: IPS telemetry


INFECTION - CVE-2023-1389

This is an unauthenticated command injection vulnerability in the “locale” API
exposed by the web management interface. A request to this API specifies the form
“country” and a “write” operation, which is handled by the “set_country”
function. That function calls “merge_config_by_country,” which concatenates the
value of the “country” argument into a command string and executes it with
“popen.” Because the “country” field is not emptied before use, an attacker can
achieve command injection.
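The description above gives a defender everything needed to spot exploitation attempts in web-server or proxy logs: a request to the locale endpoint with form “country,” operation “write,” and a “country” value that is not a plain country code. The following Python is an added example written for this page, not code from the post or from Fortinet; the log lines are constructed (common log format), the “/cgi-bin/luci/;stok=/locale” path is assumed for the Archer’s locale API, and the injected values are inert placeholders.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (common log format); not real telemetry.
# The "/cgi-bin/luci/;stok=/locale" path is assumed for the locale API and the
# injected values are inert placeholders.
SAMPLE_LOG = """\
198.51.100.7 - - [16/Apr/2024:10:01:22 +0000] "GET /cgi-bin/luci/;stok=/locale?form=country&operation=write&country=$(PLACEHOLDER) HTTP/1.1" 200 14
198.51.100.8 - - [16/Apr/2024:10:01:40 +0000] "GET /cgi-bin/luci/;stok=/locale?form=country&operation=read HTTP/1.1" 200 120
198.51.100.9 - - [16/Apr/2024:10:02:05 +0000] "GET /cgi-bin/luci/;stok=/locale?form=country&operation=write&country=US HTTP/1.1" 200 14
203.0.113.5 - - [16/Apr/2024:10:03:11 +0000] "GET /cgi-bin/luci/;stok=/locale?form=country&operation=write&country=%60PLACEHOLDER%60 HTTP/1.1" 200 14
203.0.113.6 - - [16/Apr/2024:10:04:00 +0000] "GET /index.html HTTP/1.1" 200 5120
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

# A legitimate value for the "country" form is a short alphanumeric code such
# as "US". Anything else, after percent-decoding, is treated as an injection
# attempt; the second pattern only refines the reason that is reported.
SAFE_COUNTRY = re.compile(r'^[A-Za-z0-9_-]{1,8}$')
SHELL_META = re.compile(r'[$`;|&(){}<>\s\\]')


def injected_country_value(uri):
    """Return the offending 'country' value for a write to the locale API,
    or None if the request does not look like an exploitation attempt."""
    parts = urlsplit(uri)               # urlsplit keeps the ';stok=' segment in the path
    if not parts.path.endswith('/locale'):
        return None
    q = parse_qs(parts.query, keep_blank_values=True)
    if q.get('form') != ['country'] or q.get('operation') != ['write']:
        return None
    for value in q.get('country', []):
        if not SAFE_COUNTRY.match(value):
            return value
    return None


def scan_log(lines):
    """Run the check over access-log lines and collect findings."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        value = injected_country_value(m['uri'])
        if value is None:
            continue
        reason = ('shell metacharacters in country value'
                  if SHELL_META.search(value) else 'unexpected country value')
        findings.append({'src': m['src'], 'ts': m['ts'],
                         'country': value, 'reason': reason})
    return findings


if __name__ == '__main__':
    for hit in scan_log(SAMPLE_LOG.splitlines()):
        print(hit)
```

The read operation and the plain “US” write pass untouched, while the two writes carrying shell syntax are reported with their source address. Run against a real router or reverse-proxy log, the same two fields (form and operation) keep the rule narrow enough that ordinary locale changes do not page anyone.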


Figure 2: Vulnerability Proof-Of-Concept


AGOENT

AGoent is a Golang-based agent bot. It first fetches the script file “exec.sh”
from “hxxp://5[.]10[.]249[.]153,” which retrieves the ELF files of different
Linux-based architectures.


Figure 3: Exploit packet




Figure 4: The script file “exec.sh”

After downloading the ELF files, the script will attempt to execute each file to
find the appropriate architecture and remove each file to erase intrusion
traces. The following analysis will focus on the executed file designed for
the “386” architecture.

There are two primary behaviors. The first is to create the host username and
password using random characters.


Figure 5: Assembly Code for User Creation

After user creation, the malware establishes a connection with the C&C (command
and control) server and passes on the credentials just created by the malware.


Figure 6: Malware Execution




Figure 7: Established C2 session packet




Figure 8: Established C2 session packet with the credential


GAFGYT VARIANT

Gafgyt, also known as BASHLITE, is malware that infects Linux architecture
operating systems to launch a DDoS (distributed denial of service) attack. In
this variant, the bot downloads the script file “bins.sh” from
“hxxp://195[.]62[.]32[.]227” and then executes the script. Gafgyt retrieves
Linux architecture execution files with the prefix filename “rebirth.”


Figure 9: Exploit packet




Figure 10: The script file “bins.sh”

We will next focus on “rebirth.x86.” Gafgyt gets the compromised target IP and
architecture information, which it concatenates into a string that is part of
its initial connection message.


Figure 11: Initial connection message concatenation

After establishing a connection with its C&C server, the malware receives a
continuous "PING" command from the server to ensure persistence on the
compromised target.


Figure 12: C2 server connection

The malware waits for any of the following commands from its C&C server. Each of
them stands for a specified attack or function:

 * “UDP” stands for “UDP Flooding Attack”
 * “XMAS” stands for “XMAS Attack”
 * “VSE” stands for “VSE Attack”
 * “TCP” stands for “TCP Flooding Attack”
 * “HEX” stands for “defining specified string within attack packets”
 * “STOP” stands for “stopping attack”


Figure 13: Hand-coded commands


MOOBOT

Moobot fetches a script file from “hxxp://91[.]92[.]253[.]70.” The primary role
of “1.sh” is to retrieve an ELF file with different architectures for further
infection.


Figure 14: Exploit packet




Figure 15: The script file “1.sh”

The following analysis looks at the execution file designed for the “x86_64”
architecture. Once executed, it removes itself and erases all traces from the
compromised device. It then displays “0x00000e9” in the console and starts
contacting the C2 server “fjsnsinfinsf[.]ngcv[.]top.”


Figure 16: Moobot's C2 session

Based on the XOR key “0xDEADBEEF” used for encoded strings and the hardcoded
string “w5q6he3dbrsgmclkiu4to18npavj702f,” we can confirm this malware as
Moobot. As the assembly indicates, a DDoS attack can be initiated on remote IPs
via a C2 command.


Figure 17: Assembly code for DDoS method


MIRAI VARIANT

Additionally, there is an attack using a variant of Mirai. The exploitation
process begins by downloading “tenda.sh” from “hxxp://94[.]156[.]8[.]244.” This
script file then downloads an ELF execution file from the same IP address,
available in 13 different architectures.


Figure 18: Exploit packet




Figure 19: The script file "tenda.sh"

The original execution file is compressed using UPX.


Figure 20: UPX packed

This Mirai variant displays the message, “faggot got malware'd,” and monitors
processes to terminate those associated with packet analysis tools. It then
sends packets to the C2 server “45[.]155[.]91[.]135:21425” and awaits additional
instructions for attacking.


Figure 21: Packet analysis tool list

Below is an illustration of a DDoS attack scenario: The command and control (C2)
server sends a packet with a length of 0x15, directing the endpoint to initiate
an attack. The command specified is 0x01 for a Valve Source Engine (VSE) flood,
with a duration of 60 seconds (0x3C), targeting a randomly selected victim's IP
address and the port number 30129.
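To turn a capture like the one in the scenario above into something an analyst or IDS can reason about, the C2 message has to be decoded field by field. The Python below is an added example for this page, not code from the post or from FortiGuard Labs. It assumes the variant kept the length-prefixed attack-command layout of the leaked Mirai source (duration, vector id, target list, option list), with vector 0x01 = VSE and option 7 = destination port as defined there; the post does not confirm that layout, and the sample packet is constructed with a placeholder target address.

```python
import socket
import struct

# Attack-vector and option ids as defined in the leaked Mirai source (subset).
# Assumption: this variant kept them; 0x01 = VSE agrees with the post.
ATTACK_VECTORS = {0: 'UDP', 1: 'VSE', 2: 'DNS', 3: 'SYN', 4: 'ACK',
                  5: 'STOMP', 6: 'GREIP', 7: 'GREETH', 9: 'UDPPLAIN', 10: 'HTTP'}
OPTION_NAMES = {0: 'payload_size', 1: 'payload_rand', 2: 'ip_tos', 3: 'ip_ident',
                4: 'ip_ttl', 5: 'ip_df', 6: 'sport', 7: 'dport', 8: 'domain'}


def build_attack_command(duration, vector, targets, options):
    """Encode a command in the assumed layout. Used here only to construct the
    sample packet; a sensor parses, it never sends."""
    body = struct.pack('!IBB', duration, vector, len(targets))
    for ip, prefix_len in targets:
        body += socket.inet_aton(ip) + struct.pack('!B', prefix_len)
    body += struct.pack('!B', len(options))
    for key, value in options:
        body += struct.pack('!BB', key, len(value)) + value
    return struct.pack('!H', len(body)) + body


def parse_attack_command(packet):
    """Decode one length-prefixed C2 message. A zero length is the keepalive."""
    (length,) = struct.unpack_from('!H', packet, 0)
    if length == 0:
        return {'type': 'ping'}
    body = packet[2:2 + length]
    if len(body) != length:
        raise ValueError('truncated command')
    duration, vector, n_targets = struct.unpack_from('!IBB', body, 0)
    off = 6
    targets = []
    for _ in range(n_targets):
        # 4-byte address followed by a 1-byte prefix length
        targets.append((socket.inet_ntoa(body[off:off + 4]), body[off + 4]))
        off += 5
    n_opts = body[off]
    off += 1
    options = {}
    for _ in range(n_opts):
        key, vlen = body[off], body[off + 1]
        off += 2
        name = OPTION_NAMES.get(key, 'opt_%d' % key)
        options[name] = body[off:off + vlen].decode('ascii', 'replace')
        off += vlen
    if off != length:
        raise ValueError('trailing bytes after command')
    return {'type': 'attack',
            'duration': duration,
            'vector': ATTACK_VECTORS.get(vector, 'unknown_%d' % vector),
            'targets': targets,
            'options': options}


# Constructed packet mirroring the scenario in the post: VSE (0x01) for 60 s
# (0x3C) against one target (placeholder address 192.0.2.10) on port 30129.
SAMPLE_PACKET = build_attack_command(60, 1, [('192.0.2.10', 32)], [(7, b'30129')])

if __name__ == '__main__':
    print(SAMPLE_PACKET.hex())
    print(parse_attack_command(SAMPLE_PACKET))
    print(parse_attack_command(b'\x00\x00'))
```

Decoding the sample yields vector VSE, duration 60, one target and dport 30129. With the length prefix included the constructed packet comes to 21 bytes, which is the 0x15 quoted in the post if that figure counts the prefix; the point of the parser is that the duration, vector and port are recovered from the bytes rather than read off a screenshot, so the same code can be pointed at a pcap of a sandboxed sample.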


Figure 22: C2 command packets


MIORI

Miori, another Mirai variant, shares similar modules. The batch script is
fetched from “hxxp://185[.]224[.]128[.]34.” The downloader employs both HTTP and
TFTP protocols to retrieve the ELF files.


Figure 23: Exploit packet




Figure 24: The script file "shk"

Once executed, Miori displays “your device just got infected to a bootnoot” in
the console and sends \x00\x00 to the C2 server “rooty[.]cc” on TCP port 33335.
The XOR key used for decoding configuration is 0xDFEDDEEF, and a hardcoded
password list is included for the brute force attack function.
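Both Moobot (key 0xDEADBEEF, above) and Miori (key 0xDFEDDEEF) keep their configuration strings XOR-encoded, and the hardcoded Moobot string is what lets the post attribute the sample. The Python below is an added example for this page, not code from the post or from FortiGuard Labs. It assumes the variants reuse the string-table obfuscation of the original Mirai source, where every byte is XORed with each of the four key bytes in turn (so the 32-bit key collapses to a single byte); the post does not state that, and the table blob is constructed here from the Moobot string quoted in the post plus one made-up entry.

```python
import re

MOOBOT_KEY = 0xDEADBEEF   # from the post
MIORI_KEY = 0xDFEDDEEF    # from the post


def fold_key(key32):
    """Mirai-style table obfuscation XORs each byte with k1, k2, k3 and k4 in
    turn, which is the same as a single XOR with k1 ^ k2 ^ k3 ^ k4."""
    return (key32 ^ (key32 >> 8) ^ (key32 >> 16) ^ (key32 >> 24)) & 0xFF


def xor_table(data, key32):
    """Toggle the obfuscation on a table entry; the operation is its own inverse."""
    k = fold_key(key32)
    return bytes(b ^ k for b in data)


def recover_strings(blob, key32, min_len=4):
    """Decode a dumped table region and return the printable runs found in it.
    Trying each known key and looking for a readable result is the usual way to
    tell which family a stripped sample belongs to."""
    decoded = xor_table(blob, key32)
    pattern = rb'[\x20-\x7e]{%d,}' % min_len
    return [m.group(0) for m in re.finditer(pattern, decoded)]


# Constructed stand-in for a dumped table: two NUL-separated strings obfuscated
# with the Moobot key. The first is the hardcoded Moobot string from the post,
# the second is a made-up entry.
SAMPLE_PLAIN = b'w5q6he3dbrsgmclkiu4to18npavj702f\x00/proc/\x00'
SAMPLE_BLOB = xor_table(SAMPLE_PLAIN, MOOBOT_KEY)

if __name__ == '__main__':
    for name, key in (('Moobot', MOOBOT_KEY), ('Miori', MIORI_KEY)):
        print('%s key 0x%08X folds to 0x%02X -> %r'
              % (name, key, fold_key(key), recover_strings(SAMPLE_BLOB, key)))
```

With the Moobot key the blob decodes to the two plaintext entries; with the Miori key it decodes to printable garbage, which is the expected negative result when triaging an unknown sample against a list of family keys. The folding step is the practical detail: an analyst who sees 0xDEADBEEF in the binary and XORs the data with 0x22 gets the same answer.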


Figure 25: Hard-coded username/password list

The attacking command packet resembles those seen in previous Mirai variants.


Figure 26: C2 command packets


CONDI

Condi’s downloader script was retrieved using multiple protocols to enhance the
infection rate.


Figure 27: Exploit packet




Figure 28: The script file "jack5tr.sh"

Condi is executed with the parameter “work,” which is included in the first
packet sent to the C2 server “bn[.]networkbn[.]click.” The command remains
consistent with the version distributed last year, retaining the function to
prevent reboots by deleting binaries responsible for shutting down or rebooting
the system.


Figure 29: C2 session

It also scans active processes and cross-references with predefined strings to
terminate processes with matching names.


Figure 30: Check process

Based on its selling page, Condi has updated its attacking methods, as shown
below.


Figure 31: Condi’s attacking methods


CONCLUSION

As usual, botnets relentlessly target IoT vulnerabilities, continuously
attempting to exploit them. Despite the discovery and provided remediation for
the vulnerability CVE-2023-1389 last year, numerous campaigns still exploit it,
resulting in significant peaks in our IPS telemetry. Users should be vigilant
against DDoS botnets and promptly apply patches to safeguard their network
environments from infection, preventing them from becoming bots for malicious
threat actors.


FORTINET PROTECTIONS

The malware described in this report is detected and blocked by FortiGuard
Antivirus as:

BASH/Mirai.AEH!tr.dldr
ELF/Mirai.A!tr
ELF/Mirai.BSC!tr
ELF/Mirai.CDB!tr
ELF/Mirai.GG!tr
ELF/Mirai.L!tr
ELF/Moobot.A!tr
Linux/Mirai.BSC!tr
Linux/Mirai.CEA!tr
Linux/Mirai.CJS!tr
Linux/Mirai.F!tr
Linux/Mirai.IZ1H9!tr
ELF/Mirai.AGIT!tr
ELF/Gafgyt.BJ!tr
ELF/Gafgyt.VE!tr
ELF/Gafgyt.WN!tr.bdr
Linux/Gafgyt.ARN!tr
Linux/Agent.AAO!tr


FortiGate, FortiMail, FortiClient, and FortiEDR support the FortiGuard AntiVirus
service. The FortiGuard AntiVirus engine is part of each of these solutions. As
a result, customers who have these products with up-to-date protections are
protected.

The FortiGuard Web Filtering Service blocks the C2 servers and download URLs.

FortiGuard Labs provides IPS signatures against attacks exploiting the following
vulnerability:

    CVE-2023-1389: TP-Link.Archer.AX21.Unauthenticated.Command.Injection

We also suggest that organizations go through Fortinet’s free cybersecurity
training module: Fortinet Certified Fundamentals. This module is designed to
help end users learn how to identify and protect themselves from phishing
attacks.

The FortiGuard IP Reputation and Anti-Botnet Security Service proactively blocks
these attacks by aggregating malicious source IP data from the Fortinet
distributed network of threat sensors, CERTs, MITRE, cooperative competitors,
and other global sources that collaborate to provide up-to-date threat
intelligence about hostile sources.

If you believe this or any other cybersecurity threat has impacted your
organization, please contact our Global FortiGuard Incident Response Team.


IOCS


C2

fjsnsinfinsf[.]ngcv[.]top
45[.]155[.]91[.]135
rooty[.]cc
bn[.]networkbn[.]click
5[.]10[.]249[.]153
195[.]62[.]32[.]227


URLS

hxxp://91[.]92[.]253[.]70
hxxp://94[.]156[.]8[.]244
hxxp://103[.]188[.]244[.]189
hxxp://185[.]224[.]128[.]34
hxxp://5[.]10[.]249[.]153
hxxp://195[.]62[.]32[.]227


FILES

