The Mirai malware botnet variant known as ‘MooBot’ has re-emerged in a new attack wave that started early last month, targeting vulnerable D-Link routers with a mix of old and new exploits. MooBot was discovered by analysts at Fortinet in December 2021, targeting a flaw in Hikvision cameras to spread quickly and enlist many devices into its DDoS (distributed denial of service) army. Today, the malware has refreshed its targeting scope, which is typical for botnets looking for untapped pools of vulnerable devices they can ensnare. According to a report compiled by Palo Alto Network’s Unit 42 researchers, MooBot is now targeting the following critical vulnerabilities in D-Link devices:
- CVE-2015-2051: D-Link HNAP SOAPAction Header Command Execution Vulnerability
- CVE-2018-6530: D-Link SOAP Interface Remote Code Execution Vulnerability
- CVE-2022-26258: D-Link Remote Command Execution Vulnerability
- CVE-2022-28958: D-Link Remote Command Execution Vulnerability
The vendor has released security updates to address these flaws, but not all users have applied the patches yet, especially the last two, which became known in March and May this year. MooBot’s operators leverage the low-attack complexity of the flaws to gain remote code execution on the targets and fetch the malware binary using arbitrary commands. After the malware decodes the hardcoded address from the configuration, the newly captured routers are registered on the threat actor’s C2. Eventually, the captured routers participate in directed DDoS attacks against various targets; typically, the threat actors sell DDoS services to anyone interested in causing downtimes or disruption to sites and online services.