Mirai botnet resurfaces with MooBot variant to target D-Link devices

Palo Alto Networks’ Unit 42 researchers have reported the emergence of a new Mirai botnet variant dubbed MooBot. This variant is looking for unpatched D-Link devices to create its army of DDoS (distributed denial of service) bots. For compromising vulnerable D-Link routers, MooBot uses multiple exploits

Re-Emergence of Notorious MooBot

The MooBot botnet was first discovered by Qihoo 360’s Netlab in Sep 2019, whereas the most recent wave of attacks involving MooBot, before the one detected by Palo Alto, was discovered by Fortinet analysts in Dec 2021. Researchers identified that MooBot targeted a flaw in Hikvision cameras and enlisted a large number of devices into its DDoS army.

In early August, Unit 42 researchers discovered a new attack wave. This time, MooBot’s targets were unpatched D-Link routers, which it compromised using old and new exploits.

Exploited Vulnerabilities

The botnet is exploiting four different vulnerabilities in D-Link devices, including the following:

• CVE-2022-26258 (CVSS score: 9.8) – D-Link Remote Command Execution Vulnerability
• CVE-2022-28958 (CVSS score: 9.8) – D-Link Remote Command Execution Vulnerability
• CVE-2015-2051 (CVSS score: 10.0) – D-Link HNAP SOAPAction Header Command Execution Vulnerability
• CVE-2018-6530 (CVSS score: 9.8) – D-Link SOAP Interface Remote Code Execution Vulnerability

Source: Palo Alto Networks

Previously it targeted LILIN digital video recorders apart from Hikvision video surveillance devices.

What Happens If Devices are Compromised?

According to Unit 42 researchers, an attacker can gain full control of the compromised devices. They can use them to perform various attacks, including remote code execution and retrieving MooBot payload from a remote host to parse instructions from a C2 server and launch DDoS attacks. It can also target specific port numbers and IP addresses for DDoS.

Campaign overview (Palo Alto Networks)

D-Link has released security updates to address the flaws. However, there are still countless unpatched devices. Many are yet to be patched for the last two vulnerabilities (CVE-2022-26258, CVE-2022-28958) discovered in March and May 2022.

The low-attack complexity of the vulnerabilities lets the attacker gain remote code execution, and using arbitrary commands they can easily get malware binary. It is worth noting that the C2 address used in the current attack wave is different from the wave identified by Fortinet.

It is necessary to apply patches as soon as possible and keep your device updated to prevent the MooBot threat.

1. Hackers behind Mirai botnet & DYN DDoS attacks plead guilty
2. Reaper malware outshines Mirai; hits millions of IoT devices worldwide
3. Tiny Mantis Botnet Can Launch More Powerful DDoS Attacks Than Mirai
4. Persirai malware in action: IP cameras all across the world compromised
5. Mirai Variant ‘OMG’ Turns IoT Devices into Proxy Servers for Cryptomining