New DDoS Botnet ‘Condi’ Targets Vulnerable TP-Link AX21 Routers

Condi is the second DDoS botnet to exploit CVE-2023-1389, with the Mirai botnet targeting it in April 2023.

FortiGuard Labs researchers have discovered new samples of a DDoS-as-a-service botnet called Condi and shared its capabilities in their latest report published on June 20, 2023. Fortinet researchers wrote that since May 2023, their monitoring systems have collected many Condi samples, indicating that botnet operators are trying to expand their reach.

How is Condi Distributed?

According to their research, Condi is distributed by exploiting TP-Link Archer AX21 (AX1800) Wi-Fi 6 routers that are vulnerable to CVE-2023-1389, which was discovered by ZDI. This is the second DDoS botnet to exploit this flaw, with the Mirai botnet having targeted it in April 2023. The AX1800 is a Linux-based dual-band router that features 1.8 GBPS bandwidth.

Unlike other botnets that are distributed via brute-force attacks, Condi features a module for checking vulnerable AX21 routers. If it finds one, it executes a shell script obtained from a remote server to deliver the malware. It specifically searches for routers that are vulnerable to CVE-2023-1389.

Condi Capabilities

Condi is a smart botnet that kills all the processes of its competitor botnets.

/bin/busybox

/bin/systemd

/usr/bin

test

/tmp/condi

/tmp/zxcr9999

/tmp/condinetwork

/var/condibot

/var/zxcr9999

/var/CondiBot

/var/condinet

/bin/watchdog

Furthermore, Condi prevents its older versions from carrying out any activities. However, this implementation is flawed because the Name field only contains the executable names of the processes instead of their full paths.

Additionally, Condi terminates all processes with binary filenames that contain extensions commonly used by other botnets, including:

x86

x86_64

arm

arm5

arm6

arm7

mips

mipsel

sh4

PPC

However, it lacks persistence and cannot survive if the system is rebooted. To address this issue, the malware deletes several binaries used for rebooting or shutting down the device. These binaries include:

/usr/sbin/reboot

/usr/bin/reboot

/usr/sbin/shutdown

/usr/bin/shutdown

/usr/sbin/poweroff

/usr/bin/poweroff

/usr/sbin/halt

/usr/bin/halt

Condi has demonstrated aggressive monetization techniques and is capable of trapping devices to create a powerful DDoS botnet, which cybercriminals can rent to launch TCP and UDP flood attacks on websites.

Vulnerability Details

For your information, CVE-2023-1389 (CVSS score of 8.8) is a high-severity unauthenticated command injection and remote code execution vulnerability that was discovered in the router’s web management interface API in mid-March of last year. ZDI reported this flaw to the vendor in January 2023, after which TP-Link released a security update in March 2023, in version 1.1.4 Build 20230219.

Who is Operating Condi?

According to security researchers Joie Salvio and Roy Tay from FortiGuard Labs, this botnet is operated by a threat actor who goes by the alias zxcr9999 on Telegram. The actor has a Telegram channel called Condi Network, which was started in May 2022 primarily to promote their service and even sell malware source code.

On the left, the threat actor is listing the features of the Condi botnet. On the right is the Condi DDoS botnet’s store. (Screenshots provided by FortiGuard Labs.)

“The threat actor has been monetizing its botnet by providing DDoS-as-a-service and selling the malware source code,” researchers wrote in a blog post.

Researchers identified numerous Condi samples that exploit other known security flaws, putting unpatched software at a higher risk of exploitation by botnet malware. Therefore, updating your software after a patch is released is essential.

1. Verizon FiOS Router and Security Issues
2. How To Keep Your Router And WiFi Safe From Hackers
3. Mirai botnet resurfaces with MooBot, hits D-Link devices
4. NETGEAR Router Flaw Allowed Access to Restricted Services
5. Hackers exploit routers to drop malicious “WHO” COVID-19 app