Analysis Summary

Researchers are alerting users to an increase in malicious behavior that involves enlisting susceptible D-Link routers in two distinct botnets: CAPSAICIN, a Kaiten (also known as Tsunami) variation, and FICORA, a Mirai variant. Known D-Link flaws that enable remote attackers to carry out malicious commands via a GetDeviceSettings operation on the HNAP (Home Network Administration Protocol) interface are commonly used to propagate these botnets.

The researchers said, “This HNAP weakness was first exposed almost a decade ago, with numerous devices affected by a variety of CVE numbers, including CVE-2015-2051, CVE-2019-10891, CVE-2022-37056, and CVE-2024-33112.”

Attacks using FICORA have targeted countries all across the world, while those using CAPSAICIN have mostly targeted East Asian countries such as Japan and Taiwan. Additionally, it is claimed that the intense activity of CAPSAICIN was only present from October 21 to October 22, 2024. A downloader shell script ("multi") is deployed from a remote server ("103.149.87[.]69") as a result of FICORA botnet attacks. It then uses the wget, ftpget, curl, and tftp commands to download the main payload for each Linux architecture in turn.

A brute-force attack feature with a hard-coded list of users and passwords is included in the botnet malware. Additionally, the Mirai derivative can launch distributed denial-of-service (DDoS) attacks through the use of DNS, TCP, and UDP protocols. To ensure maximum compatibility, the CAPSAICIN downloader script ("bins.sh") uses a different IP address ("87.10.220[.]221") and employs the same method to retrieve the botnet for different Linux architectures. To make sure it is the only botnet running on the victim's computer, the malware eliminates known botnet processes.

'CAPSAICIN' creates a socket connection with its C2 server, '192.110.247[.]46,' and transmits the malware's nickname and the operating system details of the target host back to the C2 server. After that, CAPSAICIN watches for other commands to be run on the compromised devices, such as "PRIVMSG," which can be used to carry out several harmful tasks. Even though the flaws used in this attack were discovered and fixed about ten years ago, these attacks have continued to occur all around the world. Every business must keep thorough monitoring and update the kernel of its devices regularly.

Impact

• Command Execution
• Denial of Service
• Information Theft

Indicators of Compromise

Domain Name

• ru.coziest.lol
• f.codingdrunk.cc
• pirati.abuser.eu

IP

• 103.149.87.69
• 87.10.220.221
• 45.86.86.60
• 194.110.247.46

MD5

• cb9f5c8892bffc28f6c12f11d60f5c92
• d38e8407bbc72cbd2057efdd3d8b7a05
• 42d36ae2eaf7090322d2638f5fb36a82
• c32d2eeefe154695a7a71f1562cc16a2
• 0f29b7fa7dd66707be2dfcc16c84263f
• fae498f37a29257beb94d55497c19e80
• 61e7d18a4efdd3273fe436a0d66da732
• b09601461725ffb5ed51390172eb4b53

SHA-256

• f71dc58cc969e79cb0fdfe5163fbb9ed4fee5e13cc9407a11d231601ee4c6e23
• ea83411bd7b6e5a7364f7b8b9018f0f17f7084aeb58a47736dd80c99cfeac7f1
• 48a04c7c33a787ef72f1a61aec9fad87d6bd9c49542f52af7e029ac83475f45d
• 18c92006951f93a77df14eca6430f32389080838d97c9e47364bf82f6c21a907
• 9b161a32d89f9b19d40cd4c21d436c1daf208b5d159ffe1df7ad5fd1a57610e5
• ec508df7cb142a639b0c33f710d5e49c29a5a578521b6306bee28012aadde4a8
• 8349ba17f028b6a17aaa09cd17f1107409611a0734e06e6047ccc33e8ff669b0
• 1ca1d5a53c4379c3015c74af2b18c1d9285ac1a48d515f9b7827e4f900a61bde

SHA1

• 1d6547bdc771958738e13f3288606184c94ee700
• 89e1ebb28cea58b8f9eb728383f8cb565d58518e
• cf88f0f596ad5357c5643cf7c5680ac8ec64d9cd
• 8730a44aa8527b9d27339b4e0366bcabca2c9cce
• 6d91d09eee5df1a4f2ee44a6d080f73daa437110
• 0437702a162d05a220eb12b3f928e6b19156ffae
• 7ddba93d88aa948c675a1cfa48ddd23ca651f80d
• 7611af4df21d38d4aee5c5f2379a5ccf3adf3768

URL

• http://103.149.87.69/multi
• http://103.149.87.69/la.bot.arc
• http://103.149.87.69/la.bot.arm
• http://103.149.87.69/la.bot.arm5
• http://103.149.87.69/la.bot.arm6
• http://103.149.87.69/la.bot.arm7
• http://103.149.87.69/la.bot.m68k
• http://103.149.87.69/la.bot.mips
• http://103.149.87.69/la.bot.mipsel
• http://103.149.87.69/la.bot.powerpc
• http://103.149.87.69/la.bot.sh4
• http://103.149.87.69/la.bot.sparc
• http://pirati.abuser.eu/yakuza.yak.sh
• http://pirati.abuser.eu/yakuza.x86
• http://87.10.220.221/bins.sh
• http://87.10.220.221/yakuza.x86

Remediation

• Block all threat indicators at your respective controls.
• Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
• Regularly update firmware on all network devices, especially those identified as vulnerable.
• Implement strict access controls to limit the exposure of network device interfaces on the internet.
• Use advanced DDoS mitigation services and solutions that can handle high packet and bit rate attacks.
• Conduct frequent security audits and vulnerability assessments on network infrastructure.
• Employ network segmentation to isolate critical infrastructure and reduce the attack surface.
• Increase monitoring and detection capabilities to quickly identify and respond to unusual traffic patterns.
• Collaborate with device manufacturers to address and patch security vulnerabilities promptly.
• Educate and inform users and administrators about the importance of timely updates and secure configurations.
• Implement robust firewall and intrusion prevention systems to filter malicious traffic.
• Develop and maintain an incident response plan to handle DDoS attacks effectively and minimize downtime.