
A new malware called Condi has been observed exploiting a security vulnerability in the TP-Link Archer AX21 (AX1800) Wi-Fi router to join the device to a distributed denial of service (DDoS) botnet.
The campaign has been in full swing since the end of May 2023, according to Fortinet FortiGuard Labs. Condi is the work of a threat actor who goes by the alias zxcr9999 on Telegram and operates a Telegram channel called Condi Network to promote his wares.
“The Telegram channel was launched in May 2022, with the attackers offering DDoS-as-a-service and monetizing the botnet by selling the malware source code,” said security researchers Joie Salvio and Roy Tay.
Analysis of the malware artifact revealed its ability to terminate other competing botnets on the same host. However, it lacks a persistence mechanism, so the program cannot survive a system reboot.

To work around this limitation, the malware deletes several binaries used to shut down or reboot the system:
- /usr/sbin/restart
- /usr/bin/restart
- /usr/sbin/shutdown
- /usr/bin/shutdown
- /usr/sbin/poweroff
- /usr/bin/poweroff
- /usr/sbin/stop
- /usr/bin/stop
Unlike some botnets that propagate through brute-force attacks, Condi uses a scanner module that checks for vulnerable TP-Link Archer AX21 devices and, if any are found, runs a shell script retrieved from a remote server to drop the malware.
Specifically, the scanner identifies routers susceptible to CVE-2023-1389 (CVSS score: 8.8), a command injection bug previously exploited by the Mirai botnet.

Fortinet says it has found other Condi samples that exploit several known security flaws to propagate, suggesting that unpatched software is at risk of being targeted by botnet malware.
Aggressive monetization strategies aside, Condi aims to ensnare devices to build a powerful DDoS botnet that can be rented by other attackers to coordinate TCP and UDP flood attacks against websites and services.
“Malware campaigns, especially botnets, are always looking for ways to spread,” the researchers said. “Exploiting recently discovered (or publicly disclosed) vulnerabilities has always been one of their favorite techniques.”
This development comes as the AhnLab Security Emergency Response Center (ASEC) revealed that poorly managed Linux servers are being compromised to deliver DDoS bots such as ShellBot and Tsunami (aka Kaiten), as well as to covertly exploit their resources for cryptocurrency mining.
“Tsunami’s source code is publicly available and therefore used by a large number of threat actors,” ASEC said. “Among various uses, it is primarily used for attacks against IoT devices. Of course, it is also consistently used to target Linux servers.”
In this attack chain, a malicious shell script is run that compromises servers using dictionary attacks, downloads the next stage of the malware, and maintains persistent backdoor access by adding public keys to the .ssh/authorized_keys file.
The Tsunami botnet malware used in the attack is a new variant called Ziggy that has significant overlap with the original source code. Additionally, it employs Internet Relay Chat (IRC) for command and control (C2).
The intrusions also use a series of auxiliary tools that escalate privileges and modify or clear log files to obscure the trail and hinder analysis.
“Administrators should use hard-to-guess passwords for accounts, change them regularly to protect Linux servers from brute force and dictionary attacks, and update to the latest patches to prevent vulnerability attacks,” ASEC said.
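As an added defensive check (not Fortinet's or ASEC's tooling), the following Python script audits a host for the two indicators the article describes: the shutdown/reboot binaries Condi deletes (listed above) and unknown public keys appended to .ssh/authorized_keys by the Tsunami chain. The set of existing paths and the file contents are passed in rather than read from the host, and the sample authorized_keys lines and their base64 "key blobs" are constructed, not real keys.

```python
import base64
import hashlib

# The eight binaries the article says Condi deletes so the router cannot reboot.
CONDI_DELETED_BINARIES = [
    "/usr/sbin/restart", "/usr/bin/restart", "/usr/sbin/shutdown", "/usr/bin/shutdown",
    "/usr/sbin/poweroff", "/usr/bin/poweroff", "/usr/sbin/stop", "/usr/bin/stop",
]
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")

def missing_shutdown_binaries(present_paths):
    """Return the Condi-targeted binaries absent from `present_paths`, the set of paths
    that exist on the host (build it with os.path.exists; injected so the check runs on
    constructed data). Not every firmware ships all eight, so weigh how many are gone."""
    return [p for p in CONDI_DELETED_BINARIES if p not in present_paths]

def parse_authorized_key(line):
    """Return (fingerprint, comment) for an authorized_keys line, else (None, "").
    Lines are `[options] keytype base64-blob [comment]`; the key type is found by
    prefix so option fields are skipped. The fingerprint is OpenSSH's SHA256 form:
    base64(sha256(decoded blob)) with the '=' padding stripped."""
    tokens = line.split()
    for i, tok in enumerate(tokens):
        if tok.startswith(KEY_TYPE_PREFIXES) and i + 1 < len(tokens):
            try:
                blob = base64.b64decode(tokens[i + 1], validate=True)
            except ValueError:  # binascii.Error subclasses ValueError
                return None, ""
            fp = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
            return "SHA256:" + fp, " ".join(tokens[i + 2:])
    return None, ""

def unknown_authorized_keys(content, allowed_fingerprints):
    """List (line_no, fingerprint, comment) for every key not in the allow-list.
    Unparseable lines are reported with fingerprint None, never silently skipped."""
    findings = []
    for no, raw in enumerate(content.splitlines(), 1):
        line = raw.strip()
        if line and not line.startswith("#"):
            fp, comment = parse_authorized_key(line)
            if fp is None or fp not in allowed_fingerprints:
                findings.append((no, fp, comment))
    return findings

# Constructed sample file; the base64 "blobs" are NOT real keys (just foo/bar/baz).
KNOWN_ADMIN = "ssh-ed25519 Zm9v admin@ws"
KNOWN_BACKUP = 'no-pty,command="/usr/bin/rsync" ssh-rsa YmFy backup@host'
INTRUDER = "ssh-rsa YmF6 unknown@unknown"
SAMPLE_AUTHORIZED_KEYS = "\n".join(["# constructed sample", KNOWN_ADMIN, KNOWN_BACKUP, INTRUDER]) + "\n"
```

On a real host, build `present_paths` with `os.path.exists` over `CONDI_DELETED_BINARIES`, read each user's authorized_keys file, and keep the allow-list as SHA256 fingerprints taken from a known-good baseline so an appended key shows up as a finding.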