D-Link routers exploited by two malware botnet variants

January 8, 2025

D-Link routers that have already reached end-of-life status are the targets of the ongoing Ficora and Capsaicin malware botnet operations.

The confirmed list of targeted D-Link devices, which individuals and organisations still use, comprises the DIR-645, DIR-806, GO-RT-AC750, and DIR-845L. Moreover, the operators of both malware strains exploit the same set of vulnerabilities for initial access.

Reports revealed that, to compromise a flawed device, the attackers leverage a bug in D-Link’s management interface (HNAP) and execute malicious commands through a GetDeviceSettings action.

In addition, both botnets can steal data and execute shell scripts, and their operators appear to compromise devices for distributed denial-of-service (DDoS) purposes.

Ficora and Capsaicin have distinct tactics for exploiting D-Link routers.

The Ficora malware is the latest Mirai variant adapted specifically to exploit known flaws in D-Link routers. The researchers noticed that the botnet targets devices at random, with two notable surges in its activity during October and November last year.

After gaining initial access to a D-Link device, this botnet uses a shell script named ‘multi’ to download and run its payload through multiple methods. The payload includes a built-in brute-force component with hard-coded credentials to infect additional Linux-based devices, and it supports various hardware architectures.

For its DDoS capabilities, it supports UDP flooding, TCP flooding, and DNS amplification to maximise the power of its attacks.

On the other hand, Capsaicin is a Kaiten botnet variant believed to have been developed by the Keksec group. The researchers observed it only in a wave of cyberattacks targeting East Asian countries from October last year to the present.

The infection process for this botnet starts with a downloader script, which retrieves binaries carrying the prefix ‘yakuza’ for different architectures, such as arm, mips, sparc, and x86. The malware also scans the host for other active botnet payloads and disables them.

Besides DDoS capabilities similar to Ficora’s, Capsaicin can harvest information from a compromised host and exfiltrate it to an attacker-controlled command-and-control (C2) server for tracking.

One way to mitigate or prevent botnet malware infections on routers and IoT devices is to ensure they run the latest firmware version. However, if a device has reached end-of-life (EoL) and no longer receives security updates, it should be replaced with a supported model to avoid further exploitation.
