Since the start of 2023, numerous cybercriminal groups have been exploiting critical vulnerabilities in Cacti and the Realtek Jungle SDK on exposed Windows and Linux services. In several of these operations, the threat actors infected victims with the ShellBot and Moobot botnet malware.
The matching attack strategies seen in the two sets of incidents point to a single group of attackers behind both campaigns.
The threat actors exploited the Cacti vulnerabilities to deploy the ShellBot and Moobot strains and infect their targets.
According to investigations, the threat actors have primarily used the Cacti vulnerabilities to deploy three ShellBot variants: LiGhT's Modded perlbot v2, B0tchZ 0.2a, and PowerBots (C) GohacK.
The first variant establishes communication with its command-and-control (C2) servers and waits for further commands from its operators before carrying out any malicious activity.
The second variant supports a larger command set and a range of flooding attacks; it also bundles an exploit-enhancement tool and additional hacking features. This variant became active last month and has already claimed hundreds of victims.
The third variant, by contrast, contains only a configuration with a handful of commands for carrying out criminal activity and targeting exposed Cacti servers.
Moobot is a Mirai variant that can exploit an arbitrary command injection vulnerability in the Realtek Jungle SDK and a command injection vulnerability in Cacti.
Once attackers gain control of a vulnerable system, they download a script containing the malware configuration and establish a connection to the C2 server. Moobot then keeps in contact with the C2 server through heartbeat messages, which can eventually trigger the start of an attack.
The current Moobot version also scans for competing bots on the host and kills their processes, reserving the infected machine's hardware resources for its own DDoS attacks.
Besides Moobot and ShellBot, several other threat groups have exploited the same flaws to build malware botnets. Threat actors have been able to target organisations freely because many continue to run exposed, unpatched devices.
Cybersecurity experts advise everyone to update their Cacti and Realtek systems to the latest versions.
