MooBot Botnet attacks D-Link routers

Experts have discovered that the MooBot botnet, based on the Mirai IoT malware, attacks vulnerable D-Link routers using a combination of old and new exploits.

Let me remind you that we also wrote that the ZuoRAT Trojan hacks Asus, Cisco, DrayTek and NETGEAR routers, and that information security specialists disclosed details of five vulnerabilities in D-Link routers.

Information security specialists have not written about MooBot activity for a long time: the last study dates from last December, when MooBot took advantage of the CVE-2021-36260 vulnerability in Hikvision cameras, infecting those devices and using them for DDoS attacks.

It turned out that MooBot recently changed its "area of business", which is typical of botnets that are constantly looking for new pools of vulnerable devices that they can take over. Thus, according to a recent report by Palo Alto Networks, the malware currently targets the following critical vulnerabilities in D-Link devices:

  1. CVE-2015-2051: command execution issue in D-Link HNAP SOAPAction;
  2. CVE-2018-6530: RCE in the D-Link SOAP interface;
  3. CVE-2022-26258: remote command execution on D-Link devices;
  4. CVE-2022-28958: remote command execution on D-Link devices.

It should be noted that the manufacturer released patches to address these issues a long time ago, since two of the vulnerabilities were discovered back in 2015 and 2018. However, not all users have applied these patches yet, especially the last two, which were released in March and May of this year.

The malware operators exploit these vulnerabilities to execute code remotely on vulnerable devices and use arbitrary commands to launch a malicious binary.

The captured routers are then used to conduct DDoS attacks against various targets, depending on what the MooBot operators want to achieve. Typically, attackers rent out the power of their botnet to other criminals, so a variety of sites and services suffer from MooBot attacks.

Interestingly, the C&C addresses provided in the Palo Alto Networks report are different from those in the Fortinet report from December, indicating an update to the hackers' infrastructure.

Experts write that users of compromised D-Link devices may notice a drop in Internet speed, hangs, overheating of the router or changes in the DNS configuration. The best way to protect against MooBot is to apply all available firmware updates.