A Mirai-based botnet known as ‘Moobot’ is increasing by exploiting a severe command injection vulnerability in several Hikvision devices’ webserver. Hikvision is a Chinese state-owned surveillance camera and equipment firm that the US government has sanctioned owing to human rights violations.
The CVE-2021-36260 vulnerability can be exploited remotely by delivering specially crafted messages containing harmful instructions. Hikvision patched the problem with a firmware update (v 210628) in September 2021, although not all users were quick to upgrade. According to Fortinet, Moobot uses this issue to infect unpatched devices and steal sensitive data from victims.
Because the weakness does not need authentication and may be triggered by sending a message to a publicly disclosed susceptible device, exploiting it is pretty straightforward. Fortinet discovered a downloader masquerading as “macHelper” that collects and runs Moobot with the “hikivision” option among the many payloads that use CVE-2021-36260. Basic instructions like “reboot” are also tampered with by the virus, making them unusable and preventing the administrator from resetting the infected system.
According to Fortinet’s analysts, the data string employed in the random alphanumeric string generator function is a common point between Moobot and Mirai. Moobot also contains parts from Satori, a Mirai version whose creator was apprehended and punished in the summer of 2020.
“Based on our analysis, the malware (SHA256: 38414BB5850A7076F4B33BF81BAC9DB0376A4DF188355FAC39D80193D7C7F557) downloaded in the previous stage is Moobot, which is Mirai-based. Its most obvious feature is that it contains the data string “w5q6he3dbrsgmclkiu4to18npavj702f”, which is used in the “rand_alphastr” function. It is used to create random alphanumeric strings with different purposes, such as for a setup process name or to generate data for attacking,” Fortinet wrote.
Similarities with Satori include:
- Using a separate downloader
- The forking of the “/usr/sbin*” process
- Overwriting the legitimate “macHelper” file with the Moobot executable
It’s vital to note that this isn’t the first time Moobot has been detected in the wild; Unit 42 researchers initially discovered it in February 2021. The botnet’s continued addition of new CVEs, on the other hand, implies that it is still being actively expanded and enhanced with additional targeting possibilities.