Keypoints
- Attack vector: an unauthenticated command injection in the TP-Link Archer AX21 locale API (CVE-2023-1389) allows remote command execution via the set_country pathway.
- Common infection chain: post-exploit download of a small shell script (examples: exec.sh, bins.sh, 1.sh, tenda.sh) that pulls ELF binaries for multiple CPU architectures, executes the matching binary, and removes traces.
- Multiple bot families observed exploiting the flaw: AGoent (Golang agent), Gafgyt variant, Moobot, Mirai variants (including Miori), Condi — each with distinct C2s, keys, or behaviors but similar delivery mechanics.
- Post-infection behaviors include creating local user accounts with random credentials (AGoent), exfiltrating those credentials to C2, and beaconing/persistent C2 communication to receive DDoS commands.
- Bot-specific capabilities: Gafgyt implements a command set for UDP/TCP/VSE/XMAS floods; Moobot uses XOR-encoded strings and can launch DDoS; Mirai variants disable analysis tools and use UPX-packed ELF payloads.
- Observed IOCs include multiple C2 domains/IPs (e.g., fjsnsinfinsf[.]ngcv[.]top, 45[.]155[.]91[.]135), downloader URLs (e.g., hxxp://91[.]92[.]253[.]70), script/executable filenames, and many ELF file hashes.
MITRE Techniques
- [T1190] Exploit Public-Facing Application – Used to gain initial access via an unauthenticated command injection in the router web API (‘…unauthenticated command injection vulnerability in the “locale” API available via the web management interface…’)
- [T1059] Command and Scripting Interpreter – Downloader scripts (exec.sh, bins.sh, 1.sh, tenda.sh) are fetched and executed to retrieve and run ELF payloads (‘AGoent first fetches the script file “exec.sh” from “hxxp://5[.]10[.]249[.]153,” which retrieves the ELF files…’)
- [T1105] Ingress Tool Transfer – ELF binaries for multiple architectures are transferred over HTTP/TFTP and executed on the device (‘retrieves the ELF files of different Linux-based architectures’ and ‘downloader employs both HTTP and TFTP protocols’)
- [T1070.004] Indicator Removal on Host: File Deletion – Installers remove downloaded files and erase traces after execution (‘the script will attempt to execute each file to find the appropriate architecture and remove each file to erase intrusion traces’)
- [T1136] Create Account – Malware creates local host usernames and passwords using random characters to enable persistence or access (‘create the host username and password using random characters’)
- [T1041] Exfiltration Over C2 Channel – Credentials generated on the device are sent to the command-and-control server (‘establishes a connection with the C&C … and passes on the credentials just created by the malware’)
- [T1071] Application Layer Protocol – C2 communication and beaconing use HTTP/TCP (and TFTP for transfer), including periodic keepalive/PING messages (‘the malware receives a continuous “PING” command from the server to ensure persistence’)
- [T1562.001] Impair Defenses: Disable or Modify Tools – Malware scans for and terminates processes related to packet analysis and defensive tooling to hinder detection (‘monitors processes to terminate those associated with packet analysis tools’)
- [T1498] Network Denial of Service – Compromised devices are instructed to perform volumetric and protocol-based flooding (UDP, TCP, VSE, XMAS) under C2 commands (‘“UDP” stands for “UDP Flooding Attack”; “TCP” stands for “TCP Flooding Attack”’)
Indicators of Compromise
- [C2] Command-and-control servers observed – fjsnsinfinsf[.]ngcv[.]top, rooty[.]cc, and 4 more items (e.g., 45[.]155[.]91[.]135, bn[.]networkbn[.]click)
- [URLs] Downloader and hosting URLs used to fetch scripts/ELFs – hxxp://91[.]92[.]253[.]70, hxxp://5[.]10[.]249[.]153, and other URLs (e.g., hxxp://94[.]156[.]8[.]244, hxxp://195[.]62[.]32[.]227)
- [File names] Script and binary names observed in infection chains – exec.sh, bins.sh, 1.sh, tenda.sh, rebirth.x86 (used to select architecture-specific payloads)
- [File hashes] ELF/sample hashes collected – 6104674bfa58ac11c697062d6068c568384f13037d1a146dbe25cd001104ca8b, f33a02781d60ca36f4ee56579c6d33846c2549ad7556bca499c73302cee17514, and dozens more hashes
Technical procedure (concise): The root cause is an unauthenticated command-injection in the Archer AX21 web interface’s locale/set_country handling, where the supplied country parameter is concatenated into a command and executed via popen. Attackers POST a crafted country value to trigger remote command execution, then use that execution context to run a small downloader script hosted on remote HTTP/TFTP servers.
Once the downloader runs (common names: exec.sh, bins.sh, 1.sh, tenda.sh, shk, jack5tr.sh), it fetches ELF binaries for multiple architectures, executes each until the matching architecture is found, then self-deletes to reduce forensic traces. Typical post-execution behaviors include creating local accounts with random credentials (AGoent), exfiltrating those credentials to C2, and persistent beaconing to C2 domains (examples: fjsnsinfinsf[.]ngcv[.]top, rooty[.]cc) to await commands.
Different bot families implement specialized modules after staging: Gafgyt variants concatenate target IP/architecture into the initial C2 message and accept commands for UDP/TCP/VSE/XMAS floods; Moobot uses an XOR key (0xDEADBEEF) and hardcoded strings to decode config and execute DDoS routines; Mirai/Miori variants download UPX-packed ELFs, kill packet-analysis tools, and use XOR keys/hardcoded credential lists for brute-forcing; Condi uses multiple protocols to download payloads and removes reboot-related binaries to prevent device reboots. Defenders should block known download URLs/C2 domains, apply the CVE-2023-1389 patch, and detect the described indicators (script names, C2 domains, and the provided hashes).
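As an added example (not code from the report or from TP-Link), a small Python triage routine a defender could run over WAF or proxy records of locale-API requests: it applies the two-letter allowlist the set_country handler should have enforced instead of passing the value to popen, and grades requests that fail it by whether they carry shell metacharacters or one of the downloader script names listed above. The form/field names, endpoint shape and sample requests are assumptions, not values from the report.

```python
import re

# Assumption: the locale API is addressed by a form named "country" with a
# "country" field; the report names the set_country pathway but not the exact
# request layout, so adapt LOCALE_FORM to what your own logs record.
LOCALE_FORM = "country"
ISO_ALPHA2 = re.compile(r"^[A-Z]{2}$")         # what a legitimate country code looks like
SHELL_META = re.compile(r"[;&|`$(){}<>\n\\]")   # bytes that change meaning under popen()/sh
# Downloader script names listed in the report's observed infection chains.
STAGER_NAMES = ("exec.sh", "bins.sh", "1.sh", "tenda.sh", "shk", "jack5tr.sh")
SEVERITY_RANK = {"none": 0, "medium": 1, "high": 2, "critical": 3}


def validate_country(value: str) -> bool:
    """Server-side fix pattern: allowlist a two-letter code instead of
    handing the raw string to a shell. Anything else is rejected."""
    return bool(ISO_ALPHA2.fullmatch(value))


def triage(form: str, params: dict) -> tuple[str, list[str]]:
    """WAF/proxy-side detection: returns (worst severity, reasons) for one
    request. Requests that are not locale-API calls return ('none', [])."""
    reasons: list[str] = []
    if form != LOCALE_FORM or "country" not in params:
        return "none", reasons
    value = params["country"]
    if validate_country(value):
        return "none", reasons
    reasons.append("medium: country value is not a two-letter code")
    if SHELL_META.search(value):
        reasons.append("high: shell metacharacters in country value")
    if any(name in value for name in STAGER_NAMES):
        reasons.append("critical: known downloader script name in country value")
    worst = max((r.split(":")[0] for r in reasons), key=SEVERITY_RANK.__getitem__)
    return worst, reasons


# Constructed sample requests (not from the report); 192.0.2.0/24 is TEST-NET.
SAMPLES = [
    ("country", {"country": "US"}),
    ("country", {"country": "USA"}),
    ("country", {"country": "US;id"}),
    ("country", {"country": "US;wget 192.0.2.10/tenda.sh"}),
    ("admin", {"username": "admin"}),
]

if __name__ == "__main__":
    for form, params in SAMPLES:
        worst, reasons = triage(form, params)
        print(f"{worst:9} {params} {reasons}")
```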