Condi DDoS Botnet Spreads via TP-Link’s CVE-2023-1389 | FortiGuard Labs

FortiGuard Labs analyzed Condi, a DDoS-as-a-service botnet that spreads by exploiting CVE-2023-1389 on TP-Link Archer AX21 routers and has been expanding since May 2023. The post details Condi’s propagation, C2 protocol, attack methods, and the threat actor’s monetization through a Telegram channel and malware source sales. Hashtags: #Condi #CVE-2023-1389 #TPLinkArcherAX21 #Mirai #CondiNetwork #Telegram

Keypoints

  • Condi is a Mirai-based DDoS botnet that spreads by exploiting CVE-2023-1389 in TP-Link Archer AX21 routers.
  • The threat actor monetizes Condi via DDoS-as-a-service and by selling malware source code on Telegram (Condi Network).

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – The malware spreads by exploiting TP-Link Archer AX21 routers vulnerable to CVE-2023-1389. Quote: ‘spreading by exploiting TP-Link Archer AX21 (AX1800) routers vulnerable to CVE-2023-1389’
  • [T1046] Network Service Scanning – It embeds a scanner to identify public IPs with open ports 80 or 8080. Quote: ‘scans for any public IPs with open ports 80 or 8080 (commonly used for HTTP servers)’
  • [T1105] Ingress Tool Transfer – It downloads and executes a remote shell script from a hardcoded URL to install Condi. Quote: ‘to download and execute a remote shell script at hxxp://cdn2[.]duc3k[.]com/t’
  • [T1562.001] Impair Defenses – It attempts to terminate other botnets/older Condi versions by killing processes and related binaries. Quote: ‘kill off older versions of Condi… It also kills any processes with binary filenames containing the following extensions …’
  • [T1071.001] Web Protocols (C2 over Web Protocols) – The C2 protocol is a modified Mirai-like binary protocol used to communicate with the C2; the bot can start a webserver to serve binaries and issue commands. Quote: ‘The binary protocol used by Condi to communicate with the C2 server is a modified version of that initially implemented in Mirai.’

Indicators of Compromise

  • [Files] Sample file hashes observed for Condi payloads – 091d1aca4fcd399102610265a57f5a6016f06b1947f86382a2bf2a668912554f, 291e6383284d38f958fb90d56780536b03bcc321f1177713d3834495f64a3144, and 9 more hashes
  • [Download URLs] Addresses used to fetch malware components – hxxp://85[.]217[.]144[.]35/arm, hxxp://85[.]217[.]144[.]35/arm7, and 6 more URLs
  • [C2] Command and control endpoints – 85[.]217[.]144[.]35, cdn2[.]duc3k[.]com
  • [Domains] Known domains used in the campaign – admin.duc3k[.]com and cdn2.duc3k[.]com
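One defender-side use of the indicators listed above, as an added example that is not part of the FortiGuard post: refang the published IoCs (the `hxxp` and `[.]` defanging) and match them against DNS, proxy and firewall log lines. The log lines are constructed for the demonstration; the only indicators used are the ones quoted on this page.

```python
import re
# Indicators from the report summary above, in their published defanged form.
DEFANGED_IOCS = [
    "hxxp://cdn2[.]duc3k[.]com/t",  # shell-script download URL (T1105)
    "85[.]217[.]144[.]35",          # C2 / payload host
    "admin.duc3k[.]com",
    "cdn2.duc3k[.]com",
]

def refang(value):
    """Turn a defanged indicator ('hxxp', '[.]') back into a matchable string."""
    value = value.strip().replace("[.]", ".").lower()
    return "http" + value[4:] if value.startswith("hxxp") else value

def load_iocs(defanged):
    """Split refanged indicators into a host set and a full-URL set."""
    hosts, urls = set(), set()
    for raw in defanged:
        v = refang(raw)
        (urls if v.startswith(("http://", "https://")) else hosts).add(v)
    return hosts, urls

def scan_log(lines, hosts, urls):
    """Return [(line_no, indicator)] for lines referencing a known URL or host.
    Hosts match on token boundaries, so 185.217.144.35 never hits 85.217.144.35."""
    hits = []
    for n, line in enumerate(lines, 1):
        low = line.lower()
        url = next((u for u in urls if u in low), None)
        if url:
            hits.append((n, url))
            continue
        for h in hosts:
            if re.search(r"(?<![\w.-])" + re.escape(h) + r"(?![\w-])", low):
                hits.append((n, h))
                break
    return hits

def find_condi_iocs(lines):
    return scan_log(lines, *load_iocs(DEFANGED_IOCS))

# Constructed DNS / proxy / firewall lines for demonstration; not from the report.
SAMPLE_LOG = [
    "2023-06-01T12:00:01Z dns client=10.0.0.7 qname=cdn2.duc3k.com type=A",
    "2023-06-01T12:00:02Z proxy client=10.0.0.7 GET http://cdn2.duc3k.com/t 200",
    "2023-06-01T12:00:03Z proxy client=10.0.0.8 GET http://185.217.144.35/index.html 200",
    "2023-06-01T12:00:04Z fw allow src=10.0.0.7 dst=85.217.144.35 dport=80",
    "2023-06-01T12:00:05Z dns client=10.0.0.9 qname=updates.example.com type=A",
]
```

Running `find_condi_iocs(SAMPLE_LOG)` flags lines 1, 2 and 4 and leaves the look-alike 185.217.144.35 request alone; a hit on the `/t` URL in particular is worth treating as a likely T1105 download attempt from an already-exploited device.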

Read more: https://www.fortinet.com/blog/threat-research/condi-ddos-botnet-spreads-via-tp-links-cve-2023-1389