Botnets Continue Exploiting CVE-2023-1389 for Wide-Scale Spread | FortiGuard Labs

Affected Platforms: TP-Link Archer AX21 (AX1800) Version 1.1.4 Build 20230219 or prior
Impacted Users: Any organization
Impact: Remote attackers gain control of the vulnerable systems
Severity Level: High

Last year, a command injection vulnerability, CVE-2023-1389, was disclosed, and a fix was developed for the web management interface of the TP-Link Archer AX21 (AX1800). FortiGuard Labs developed an IPS signature to address this issue. Recently, we observed multiple attacks focusing on this year-old vulnerability, spotlighting botnets like Moobot, Miori, the Golang-based agent “AGoent,” and the Gafgyt variant. Peaks caused by these threats are evident in the following figure. This article explores their infection traffic patterns and offers insights into these botnets.

Figure 1: IPS telemetry

Infection – CVE-2023-1389

This is an unauthenticated command injection vulnerability in the “locale” API exposed by the web management interface. A request that queries the “country” form and performs a “write” operation is handled by the “set_country” function. That function calls “merge_config_by_country,” which concatenates the value of the “country” field into a command string and executes it with “popen.” Because the “country” value is never emptied or sanitized before it is used, an attacker can achieve command injection.
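To illustrate the injection point described above from a detection angle, here is an added example (not code from the advisory or from TP-Link) of a request-log check that flags shell metacharacters in the decoded “country” value of the locale API's write operation. The URL path and the parameter names form, operation and country are assumptions used for the constructed sample requests; the real interface may encode them differently.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Characters that would let a value break out of the command string that
# merge_config_by_country builds and hands to popen().
SHELL_META = re.compile(r"[;&|`$(){}<>\r\n]")

def parse_query(query: str) -> dict:
    """Split a query string into a dict; duplicate keys keep the last value."""
    params = {}
    for pair in query.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params[unquote_plus(key)] = unquote_plus(value)
    return params

def is_locale_injection(request_line: str) -> bool:
    """True if an HTTP request line targets the locale API's country/write
    operation with shell metacharacters in the decoded `country` value."""
    parts = request_line.split()
    if len(parts) < 2:
        return False
    url = urlsplit(parts[1])
    if "locale" not in url.path:          # path is assumed; only "locale" is named
        return False
    q = parse_query(url.query)
    # "form" and "operation" are assumed parameter names for the advisory's wording
    if q.get("form") != "country" or q.get("operation") != "write":
        return False
    return bool(SHELL_META.search(q.get("country", "")))

def flag_requests(lines):
    """Return the request lines that match the injection pattern."""
    return [line for line in lines if is_locale_injection(line)]

# Constructed sample request lines (not captured traffic)
SAMPLE_REQUESTS = [
    "GET /locale?form=country&operation=write&country=US HTTP/1.1",
    "GET /locale?form=country&operation=write&country=US%3Becho%20CONSTRUCTED HTTP/1.1",
    "GET /locale?form=country&operation=read&country=US%3B HTTP/1.1",
    "GET /index.html HTTP/1.1",
]

if __name__ == "__main__":
    for hit in flag_requests(SAMPLE_REQUESTS):
        print("suspicious:", hit)
```

Only the write operation is flagged; a read of the same form, even with metacharacters, never reaches the concatenated command and is left alone.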

Figure 2: Vulnerability Proof-Of-Concept

AGoent

AGoent is a Golang-based agent bot. It first fetches the script file “exec.sh” from “hxxp://5[.]10[.]249[.]153,” which retrieves the ELF files for different Linux-based architectures.

Figure 3: Exploit packet

Figure 4: The script file “exec.sh”

After downloading the ELF files, the script attempts to execute each file to find the one matching the device architecture, then removes every file to erase intrusion traces. The following analysis focuses on the executed file built for the “386” architecture.

There are two primary behaviors. The first is to create the host username and password using random characters.

Figure 5: Assembly code for user creation

After user creation, the malware establishes a connection with the C&C (command and control) server and passes on the credentials just created by the malware.

Figure 6: Malware execution

Figure 7: Established C2 session packet

Figure 8: Established C2 session packet with the credential

Gafgyt Variant

Gafgyt, also known as BASHLITE, is malware that infects Linux architecture operating systems to launch a DDoS (distributed denial of service) attack. In this variant, the bot downloads the script file “bins.sh” from “hxxp://195[.]62[.]32[.]227” and then executes the script. Gafgyt retrieves Linux architecture execution files with the prefix filename “rebirth.”

Figure 9: Exploit packet

Figure 10: The script file “bins.sh”

We will next focus on “rebirth.x86.” Gafgyt gets the compromised target IP and architecture information, which it concatenates into a string that is part of its initial connection message.

Figure 11: Initial connection message concatenation

After establishing a connection with its C&C server, the malware receives a continuous stream of “PING” commands from the server, which keeps the session alive and maintains persistence on the compromised target.

Figure 12: C2 server connection

The malware waits for any of the following commands from its C&C server. Each of them stands for a specific attack or function:

  • “UDP” stands for “UDP Flooding Attack”
  • “XMAS” stands for “XMAS Attack”
  • “VSE” stands for “VSE Attack”
  • “TCP” stands for “TCP Flooding Attack”
  • “HEX” stands for “defining a specified string within attack packets”
  • “STOP” stands for “stopping the attack”

Figure 13: Hard-coded commands

Moobot

Moobot fetches a script file from “hxxp://91[.]92[.]253[.]70.” The primary role of “1.sh” is to retrieve an ELF file with different architectures for further infection.

Figure 14: Exploit packet

Figure 15: The script file “1.sh”

The following analysis looks at the execution file built for the “x86_64” architecture. Once executed, it removes itself and erases all traces from the compromised device. It then displays “0x00000e9” in the console and starts contacting the C2 server “fjsnsinfinsf[.]ngcv[.]top.”

Figure 16: Moobot’s C2 session

Based on the XOR key “0xDEADBEEF” used for encoded strings and the hardcoded string “w5q6he3dbrsgmclkiu4to18npavj702f,” we can confirm this malware as Moobot. As the assembly indicates, a DDoS attack can be initiated on remote IPs via a C2 command.

Figure 17: Assembly code for DDoS method

Mirai Variant

Additionally, there is an attack using a variant of Mirai. The exploitation process begins by downloading “tenda.sh” from “hxxp://94[.]156[.]8[.]244.” This script file then downloads an ELF execution file from the same IP address, available in 13 different architectures.

Figure 18: Exploit packet

Figure 19: The script file “tenda.sh”

The original execution file is compressed using UPX.

Figure 20: UPX packed

This Mirai variant displays the message, “faggot got malware’d,” and monitors processes to terminate those associated with packet analysis tools. It then sends packets to the C2 server “45[.]155[.]91[.]135:21425” and awaits additional instructions for attacking.

Figure 21: Packet analysis tool list

Below is an illustration of a DDoS attack scenario: The command and control (C2) server sends a packet with a length of 0x15, directing the endpoint to initiate an attack. The command specified is 0x01 for a Valve Source Engine (VSE) flood, with a duration of 60 seconds (0x3C), targeting a randomly selected victim’s IP address and the port number 30129.

Figure 22: C2 command packets

Miori

Miori, another Mirai variant, shares similar modules. The batch script is fetched from “hxxp://185[.]224[.]128[.]34.” The downloader employs both HTTP and TFTP protocols to retrieve the ELF files.

Figure 23: Exploit packet

Figure 24: The script file “shk”

Once executed, Miori displays “your device just got infected to a bootnoot” in the console and sends two null bytes (\x00\x00) to the C2 server “rooty[.]cc” on TCP port 33335. The XOR key used to decode its configuration is 0xDFEDDEEF, and a hardcoded password list is included for its brute-force attack function.
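The XOR keys named for Moobot (0xDEADBEEF, above) and Miori (0xDFEDDEEF) are what an analyst uses to recover the encoded configuration strings. As an added example (not code from the write-up or from the malware), the helper below applies a key the way the leaked Mirai table code does and tries the known keys until one yields printable text, using the Moobot marker string quoted in the write-up as its sample. The assumption that both families keep Mirai's byte-by-byte key scheme is mine; the encoded sample is constructed here, not extracted from a binary.

```python
# Mirai-family table keys named in the write-up. 0xDEADBEEF is also the
# default table_key in the leaked Mirai source, which is why Moobot matches it.
KNOWN_KEYS = {
    "Moobot": 0xDEADBEEF,
    "Miori": 0xDFEDDEEF,
}

def effective_key_byte(key32: int) -> int:
    """Mirai's table.c XORs every byte with each of the four key bytes in turn,
    so the net per-byte key is simply the XOR of those four bytes.
    (Assumption: these samples follow that scheme; the page only names the keys.)"""
    k = 0
    for shift in (0, 8, 16, 24):
        k ^= (key32 >> shift) & 0xFF
    return k

def xor_table(data: bytes, key32: int) -> bytes:
    """Encode or decode a table string; the operation is its own inverse."""
    k = effective_key_byte(key32)
    return bytes(b ^ k for b in data)

def looks_printable(data: bytes) -> bool:
    return all(0x20 <= b < 0x7F for b in data)

def identify_key(blob: bytes):
    """Try each known key; return (family, decoded text) for the first key that
    produces printable ASCII, or None if none does."""
    for family, key in KNOWN_KEYS.items():
        out = xor_table(blob, key)
        if out and looks_printable(out):
            return family, out.decode("ascii")
    return None

# Constructed sample: the Moobot marker string from the write-up, encoded here
# with the Moobot key (not bytes carved from a real sample).
MOOBOT_MARKER = b"w5q6he3dbrsgmclkiu4to18npavj702f"
SAMPLE_BLOB = xor_table(MOOBOT_MARKER, KNOWN_KEYS["Moobot"])

if __name__ == "__main__":
    print("effective key bytes:",
          {name: hex(effective_key_byte(k)) for name, k in KNOWN_KEYS.items()})
    print("decoded:", identify_key(SAMPLE_BLOB))
```

The printable-ASCII check is a deliberately weak oracle: a wrong key that happens to land in the printable range will pass it, so the recovered strings still need a sanity check against known markers such as the C2 hostname.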

Figure 25: Hard-coded username/password list

The attacking command packet resembles those seen in previous Mirai variants.

Figure 26: C2 command packets

Condi

Condi’s downloader script is retrieved over multiple protocols to increase the chance of a successful infection.

Figure 27: Exploit packet

Figure 28: The script file “jack5tr.sh”

Condi is executed with the parameter “work,” which is included in the first packet sent to the C2 server “bn[.]networkbn[.]click.” The command remains consistent with the version distributed last year, retaining the function to prevent reboots by deleting binaries responsible for shutting down or rebooting the system.

Figure 29: C2 session

It also scans active processes and compares their names against a predefined list of strings, terminating any process whose name matches.

Figure 30: Check process

Based on its selling page, Condi has updated its attacking methods, as shown below.

Figure 31: Condi’s attacking methods

Conclusion

As usual, botnets relentlessly target IoT vulnerabilities and continuously attempt to exploit them. Although CVE-2023-1389 was disclosed and remediated last year, numerous campaigns still exploit it, producing significant peaks in our IPS telemetry. Users should remain vigilant against DDoS botnets and promptly apply patches to safeguard their network environments from infection, preventing their devices from becoming bots for malicious threat actors.

Fortinet Protections

The malware described in this report is detected and blocked by FortiGuard Antivirus as:

BASH/Mirai.AEH!tr.dldr
ELF/Mirai.A!tr
ELF/Mirai.BSC!tr
ELF/Mirai.CDB!tr
ELF/Mirai.GG!tr
ELF/Mirai.L!tr
ELF/Moobot.A!tr
Linux/Mirai.BSC!tr
Linux/Mirai.CEA!tr
Linux/Mirai.CJS!tr
Linux/Mirai.F!tr
Linux/Mirai.IZ1H9!tr
ELF/Mirai.AGIT!tr
ELF/Gafgyt.BJ!tr
ELF/Gafgyt.VE!tr
ELF/Gafgyt.WN!tr.bdr
Linux/Gafgyt.ARN!tr
Linux/Agent.AAO!tr

FortiGate, FortiMail, FortiClient, and FortiEDR support the FortiGuard AntiVirus service. The FortiGuard AntiVirus engine is part of each of these solutions. As a result, customers who have these products with up-to-date protections are protected.

The FortiGuard Web Filtering Service blocks the C2 servers and downloads URLs.

FortiGuard Labs provides IPS signatures against attacks exploiting the following vulnerability:

    CVE-2023-1389: TP-Link.Archer.AX21.Unauthenticated.Command.Injection

We also suggest that organizations go through Fortinet’s free cybersecurity training module: Fortinet Certified Fundamentals. This module is designed to help end users learn how to identify and protect themselves from phishing attacks.

FortiGuard IP Reputation and Anti-Botnet Security Service proactively blocks these attacks by aggregating malicious source IP data from the Fortinet distributed network of threat sensors, CERTs, MITRE, cooperative competitors, and other global sources that collaborate to provide up-to-date threat intelligence about hostile sources.

If you believe this or any other cybersecurity threat has impacted your organization, please contact our Global FortiGuard Incident Response Team.

IOCs

C2


URLs

