Two malware botnets, dubbed ‘Ficora’ and ‘Capsaicin,’ are escalating their efforts to exploit vulnerabilities in D-Link routers, particularly targeting devices with outdated firmware or end-of-life models. This surge underscores significant risks for both individual users and organizations relying on these vulnerable routers.
D-Link Devices in the Crosshairs
The attacks have centered on popular D-Link routers, including DIR-645, DIR-806, GO-RT-AC750, and DIR-845L—models widely deployed across homes and businesses. These devices are being breached using a series of known exploits tied to vulnerabilities CVE-2015-2051, CVE-2019-10891, CVE-2022-37056, and CVE-2024-33112.
Once access is gained, attackers leverage weaknesses in D-Link’s management interface (HNAP), particularly via the GetDeviceSettings action, to execute malicious commands. This allows the botnets to:
- Steal sensitive data.
- Execute shell scripts for further compromise.
- Utilize the compromised devices for distributed denial-of-service (DDoS) attacks.
Ficora Botnet: The Persistent Threat
Overview and Activity Patterns
Ficora, a variant of the notorious Mirai botnet, has tailored its attack methods to specifically target D-Link routers. According to Fortinet’s telemetry, the botnet’s activities are geographically dispersed, with notable spikes observed in October and November. Japan and the United States appear to be hotspots for these infections.
Ficora employs a shell script named ‘multi’ for downloading and deploying its payloads. The script uses various tools, including wget, curl, ftpget, and tftp, to infect devices.
Advanced Brute-Force Capabilities
The malware comes equipped with a brute-force component that uses hardcoded credentials to compromise additional Linux-based devices. Its ability to run on multiple hardware architectures, spanning arm, mips, and x86, further amplifies its reach. Once a device is enrolled, Ficora can direct it to launch the following DDoS attacks:
- UDP Flooding: Overwhelms target servers with massive amounts of UDP packets.
- TCP Flooding: Exploits TCP connection resources to paralyze targets.
- DNS Amplification: Amplifies the attack impact by misusing DNS servers.
Capsaicin Botnet: A Burst of Devastation
Short but Impactful
In contrast to Ficora’s prolonged activity, Capsaicin delivered a short-lived yet intense campaign between October 21 and 22, focusing on East Asian countries. Believed to originate from the Keksec group, known for developing other malware like ‘EnemyBot,’ Capsaicin exploits vulnerabilities similarly but with a distinct approach.
Infection and Payload Deployment
Capsaicin relies on a downloader script (‘bins.sh’) to retrieve binaries labeled with the prefix ‘yakuza’, designed for various hardware architectures. Once installed, it actively seeks out and disables other botnet payloads operating on the same host, ensuring its dominance.
Surveillance and DDoS Features
While its DDoS capabilities align with Ficora’s (UDP, TCP, and DNS floods), Capsaicin stands out for its ability to collect detailed host information and exfiltrate it to its command and control (C2) server.
Defending Against Botnet Attacks
The rise of Ficora and Capsaicin highlights the importance of robust defenses against botnet threats. Securing routers and IoT devices is crucial to preventing these infections.
Recommended Actions:
- Update Firmware: Always ensure devices are running the latest firmware. This addresses known vulnerabilities.
- Replace End-of-Life Devices: Routers no longer supported with updates should be replaced with newer models.
- Strengthen Credentials: Replace default admin credentials with strong, unique passwords.
- Disable Remote Access: Turn off remote interfaces if they’re unnecessary to reduce attack surfaces.
| Botnet | Origin | Primary Targets | Key Features | DDoS Methods |
|---|---|---|---|---|
| Ficora | Mirai variant | Japan, United States | Brute-forcing, multi-architecture compatibility, exploits D-Link firmware vulnerabilities | UDP, TCP, DNS floods |
| Capsaicin | Kaiten variant (Keksec) | East Asia | Disables rival malware, collects host data, short burst of activity | UDP, TCP, DNS floods |
While these botnets are sophisticated and adaptive, following these best practices significantly reduces the chances of falling victim to such malware. Addressing vulnerabilities early and maintaining a secure network infrastructure remains critical.