
Realtek and Cacti flaws exploited by malware botnets

Malware botnets are currently exploiting Realtek and Cacti vulnerabilities.


Between January and March 2023, several malware botnets were observed actively exploiting the Cacti and Realtek vulnerabilities to spread the ShellBot and Moobot malware.

The Realtek Jungle SDK is currently vulnerable to a critical remote code execution bug (CVE-2021-35394), while the Cacti monitoring and fault-management tool contains a severe command injection vulnerability (CVE-2022-46169).

Several malicious botnets, including Fodcha, RedGoBot, Mirai, Gafgyt and Mozi, have exploited these two vulnerabilities in the past.

In 2023, Fortinet warns that malicious activity is increasing significantly and that vulnerable, exposed network devices are being targeted for recruitment into DDoS (distributed denial of service) swarms.

Although Fortinet's report does not explicitly state whether the same threat actors spread both Moobot and ShellBot, the researchers observed payloads exploiting similar vulnerabilities in the same waves of attacks.

Moobot infections

Moobot, a variant of Mirai, was first observed in December 2021 attacking Hikvision cameras. The following September, the malware was updated to exploit multiple security vulnerabilities in D-Link products and systems.

Currently, this malware exploits CVE-2021-35394 and CVE-2022-46169 on vulnerable devices to download a script containing its configuration details and to initiate communication with the C2 server.

Moobot sends and receives regular heartbeat messages until it detects an incoming command, which triggers its attack.

An impressive feature of the newer Moobot variants is their ability to detect and terminate processes belonging to other bots already established on the host, allowing them to use the full capabilities of the victim machine to launch devastating DDoS attacks.

ShellBot attacks

Since ShellBot was first detected in January 2023, the malware has remained active to this day and targets Cacti vulnerabilities in particular. Fortinet noted three different versions of the malware, suggesting that its creators are actively developing it.

After connecting to the C2 server, variant 1 can receive any of the following commands:

  • ps - perform a port scan on the specified target and port
  • nmap - perform an Nmap port scan on a specified port range
  • rm - delete files and folders
  • version - send version information
  • down - download a file
  • udp - start a UDP DDoS attack
  • back - inject a reverse shell

The second variant of ShellBot, which first appeared in March 2023 and already counts hundreds of victims, has a much more extensive set of commands, as shown below:

Interestingly, the malware is equipped with a sophisticated module for enhancing its exploit capabilities, which can gather news and public advisories from PacketStorm and milw0rm.

To protect against Moobot and ShellBot, it is important to set strong administrator passwords and install the security updates that fix these vulnerabilities. By taking these measures, you can protect your business from potential risks.

If a device is no longer supported by its vendor, it should be replaced with a modern model to ensure it keeps receiving security updates.

Source of information: bleepingcomputer.com

Teo Ehc, https://secnews.gr