The MANGA (aka Dark Mirai) botnet operators’ exploitation of a vulnerability in the TP-Link TL-WR4840N EU V5 has come to light. The vulnerability allows hackers to execute code remotely.

Botnets keep evolving and improving, targeting new vulnerabilities to breach systems.

  • MANGA is exploiting a bug labelled CVE-2021-41653, which allows attackers to execute code remotely on the device.
  • A proof of concept for the vulnerability was published in November. Not many had installed the patch.
  • Two weeks after TP-Link released the firmware, MANGA started exploiting the vulnerability.

MANGA operators are using the RCE flaw to force the devices to download and execute a malicious script.

  • The malicious script (tshit[.]sh), when executed, downloads the main binary payloads with two requests.
  • However, the actors still require authentication for this exploit, which is easy to overcome if the device has default credentials.
  • Just like the basic variant of Mirai, MANGA identifies the infected machine’s architecture and downloads the matching payloads. Subsequently, it blocks connections to commonly targeted ports to stop other botnets from infecting the captured device.
  • Ultimately, the botnet waits for a command from the C2 server to carry out a Denial-of-Service (DoS) attack.
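
The download pattern described above (a shell script fetched by the device, then the payload requests) can be hunted for in egress proxy logs. The following is an added example, not code from the original article: the log format, the device list, the 60-second window and all sample records are constructed assumptions, and the check is name-agnostic rather than tied to one script name.

```python
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Assumptions for this example: addresses of routers/IoT devices that should
# never fetch shell scripts, and how long after the script we look for payloads.
ROUTER_IPS = {"192.168.0.1"}
WINDOW = timedelta(seconds=60)

# Constructed sample records: timestamp, source IP, method, URL.
# Hosts use documentation address ranges; payload names are made up.
SAMPLE_LOG = """\
2021-12-01T10:00:00 192.168.0.1 GET http://198.51.100.7/tshit.sh
2021-12-01T10:00:03 192.168.0.1 GET http://198.51.100.7/bin.arm7
2021-12-01T10:00:04 192.168.0.1 GET http://198.51.100.7/bin.mips
2021-12-01T10:05:00 192.168.0.1 GET http://203.0.113.9/firmware/check.xml
2021-12-01T11:00:00 192.168.0.50 GET http://203.0.113.20/install.sh
"""

def parse(log):
    """Yield (time, source, method, parsed URL) for each well-formed line."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed records instead of failing the hunt
        ts, src, method, url = parts
        yield datetime.fromisoformat(ts), src, method, urlsplit(url)

def find_dropper_sequences(log, min_followups=2):
    """Flag a device that fetches a .sh file and then makes at least
    min_followups further GETs to the same host inside WINDOW."""
    events = sorted(parse(log), key=lambda e: e[0])
    alerts = []
    for i, (ts, src, method, url) in enumerate(events):
        if src not in ROUTER_IPS or method != "GET":
            continue
        if not url.path.endswith(".sh"):
            continue
        followups = [
            u.path for t, s, m, u in events[i + 1:]
            if s == src and m == "GET"
            and u.hostname == url.hostname and t - ts <= WINDOW
        ]
        if len(followups) >= min_followups:
            alerts.append({"device": src, "host": url.hostname,
                           "script": url.path, "payloads": followups})
    return alerts

if __name__ == "__main__":
    for alert in find_dropper_sequences(SAMPLE_LOG):
        print(alert)
```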

Unpatched devices remain vulnerable, and a compromise can affect the system profoundly. Therefore, please keep your devices updated.