The Mirai malware botnet variant known as ‘MooBot’ has re-emerged in a new attack wave that started early last month. This targets vulnerable D-Link routers with a mix of old and new exploits.

MooBot was discovered by analysts at Fortinet in December 2021. Targeting a flaw in Hikvision cameras to spread quickly and enlist a large number of devices into its DDoS army.

As is customary for botnets searching for untapped reserves of susceptible devices they capture, the malware updated its targeting scope today.

The following significant D-Link device vulnerabilities are being targeted by MooBot right now, according to a study published by Unit 42 researchers at Palo Alto Networks:

  • CVE-2015-2051: D-Link HNAP SOAPAction Header Command Execution Vulnerability
  • CVE-2018-6530: D-Link SOAP Interface Remote Code Execution Vulnerability
  • CVE-2022-26258: D-Link Remote Command Execution Vulnerability
  • CVE-2022-28958: D-Link Remote Command Execution Vulnerability
Payload used for exploiting CVE-2022-26258 (Unit 42)
Payload used for exploiting CVE-2022-26258 (Unit 42)

The Issues

To fix these issues, the vendor published security upgrades, but not all users have yet installed them. The most recent of the two was made public in March and May of this year.

In order to acquire remote code execution on the targets and fetch the malware binary using arbitrary commands, MooBot’s operators use the holes’ low attack complexity.

MooBot's latest attack overview (Unit 42)
MooBot’s latest attack overview (Unit 42)

The freshly acquired routers are registered on the threat actor’s C2 when the virus decodes the configuration’s hardcoded address.

It’s important to note that the C2 addresses presented in Unit 42’s report differ from those in Fortinet’s write-up, indicating a refresher in the threat actor’s infrastructure.

Eventually, the captured routers participate in directed DDoS attacks against various targets, depending on what MooBot’s operators wish to achieve.

Typically, the threat actors sell DDoS services to others, so the botnet’s firepower is rented to anyone interested in causing downtimes or disruption to sites and online services.

Internet speed decreases, unresponsiveness, excessive router heat, and mysterious DNS configuration changes are all symptoms of botnet infections that users of compromised D-Link routers may experience.

The easiest approach to keep MooBot out is to update your D-Link router’s firmware when it becomes available. You should set up any outdated or unsupported hardware you use to restrict remote access to the admin panel.

If you have been compromised, use the physical button to reset the device. Then change your admin password and install the most recent vendor security updates.