Mirai and Kaiten Botnet Variants Exploit Unpatched Routers
Attackers exploiting nearly decade-old D-Link router vulnerabilities drove a sharp rise in botnet activity in 2024 through variants of the Mirai and Kaiten botnets that take advantage of unpatched devices.
FortiGuard Labs reported that operators of botnets known as Ficora and Capsaicin exploit weaknesses in the Home Network Administration Protocol (HNAP), a proprietary network protocol acquired by Cisco Systems in 2008. Among the flaws being actively used are CVE-2015-2051, CVE-2019-10891, CVE-2022-37056 and CVE-2024-33112.
The vulnerabilities affect D-Link DIR-645, DIR-806, GO-RT-AC750 and DIR-845L routers. Fortinet said Ficora attacks originated from servers in the Netherlands and targeted systems globally. Ficora is a Mirai variant. Capsaicin, a Kaiten variant, has been concentrated in East Asia, with incidents peaking around Oct. 21 and Oct. 22.
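Because HNAP is a LAN-side management interface, any request for it arriving from a public address is worth an alert regardless of which CVE is in play. The following is an added example, not code from the article or from Fortinet's report; it assumes HNAP is served at the /HNAP1/ endpoint (general protocol knowledge, not stated in the article) and that a gateway or reverse proxy writes common-format access logs. The log lines are constructed.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample access log (common log format, status code last). Not real traffic.
SAMPLE_LOG = """\
192.168.1.10 - - [21/Oct/2024:09:12:01 +0000] "POST /HNAP1/ HTTP/1.1" 200
203.0.113.45 - - [21/Oct/2024:09:12:05 +0000] "POST /HNAP1/ HTTP/1.1" 200
203.0.113.45 - - [21/Oct/2024:09:12:06 +0000] "POST /HNAP1/ HTTP/1.1" 500
198.51.100.7 - - [21/Oct/2024:09:13:40 +0000] "GET /index.html HTTP/1.1" 200
203.0.113.45 - - [21/Oct/2024:09:12:07 +0000] "GET /HNAP1/ HTTP/1.1" 401
"""

LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# RFC 1918 ranges plus loopback: the only places HNAP traffic should originate.
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def parse_line(line):
    """Return a dict with src/ts/method/path/status, or None if the line does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def is_hnap(path):
    # /HNAP1/ is the conventional HNAP endpoint on D-Link devices (assumption).
    return path.upper().startswith("/HNAP1")

def is_lan(src):
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in LAN_NETS)

def find_wan_hnap_requests(log_text):
    """Return (src, ts, method, status) for every HNAP request from a non-LAN address."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_hnap(rec["path"]) or is_lan(rec["src"]):
            continue
        hits.append((rec["src"], rec["ts"], rec["method"], int(rec["status"])))
    return hits

def count_by_source(hits):
    """Count flagged requests per source; repeated hits from one address suggest a scanner."""
    return Counter(src for src, *_ in hits)
```

The 500 on the second constructed line is the kind of server-side error that exploitation attempts against a SOAP handler often leave behind, so pairing the source count with non-2xx statuses sharpens triage.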
Ficora deploys a shell script named multi to download malware tailored to various Linux architectures, including ARM and PowerPC. It employs ChaCha20 encryption to hide its configuration, which includes command and control server domains and attack parameters.
The malware executes brute force attacks with embedded username-password lists, disabling competing malware such as dvrHelper to dominate the victim host.
Capsaicin downloads and executes binaries such as yakuza.x86 targeting multiple architectures. Once active, it communicates with a C2 server to relay victim operating system information and execute attack commands. Researchers said it also neutralizes some known competitor botnet malware.
Its features include DDoS commands and a built-in help menu for attackers, indicating a sophisticated design linked to the Keksec group’s botnet development framework.