FortiGuard Labs observed increased activity from two botnets, the Mirai variant “FICORA” and the Kaiten variant “CAPSAICIN”.
FortiGuard Labs researchers observed a surge in activity associated with two botnets, the Mirai variant “FICORA” and the Kaiten variant “CAPSAICIN,” in late 2024. Both botnets target vulnerabilities in D-Link devices, particularly through the HNAP interface, allowing remote command execution. Some of the vulnerabilities exploited by the botnets are CVE-2015-2051, CVE-2019-10891, CVE-2022-37056, and CVE-2024-33112.
“According to our IPS telemetry, attackers frequently reuse older attacks, which accounts for the continued spread of the “FICORA” and “CAPSAICIN” botnets to victim hosts and infected targets.” reads the report published by Fortinet. “This article looks at their infected traffic and offers insights into these botnets.”
The researchers noticed that the latest “FICORA” campaign targeted many countries worldwide, suggesting it was not employed in targeted attacks.
The “CAPSAICIN” botnet was highly active for only two days, October 21–22, 2024, primarily targeting East Asian countries.
The “FICORA” botnet downloads and executes a shell script called “multi,” which is removed after execution. The script uses various methods like “wget,” “ftpget,” “curl,” and “tftp” to download the malware. It first terminates processes with the same file extension as “FICORA” and then downloads and executes the malware targeting multiple Linux architectures. The malware’s configuration, including its C2 server domain and a unique string, is encrypted using the ChaCha20 algorithm.
The scanner used by the FICORA botnet includes a hard-coded username and password for its brute force attack function.
The malware “FICORA” is a variant of the Mirai malware, it includes DDoS attack capabilities using multiple protocols such as “UDP,” “TCP,” and “DNS.”
The “CAPSAICIN” botnet uses a downloader script (“bins.sh”) with a different IP address (“87.10.220[.]221”) to fetch the bot to target various Linux architectures. The malware kills known botnet processes to ensure it remains the only one running. Then it connects to its C2 server (“192.110.247[.]46”), sending the victim’s OS information and a unique nickname back to the server.
The “CAPSAICIN” malware appears to be a variant of the Keksec group’s botnets, likely developed from version 17.0.0 of their malware, based on hard-coded information found within it.
“Although the weaknesses exploited in this attack had been exposed and patched nearly a decade ago, these attacks have remained continuously active worldwide. FortiGuard Labs discovered that “FICORA” and “CAPSAICIN” spread through this weakness.” concludes the report. “Because of this, it is crucial for every enterprise to regularly update the kernel of their devices and maintain comprehensive monitoring. These steps will help reduce the likelihood of malware being deployed through this vulnerability.”
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
Pierluigi Paganini
(SecurityAffairs – hacking, FICORA botnet)