Moobot has been exploiting a critical flaw in Hikvision products, which were sanctioned by the U.S. in the wake of human rights abuse. The botnet is based on the infamous Mirai and has been spreading in the wild for quite some time. Moobot was first spotted in February, and its operators are still adding new CVEs, apparently to target additional devices.

What's new?

According to Fortinet, the botnet is abusing a critical command injection flaw to target unpatched devices and extract sensitive data from victims. However, the flaw was fixed in September with a firmware update (v 210628).
  • The exploited flaw doesn't need authentication and is triggered by sending a message to a publicly exposed device.
  • Among multiple payloads abusing CVE-2021-36260, researchers have found a downloader masked as ‘macHelper’ that fetches and runs Moobot with the ‘hikivision’ parameter.
  • Moreover, the botnet modifies basic commands, such as reboot, to impede their functionality.
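
The following fleet triage example is added here and is not code from Fortinet, Hikvision or the article's author. It flags devices below the firmware build the article cites and process lines matching the ‘macHelper’ and ‘hikivision’ indicators. The `V<version> build <YYMMDD>` firmware string format, the inventory field names and the sample hosts are assumptions.

```python
import re

# Values taken from the article above.
FIXED_BUILD = 210628           # firmware build the article cites as the fix
DOWNLOADER_NAME = "macHelper"  # name the downloader was masked as
BOT_ARGUMENT = "hikivision"    # parameter Moobot was launched with

# Assumption: firmware is reported as "V<version> build <YYMMDD>".
BUILD_RE = re.compile(r"build\s+(\d{6})\b", re.IGNORECASE)

def firmware_status(version_string):
    """Return 'patched', 'unpatched' or 'unknown' for one firmware string."""
    match = BUILD_RE.search(version_string or "")
    if not match:
        return "unknown"  # an unparsable version is never treated as safe
    return "patched" if int(match.group(1)) >= FIXED_BUILD else "unpatched"

def process_indicators(process_lines):
    """Return the command lines that match an indicator named in the article."""
    hits = []
    for line in process_lines:
        argv = line.split() or [""]          # tolerate blank lines
        name = argv[0].rsplit("/", 1)[-1]    # basename of the executable
        if name == DOWNLOADER_NAME or BOT_ARGUMENT in argv[1:]:
            hits.append(line)
    return hits

def triage(device):
    """Pick one action per device: isolate, patch-now, patch or ok."""
    status = firmware_status(device.get("firmware"))
    hits = process_indicators(device.get("processes", []))
    action = "ok"
    if hits:
        action = "isolate"  # indicator present: isolate, as the article advises
    elif status != "patched":  # unpatched or unknown firmware
        action = "patch-now" if device.get("exposed") else "patch"
    return {"name": device["name"], "firmware": status, "hits": hits, "action": action}

# Constructed sample inventory (hypothetical hosts and field names).
INVENTORY = [
    {"name": "cam-lobby", "firmware": "V5.5.0 build 210702", "exposed": True, "processes": ["/sbin/init"]},
    {"name": "cam-dock", "firmware": "V5.4.5 build 200116", "exposed": True, "processes": ["/sbin/init"]},
    {"name": "cam-lab", "firmware": "V5.5.0 build 210702", "exposed": False, "processes": ["/tmp/macHelper", "/tmp/x hikivision"]},
    {"name": "nvr-old", "firmware": "unknown", "exposed": False, "processes": []},
]

if __name__ == "__main__":
    for device in INVENTORY:
        print(triage(device))
```

The third sample device carries a build newer than the fix yet still matches both indicators, so it is isolated rather than reported as clean.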

The DDoS army

Moobot adds the compromised device to its DDoS army, where the C2 server sends a SYN flood command with the targeted IP address and port number. Other commands include 0x06 for UDP flood, 0x04 for ACK flood, and 0x05 for ACK+PUSH flood. The captured packet data revealed a Telegram channel offering DDoS services in August 2020.

Similarities with other botnets

Researchers have spotted some similarities between Moobot and Mirai, such as data strings used in random alphanumeric generator functions. Additionally, the botnet has taken some elements from Satori as well.


Moobot is still spreading and targeting exposed, unpatched devices for nefarious purposes. In order to protect IoT devices from such botnets, experts recommend applying available security patches as soon as possible. Moreover, always isolate infected devices and change the default credentials of devices.

Cyware Publisher