Moobot, a variant of Mirai botnet, has resurfaced in an attack wave that targets both the new and old vulnerable D-Link routers. Researchers from Palo Alto Networks Unit 42 discovered the attacks in early August. Botnet operators usually offer DDoS services mostly sold to third-party users by threat actors who want to disrupt online services and websites.

Attack campaign details

The attackers generally use the compromised devices to conduct DDoS attacks by compromising the devices.
  • By exploiting the vulnerability flaws, the operators can execute remote code on targets and download malware binaries.
  • Once the malware decodes the hardcoded address from the system configuration, the newly captured routers are registered on the C2.
  • Hacked routers are used to launch DDoS attacks on an IP address and port number controlled by Moobot's operators.

Vulnerability list

Moobot is now targeting four critical vulnerabilities in both old and new D-Link devices, including:
  • CVE-2022-28958 (CVSS score: 9.8) - D-Link Remote Command Execution Vulnerability
  • CVE-2022-26258 (CVSS score: 9.8) - D-Link Remote Command Execution Vulnerability
  • CVE-2018-6530 (CVSS score: 9.8) - D-Link SOAP Interface Remote Code Execution Vulnerability
  • CVE-2015-2051 (CVSS score: 10.0) - D-Link HNAP SOAPAction Header Command Execution Vulnerability

To fix these flaws, the vendor provided security upgrades, although not all users have yet installed the fixes.

Moobot’s first occurrence 

MooBot was first disclosed by Fortinet analysts in December 2021 targeting a flaw in Hikvision cameras. This flaw allowed it to expand its network and include a large number of devices in its DDoS army.

How to protect yourself?
To mitigate potential threats, D-Link device users are highly recommended to apply patches and upgrades wherever applicable. The victims should reset the system, change the admin password, and install the latest security updates.
Cyware Publisher