New Condi Malware Hijacks TP-Link Wi-Fi Routers for Botnet DDoS Attacks
The newly named malware Condition has been observed exploiting a security vulnerability in the TP-Link Archer AX21 (AX1800) Wi-Fi router to tie devices into a distributed denial-of-service (DDoS) botnet.
Fortinet FortiGuard Labs said the campaign has been on the rise since late May 2023. Condi is the work of a threat actor who uses the online alias zxcr9999 on Telegram and runs a Telegram channel called Condi Network to advertise their warez.
“Telegram channels started in May 2022, and threat actors have monetized their botnets by providing DDoS services and selling malware source code,” said security researchers Joie Salvio and Roy Tay.
Analysis of the malware artifacts reveals its ability to stop other competing botnets on the same host. However, it lacks a persistence mechanism, meaning the program cannot survive system reboots.
To overcome this limitation, the malware deletes some binaries which are used to shutdown or reboot the system –
- /usr/sbin/reboot
- /usr/bin/reboot
- /usr/sbin/turn off
- /usr/bin/turn off
- /usr/sbin/turn off
- /usr/bin/turn off
- /usr/sbin/stop
- /usr/bin/stop
Condi, unlike some botnets that spread via brute-force attacks, utilizes a scanner module that checks for vulnerable TP-Link Archer AX21 devices and, if so, executes shell scripts fetched from remote servers to store malware.
Specifically, the scanner selects routers that are vulnerable to CVE-2023-1389 (CVSS score: 8.8), a command injection bug which was previously exploited by the Mirai botnet.
Fortinet said it found other Condi samples exploiting several known security flaws for deployment, indicating that unpatched software is at risk of becoming a target for botnet malware.
Setting aside aggressive monetization tactics, Condi aims to snare tools to create robust DDoS botnets that other actors can hire to orchestrate TCP and UDP flood attacks on websites and services.
“Malware campaigns, especially botnets, are always looking for ways to grow,” the researchers said. “Exploiting a newly discovered (or published) vulnerability has always been one of their favorite methods.”
🔐 Mastering API Security: Understanding Your True Attack Surface
Discover untapped vulnerabilities in your API ecosystem and take proactive steps towards tight security. Join our insightful webinar!
The developments came when the AhnLab Security Emergency Response Center (ASEC) revealed that poorly managed Linux servers were breached to deliver DDoS bots such as ShellBot and Tsunami (aka Kaiten) as well as surreptitiously misappropriate resources for cryptocurrency mining.
“Tsunami source code is publicly available so it is used by many threat actors,” ASEC said. “Among its various uses, it is mostly used in attacks against IoT devices. Of course, it is also consistently used to target Linux servers.”
Chain of attack requires server compromise using a dictionary attack to execute rogue shell scripts capable of downloading next-stage malware and maintaining persistent backdoor access by adding the public key to the .ssh/authorized_keys file.
The Tsunami botnet malware used in the attack is a new variant called Ziggy which has significant similarities to the original source code. This further uses Internet relay chat (IRC) for command-and-control (C2).
Also used during an intrusion is an additional set of tools for privilege escalation and modifying or deleting log files to hide traces and hinder analysis.
“Administrators should use hard-to-guess passwords for their accounts and change them periodically to protect Linux servers from brute force attacks and dictionary attacks and update to the latest patches to prevent vulnerability attacks,” ASEC said.
