FOCUS MODE
EXTRACT IOC
Threat Research

Cato CTRL, Threat Research: Ballista – New IoT Botnet Targeting Thousands of TP-Link Archer Routers

iocOne
Cato CTRL, Threat Research: Ballista – New IoT Botnet Targeting Thousands of TP-Link Archer Routers
A recent global campaign has been identified that targets TP-Link Archer routers through a remote code execution (RCE) vulnerability (CVE-2023-1389). The campaign exploits these routers to create a botnet, with the potential for widespread impact given the number of vulnerable devices connected to the internet. The malware dropper utilizes a bash script to install and execute additional malware while maintaining evasion techniques. Affected: IoT devices, TP-Link Archer routers

Keypoints :

  • A global IoT botnet campaign targets TP-Link Archer routers through CVE-2023-1389.
  • Vulnerabilities persist due to infrequent firmware updates by users and negligence in security by manufacturers.
  • The botnet is believed to remain active, with over 6,000 vulnerable devices detected.
  • The campaign incorporates a malware dropper that executes code remotely and seeks to spread itself.
  • The threat actor associated with this campaign is potentially based in Italy and has shown adaptation tactics for evasion.

MITRE Techniques :

  • T1571: Application Layer Protocol – Utilizes HTTP to communicate and send commands.
  • T1071.001: Application Layer Protocol: Web Protocols – Employs web protocols for communication with a C2 server.
  • T1222.002: File Permissions Modification – Sets full permissions on the dropper file for execution.
  • T1070.004: Indicator Removal on Host – The malware dropper deletes itself post-execution to avoid detection.
  • T1083: File and Directory Discovery – The malware attempts to access various sensitive system files.
  • T1059.004: Command and Scripting Interpreter: Unix Shell – Executes shell commands on compromised devices.
  • T1499: Endpoint Denial of Service – Executes distributed denial-of-service (DDoS) attacks upon command.
  • T1190: Exploit Public-Facing Application – Exploits the CVE-2023-1389 vulnerability to spread across devices.
  • T1057: Process Discovery – Kills previous instances of itself to avoid detection.
  • T1005: Data from Local System – Reads configuration files potentially for malicious activities.
  • T1573: Encrypted Channel – Sets up an encrypted C2 communication channel.
  • T1095: Service Execution – Maintains a background thread for continuous operations.

Indicator of Compromise :

  • No IoC Found

Full Story: https://www.catonetworks.com/blog/cato-ctrl-ballista-new-iot-botnet-targeting-thousands-of-tp-link-archer-routers/

Tags: EXPLOIT, DISCOVERY, INITIAL ACCESS, CLOUD, GOVERNMENT, LINUX, CRITICAL INFRASTRUCTURE, CHINA