Botnets Continue to Target Aging D-Link Vulnerabilities

    Date: 12/27/2024

    Severity: Medium

    Summary

    In October and November 2024, a surge in activity was observed from two botnets, the Mirai variant "FICORA" and the Kaiten variant "CAPSAICIN", both exploiting aging D-Link vulnerabilities. These vulnerabilities, reached primarily through the HNAP (Home Network Administration Protocol) interface, allow remote attackers to execute malicious commands on the device. The flaws, first exposed nearly a decade ago, are linked to several CVEs, including CVE-2015-2051, CVE-2019-10891, CVE-2022-37056, and CVE-2024-33112. Despite being well known, these vulnerabilities continue to facilitate the spread of both botnets, with attackers reusing older techniques to compromise devices.

    Indicators of Compromise (IOC) List


    IP Address

    87.11.174.141

    103.149.87.69

    87.10.220.221

    45.86.86.60

    194.110.247.46


    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1

    userdomainname like "http://87.10.220.221/yakuza.i586" or url like "http://87.10.220.221/yakuza.i586" or userdomainname like "http://pirati.abuser.eu/yakuza.yak.sh" or url like "http://pirati.abuser.eu/yakuza.yak.sh" or userdomainname like "http://87.10.220.221/yakuza.arm7" or url like "http://87.10.220.221/yakuza.arm7" or userdomainname like "http://pirati.abuser.eu/yakuza.mips" or url like "http://pirati.abuser.eu/yakuza.mips" or userdomainname like "http://103.149.87.69/la.bot.arc" or url like "http://103.149.87.69/la.bot.arc" or userdomainname like "http://87.10.220.221/yakuza.i686" or url like "http://87.10.220.221/yakuza.i686" or userdomainname like "http://pirati.abuser.eu/yakuza.x86" or url like "http://pirati.abuser.eu/yakuza.x86" or userdomainname like "http://103.149.87.69/la.bot.sh4" or url like "http://103.149.87.69/la.bot.sh4" or userdomainname like "http://103.149.87.69/la.bot.arm5" or url like "http://103.149.87.69/la.bot.arm5" or userdomainname like "http://pirati.abuser.eu/yakuza.arm7" or url like "http://pirati.abuser.eu/yakuza.arm7" or userdomainname like "ru.coziest.lol" or url like "ru.coziest.lol" or userdomainname like "http://pirati.abuser.eu/yakuza.mipsel" or url like "http://pirati.abuser.eu/yakuza.mipsel" or userdomainname like "http://pirati.abuser.eu/yakuza.i686" or url like "http://pirati.abuser.eu/yakuza.i686" or userdomainname like "http://103.149.87.69/la.bot.arm" or url like "http://103.149.87.69/la.bot.arm" or userdomainname like "http://87.10.220.221/yakuza.sparc" or url like "http://87.10.220.221/yakuza.sparc" or userdomainname like "pirati.abuser.eu" or url like "pirati.abuser.eu" or userdomainname like "http://103.149.87.69/la.bot.powerpc" or url like "http://103.149.87.69/la.bot.powerpc" or userdomainname like "http://pirati.abuser.eu/yakuza.arm5" or url like "http://pirati.abuser.eu/yakuza.arm5" or userdomainname like "http://103.149.87.69/la.bot.mips" or url like "http://103.149.87.69/la.bot.mips" or userdomainname like "http://pirati.abuser.eu/yakuza.m68k" or url like "http://pirati.abuser.eu/yakuza.m68k" or userdomainname like "http://103.149.87.69/multi" or url like "http://103.149.87.69/multi" or userdomainname like "http://87.10.220.221/yakuza.ppc" or url like "http://87.10.220.221/yakuza.ppc" or userdomainname like "http://87.10.220.221/yakuza.arm4" or url like "http://87.10.220.221/yakuza.arm4" or userdomainname like "http://87.10.220.221/yakuza.x86" or url like "http://87.10.220.221/yakuza.x86" or userdomainname like "http://pirati.abuser.eu/yakuza.arm6" or url like "http://pirati.abuser.eu/yakuza.arm6" or userdomainname like "http://103.149.87.69/la.bot.arm7" or url like "http://103.149.87.69/la.bot.arm7" or userdomainname like "http://87.10.220.221/yakuza.m68k" or url like "http://87.10.220.221/yakuza.m68k" or userdomainname like "http://87.10.220.221/bins.sh" or url like "http://87.10.220.221/bins.sh" or userdomainname like "http://103.149.87.69/la.bot.arm6" or url like "http://103.149.87.69/la.bot.arm6" or userdomainname like "http://103.149.87.69/la.bot.mipsel" or url like "http://103.149.87.69/la.bot.mipsel" or userdomainname like "http://87.10.220.221/yakuza.sh" or url like "http://87.10.220.221/yakuza.sh" or userdomainname like "http://103.149.87.69/la.bot.m68k" or url like "http://103.149.87.69/la.bot.m68k" or userdomainname like "http://103.149.87.69/la.bot.sparc" or url like "http://103.149.87.69/la.bot.sparc" or userdomainname like "http://87.11.174.141/bins.sh" or url like "http://87.11.174.141/bins.sh" or userdomainname like "http://pirati.abuser.eu/yakuza.i586" or url like "http://pirati.abuser.eu/yakuza.i586" or userdomainname like "http://pirati.abuser.eu/yakuza.ppc" or url like "http://pirati.abuser.eu/yakuza.ppc" or userdomainname like "http://pirati.abuser.eu/yakuza.sparc" or url like "http://pirati.abuser.eu/yakuza.sparc" or userdomainname like "http://87.10.220.221/yakuza.arm5" or url like "http://87.10.220.221/yakuza.arm5" or userdomainname like "http://87.10.220.221/yakuza.arm6" or url like "http://87.10.220.221/yakuza.arm6" or userdomainname like "http://87.10.220.221/yakuza.mips" or url like "http://87.10.220.221/yakuza.mips" or userdomainname like "http://87.10.220.221/yakuza.mipsel" or url like "http://87.10.220.221/yakuza.mipsel" or userdomainname like "f.codingdrunk.cc" or url like "f.codingdrunk.cc" or userdomainname like "www.codingdrunk.in" or url like "www.codingdrunk.in" or userdomainname like "eighteen.pirate" or url like "eighteen.pirate" or userdomainname like "nineteen.libre" or url like "nineteen.libre" or userdomainname like "75cents.libre" or url like "75cents.libre" or userdomainname like "2joints.libre" or url like "2joints.libre" or userdomainname like "fortyfivehundred.dyn" or url like "fortyfivehundred.dyn" or userdomainname like "21savage.dyn" or url like "21savage.dyn" or userdomainname like "imaverygoodbadboy.libre" or url like "imaverygoodbadboy.libre" or userdomainname like "le.codingdrunk.in" or url like "le.codingdrunk.in"

    Detection Query 2

    dstipaddress IN ("45.86.86.60","87.10.220.221","194.110.247.46","87.11.174.141","103.149.87.69") or ipaddress IN ("45.86.86.60","87.10.220.221","194.110.247.46","87.11.174.141","103.149.87.69") or publicipaddress IN ("45.86.86.60","87.10.220.221","194.110.247.46","87.11.174.141","103.149.87.69") or srcipaddress IN ("45.86.86.60","87.10.220.221","194.110.247.46","87.11.174.141","103.149.87.69")

    Detection Query 3

    sha256hash IN ("b3ad8409d82500e790e6599337abe4d6edf5bd4c6737f8357d19edd82c88b064","f71dc58cc969e79cb0fdfe5163fbb9ed4fee5e13cc9407a11d231601ee4c6e23","764a03bf28f9eec50a1bd994308e977a64201fbe5d41337bdcc942c74861bcd3","6e3ef9404817e168c974000205b27723bc93abd7fbf0581c16bb5d2e1c5c6e4a","bde6ef047e0880ac7ef02e56eb87d5bc39116e98ef97a5b1960e9a55cea5082b","803abfe19cdc6c0c41acfeb210a2361cab96d5926b2c43e5eb3b589a6ed189ad","b74dbd02b7ebb51700f3c5900283e46570fe497f9b415d25a029623118073519","ec508df7cb142a639b0c33f710d5e49c29a5a578521b6306bee28012aadde4a8","8349ba17f028b6a17aaa09cd17f1107409611a0734e06e6047ccc33e8ff669b0","c7be8d1b8948e1cb095d46376ced64367718ed2d9270c2fc99c7052a9d1ffed7","1ca1d5a53c4379c3015c74af2b18c1d9285ac1a48d515f9b7827e4f900a61bde","ec87dc841af77ec2987f3e8ae316143218e9557e281ca13fb954536aa9f9caf1","df176fb8cfbc7512c77673f862e73833641ebb0d43213492c168f99302dcd5e3","d6a2a22000d68d79caeae482d8cf092c2d84d55dccee05e179a961c72f77b1ba","aaa49b7b4f1e71623c42bc77bb7aa40534bcb7312da511b041799bf0e1a63ee7","faeea9d5091384195e87caae9dd88010c9a2b3b2c88ae9cac8d79fd94f250e9f","7b29053306f194ca75021952f97f894d8eae6d2e1d02939df37b62d3845bfdb7","a06fd0b8936f5b2370db5f7ec933d53bd8a1bf5042cdc5c052390d1ecc7c0e07","b699cd64b9895cdcc325d7dd96c9eca623d3ec0247d20f39323547132c8fa63b","4600703535e35b464f0198a1fa95e3668a0c956ab68ce7b719c28031d69b86ff","48a04c7c33a787ef72f1a61aec9fad87d6bd9c49542f52af7e029ac83475f45d","18c92006951f93a77df14eca6430f32389080838d97c9e47364bf82f6c21a907","9b161a32d89f9b19d40cd4c21d436c1daf208b5d159ffe1df7ad5fd1a57610e5","148f6b990fc1f1903287cd5c20276664b332dd3ba8d58f2bf8c26334c93c3af5","ac2df391ede03df27bcf238077d2dddcde24cd86f16202c5c51ecd31b7596a68","7ab36a93f009058e60c8a45b900c1c7ae38c96005a43a39e45be9dc7af9d6da8","464e2f1faab2a40db44f118f7c3d1f9b300297fe6ced83fabe87563fc82efe95","ea83411bd7b6e5a7364f7b8b9018f0f17f7084aeb58a47736dd80c99cfeac7f1","10d7aedc963ea77302b967aad100d7dd90d95abcdb099c5a0a2df309c52c32b8","7f6912de8bef9ced5b9018401452278570b4264bb1e935292575f2c3a0616ec4","ca3f6dce945ccad5a50ea01262b2d42171f893632fc5c5b8ce4499990e978e5b","afee245b6f999f6b9d0dd997436df5f2abfb3c8d2a8811ff57e3c21637207d62","784c9711eadceb7fedf022b7d7f00cff7a75d05c18ff726e257602e3a3ccccc1","32e66b87f47245a892b102b7141d3845540b270c278e221f502807758a4e5dee","540c00e6c0b53332128b605b0d5e0926db0560a541bb13448d094764844763df","1007f5613a91a5d4170f28e24bfa704c8a63d95a2b4d033ff2bff7e2fe3dcffe","7a815d4ca3771de8a71cde2bdacf951bf48ea5854eb0a2af5db7d13ad51c44ab","59704cf55b9fa439d6f7a36821a50178e9d73ddc5407ff340460c054d7defc54")
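    The three queries above can be exercised outside the Gurucul platform. The Python below is an added example, not part of the advisory or of Gurucul's tooling: it applies the same host, IP and SHA-256 matching to a constructed key=value log export and adds one heuristic drawn from the summary, flagging HNAP requests that arrive from outside the LAN. The field names (ts, direction, src, dst, url, sha256) and the sample traffic are assumptions; the indicators are copied from the advisory.

```python
import re

# Indicators copied from the advisory above: download/C2 hosts and two of the SHA-256 hashes.
IOC_HOSTS = {"103.149.87.69", "87.11.174.141", "87.10.220.221", "45.86.86.60", "194.110.247.46",
             "pirati.abuser.eu", "ru.coziest.lol", "f.codingdrunk.cc", "www.codingdrunk.in",
             "le.codingdrunk.in", "eighteen.pirate", "nineteen.libre", "75cents.libre", "2joints.libre",
             "fortyfivehundred.dyn", "21savage.dyn", "imaverygoodbadboy.libre"}
IOC_SHA256 = {"f71dc58cc969e79cb0fdfe5163fbb9ed4fee5e13cc9407a11d231601ee4c6e23",
              "b3ad8409d82500e790e6599337abe4d6edf5bd4c6737f8357d19edd82c88b064"}

# Constructed sample export (one key=value record per line); field names and traffic are made up.
SAMPLE_LOG = """\
ts=2024-11-03T10:12:01Z direction=outbound src=192.168.1.20 dst=103.149.87.69 url=http://103.149.87.69/la.bot.mips
ts=2024-11-03T10:12:05Z direction=outbound src=192.168.1.20 dst=203.0.113.5 url=http://203.0.113.5/index.html
ts=2024-11-03T10:13:40Z direction=outbound src=192.168.1.31 dst=45.86.86.60 url=-
ts=2024-11-03T10:14:02Z direction=inbound src=198.51.100.77 dst=192.168.1.1 url=http://192.168.1.1/HNAP1/
ts=2024-11-03T10:15:09Z direction=outbound src=192.168.1.20 dst=87.10.220.221 url=http://pirati.abuser.eu/yakuza.arm7 sha256=b3ad8409d82500e790e6599337abe4d6edf5bd4c6737f8357d19edd82c88b064
"""

def parse_line(line):
    # "key=value key=value ..." -> dict (assumed export format)
    return dict(re.findall(r"(\w+)=(\S+)", line))

def match_line(f):
    # Return the reasons one record matches the advisory's indicators (empty list = clean).
    reasons = []
    url = f.get("url", "")
    m = re.match(r"https?://([^/:]+)", url)
    host = m.group(1).lower() if m else ""
    for key in ("dst", "src"):                       # Query 2: every IP column against the C2 IPs
        if f.get(key) in IOC_HOSTS:
            reasons.append(f"{key}_ip_in_ioc_list")
    if host in IOC_HOSTS:                             # Query 1: host part of the requested URL
        reasons.append("url_host_in_ioc_list")
    if f.get("sha256", "").lower() in IOC_SHA256:     # Query 3: hash of a downloaded file
        reasons.append("sha256_in_ioc_list")
    # Heuristic (not one of the advisory's queries): the flaws are reached via HNAP, so an
    # HNAP request arriving from the WAN side of the router is worth a look on its own.
    if "/hnap1/" in url.lower() and f.get("direction") == "inbound":
        reasons.append("inbound_hnap_request")
    return reasons

def scan(log_text):
    # Run the checks over every record; return (timestamp, src, reasons) for each hit.
    hits = []
    for f in (parse_line(l) for l in log_text.splitlines()):
        if reasons := match_line(f):
            hits.append((f.get("ts"), f.get("src"), reasons))
    return hits
```

    Running scan(SAMPLE_LOG) reports four of the five constructed records; the benign request to 203.0.113.5 is the only one that stays quiet.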

    Reference:

    https://www.fortinet.com/blog/threat-research/botnets-continue-to-target-aging-d-link-vulnerabilities


    Tags

    Malware, Botnet, CVE-2015, CVE-2019, CVE-2022, CVE-2024
