Multiple malware botnets target Cacti and Realtek vulnerabilities
Experts in cybersecurity have lately identified a significant increase in the activity of botnets that propagate malware and attack vulnerable network devices. These assaults transmit the ShellBot and Moobot malware by exploiting flaws in two software tools: the Realtek Jungle SDK and the Cacti fault management monitoring tool.
The two vulnerabilities being targeted, CVE-2021-35394 and CVE-2022-46169, are deemed highly critical since they allow attackers to execute code remotely. CVE-2022-46169 is a bug that lets attackers circumvent authentication and inject commands into Cacti servers, whilst CVE-2021-35394 is a vulnerability that allows arbitrary commands to be injected into the Realtek Jungle SDK. It is worth mentioning that other botnet software such as Fodcha, RedGoBot, Mirai, Gafgyt, and Mozi have already exploited these vulnerabilities.
According to Fortinet FortiGuard Labs research, cyber attackers have been leveraging the flaws to disseminate ShellBot (also known as PerlBot) and MooBot malware. Although these flaws have previously been used to disseminate Mirai, Gafgyt, Mozi, and RedGoBot, this is the first time they have been used to distribute MooBot, a Mirai variant that has been active since 2019.
Moobot infects vulnerable hosts by exploiting CVE-2022-46169 and CVE-2021-35394. When Moobot infects a machine, it downloads a script containing its configuration and connects to the C2 server. After that, the malware transmits heartbeat messages until it receives a command, at which point it launches its attack. Moobot’s ability to scan for and terminate processes belonging to other botnets allows it to keep the compromised host’s hardware resources for itself and execute DDoS assaults.
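The heartbeat behaviour described above is something a defender can look for on the network. The following is an added example, not code from the article or from Fortinet’s report: it scans a constructed connection log (assumed line format `epoch src_ip dst_ip dst_port`) and flags flows whose inter-connection intervals are suspiciously regular. The 60-second interval and the addresses are constructed; the page does not state Moobot’s real heartbeat timing.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log: 10.0.0.5 contacts 203.0.113.7:6667 roughly every
# 60 s (timer-driven, beacon-like), while its connections to
# 198.51.100.10:443 are irregular (browsing-like). Format: epoch src dst dport.
SAMPLE_LOG = """\
1700000000 10.0.0.5 203.0.113.7 6667
1700000007 10.0.0.5 198.51.100.10 443
1700000061 10.0.0.5 203.0.113.7 6667
1700000090 10.0.0.5 198.51.100.10 443
1700000119 10.0.0.5 203.0.113.7 6667
1700000121 10.0.0.5 198.51.100.10 443
1700000180 10.0.0.5 203.0.113.7 6667
1700000240 10.0.0.5 203.0.113.7 6667
1700000300 10.0.0.5 203.0.113.7 6667
1700000341 10.0.0.5 198.51.100.10 443
"""


def parse(log_text):
    """Parse log lines into sorted (ts, src, dst, dport) tuples."""
    recs = []
    for line in log_text.splitlines():
        if line.strip():
            ts, src, dst, dport = line.split()
            recs.append((int(ts), src, dst, int(dport)))
    return sorted(recs)


def find_beacons(records, min_events=4, max_cv=0.2):
    """Return {(src, dst, dport): (mean_gap, cv)} for regular flows.

    cv is stdev/mean of the gaps between consecutive connections; a fixed
    timer yields a small cv, human-driven traffic does not.  Thresholds are
    assumptions to tune per environment.
    """
    by_flow = defaultdict(list)
    for ts, src, dst, dport in records:
        by_flow[(src, dst, dport)].append(ts)
    hits = {}
    for flow, times in by_flow.items():
        if len(times) < min_events:
            continue
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            hits[flow] = (round(avg, 1), round(pstdev(gaps) / avg, 3))
    return hits


if __name__ == "__main__":
    for flow, (avg, cv) in find_beacons(parse(SAMPLE_LOG)).items():
        print(f"beacon-like: {flow} every ~{avg}s (cv={cv})")
```

Low-jitter beaconing is only a lead: confirm a hit by inspecting the destination, the port, and the host for the dropped configuration script before acting on it.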
ShellBot, on the other hand, is primarily concerned with exploiting the Cacti vulnerability. Fortinet discovered three separate versions of ShellBot, indicating that it is actively being developed. The initial version connects to the C2 server and waits for orders to perform different operations such as port scanning, removing files and folders, transmitting version information, downloading a file, initiating UDP DDoS assaults, or injecting a reverse shell. The second version has a broader set of instructions, as well as a module for upgrading exploits that pulls data from public advisories and news from PacketStorm and milw0rm.
Fortinet’s report does not explicitly state whether the same threat actors spread Moobot and ShellBot. Still, payloads were observed exploiting the same flaws in overlapping attack bursts. The recommended action to defend against Moobot and ShellBot is to use strong administrator passwords and apply the security updates that fix the mentioned vulnerabilities. If your device is no longer supported by its vendor, it should be replaced with a newer model that receives security updates.
The sources for this piece include an article in BleepingComputer.