Multiple malware botnets actively target Cacti and Realtek vulnerabilities in campaigns detected between January and March 2023, spreading ShellBot and Moobot malware.
The targeted flaws are CVE-2021-35394, a critical remote code execution vulnerability in Realtek Jungle SDK, and CVE-2022-46169, a critical command injection flaw in the Cacti fault management monitoring tool.
Both flaws have been exploited by other botnet malware in the past, including Fodcha, RedGoBot, Mirai, Gafgyt, and Mozi.
Fortinet reports that the volume of the malicious activity in 2023 is significant, targeting exposed network devices to enlist them in DDoS (distributed denial of service) swarms.
While Fortinet’s report does not explicitly state if the same threat actors spread Moobot and ShellBot, payloads were observed exploiting the same flaws in overlapping attack bursts.
Moobot infections
Moobot, a variant of Mirai, was first discovered in December 2021, targeting Hikvision cameras. In September 2022, it was updated to target multiple D-Link RCE flaws.
Currently, it targets CVE-2021-35394 and CVE-2022-46169 to infect vulnerable hosts, then downloads a script containing its configuration and establishes a connection with the C2 server.
Moobot continues to exchange heartbeat messages until it recognizes an incoming command, which is when it initiates its attack.
A notable feature of new Moobot versions is their ability to scan for and kill processes of other known bots so that they can harvest the maximum hardware power of the infected host to launch DDoS attacks.
ShellBot attacks
ShellBot was first spotted in January 2023 and continues to be active today, primarily targeting the Cacti flaw. Fortinet captured three malware variants, indicating that it is being actively developed.
The first variant establishes communication with the C2 and awaits the reception of one of the following commands:
- ps – perform a port scan on the specified target and port
- nmap – perform a Nmap port scan on a specified port range
- rm – delete files and folders
- version – send version information
- down – download a file
- udp – initiate UDP DDoS attack
- back – inject reverse shell
The second variant of ShellBot, which first appeared in March 2023 and already counts hundreds of victims, features a much more extensive set of commands, as shown below:
Interestingly, the malware features an exploit enhancement module that aggregates news and public advisories from PacketStorm and milw0rm.
The recommended action to defend against Mootbot and ShellBot is to use strong administrator passwords and apply the security updates that fix the mentioned vulnerabilities.
If your device is no longer supported by its vendor, it should be replaced with a newer model to receive security updates.