Ballista Botnet
A new botnet campaign dubbed Ballista has been identified, explicitly targeting unpatched TP-Link Archer routers. Cybersecurity researchers have found that the botnet takes advantage of a Remote Code Execution (RCE) vulnerability—CVE-2023-1389—to propagate across the Internet. This high-severity flaw affects TP-Link Archer AX-21 routers, allowing attackers to execute commands remotely and take control of the device.
A Timeline of Exploitation
Evidence of active exploitation dates back to April 2023, when unknown threat actors first used the vulnerability to distribute Mirai botnet malware. Since then, it has been leveraged to spread other malware strains, including Condi and AndroxGh0st, further increasing its reach and impact.
How the Attack Works
The attack sequence begins with a malware dropper—a shell script named 'dropbpb.sh'—which downloads and executes a malicious binary on targeted routers. The malware is designed to run on multiple system architectures, including MIPS, mipsel, armv5l, armv7l and x86_64. Once installed, it establishes an encrypted Command-and-Control (C2) channel on port 82, allowing attackers to remotely control the infected device.
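As an added, defender-side example that is not part of the original article, the following Python scanner flags the indicators described above (the dropbpb.sh dropper, the C2 port 82 and the initial C2 address 2.237.57.70) in router log lines. The log format, the field names and the sample lines are assumptions constructed for the example; the port-82 heuristic generalises beyond the one known C2 address but is only a weak signal and is suppressed for private destinations.

```python
import ipaddress
import re
from dataclasses import dataclass

# Indicators the article gives: the dropper file name, the C2 port and the
# initial C2 IP. A starting point only; newer samples use Tor domains instead.
DROPPER_NAME = "dropbpb.sh"
C2_PORT = 82
KNOWN_C2_IPS = {"2.237.57.70"}

# Constructed sample lines (not real captures) in an assumed format:
# "<ts> flow <src> -> <dst>:<port> <flags>" for connections and
# "<ts> exec <src> <command>" for a process-execution audit record.
SAMPLE_LOGS = """\
2025-03-10T10:00:01Z flow 192.168.0.23 -> 2.237.57.70:82 SYN
2025-03-10T10:00:02Z exec 192.168.0.23 sh /tmp/dropbpb.sh
2025-03-10T10:00:03Z flow 192.168.0.23 -> 93.184.216.34:443 SYN
2025-03-10T10:00:04Z flow 192.168.0.23 -> 10.0.0.5:82 SYN
2025-03-10T10:00:05Z flow 192.168.0.23 -> 198.0.2.1:82 SYN
"""

FLOW_RE = re.compile(r"^\S+ flow (?P<src>\S+) -> (?P<dst>[\d.]+):(?P<port>\d+) ")
EXEC_RE = re.compile(r"^\S+ exec (?P<src>\S+) (?P<cmd>.*)$")


@dataclass
class Alert:
    line_no: int
    host: str
    reason: str


def scan_logs(text: str) -> list[Alert]:
    # One Alert per log line that matches a Ballista indicator.
    alerts: list[Alert] = []
    for n, line in enumerate(text.splitlines(), start=1):
        if m := FLOW_RE.match(line):
            dst, port = m["dst"], int(m["port"])
            if dst in KNOWN_C2_IPS:
                alerts.append(Alert(n, m["src"], f"connection to known C2 {dst}"))
            # Weaker heuristic: router talking to a public host on the C2 port.
            # Private destinations are skipped to limit noise from LAN services.
            elif port == C2_PORT and not ipaddress.ip_address(dst).is_private:
                alerts.append(Alert(n, m["src"], f"outbound TCP/{C2_PORT} to {dst}"))
        elif (m := EXEC_RE.match(line)) and DROPPER_NAME in m["cmd"]:
            alerts.append(Alert(n, m["src"], f"execution of dropper {DROPPER_NAME}"))
    return alerts


if __name__ == "__main__":
    for a in scan_logs(SAMPLE_LOGS):
        print(f"line {a.line_no}: {a.host}: {a.reason}")
```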
Capabilities of the Ballista Botnet
Once inside a system, Ballista enables attackers to execute a range of commands, including:
- Flooder – Launches a flood-based denial-of-service (DoS) attack.
- Exploiter – Exploits CVE-2023-1389 to infect additional routers.
- Start – Initiates the exploiter module.
- Close – Stops the exploit module.
- Shell – Executes Linux shell commands on the infected system.
- Killall – Terminates the running malware service.
Additionally, the malware can erase traces of its own presence and spread autonomously by seeking out and exploiting vulnerable devices.
Signs of an Italian Connection
An analysis of Ballista's infrastructure reveals an Italian link. The malware binaries contain Italian-language strings, and the initial C2 server was hosted at 2.237.57.70, an Italian IP address. However, the malware appears to be under continuous development, as newer versions now use Tor network domains instead of hardcoded IP addresses.
Global Impact: Thousands of Routers at Risk
A targeted search suggests that over 6,000 devices have already been affected by Ballista. The most vulnerable regions include Brazil, Poland, the United Kingdom, Bulgaria and Turkey. Given its active evolution, this botnet remains a significant threat to unpatched routers worldwide.