
Unleashed Chaos: The Condi Malware Takes Control of TP-Link Wi-Fi Routers for Devastating DDoS Botnet Assaults


A newly discovered malware, Condi, has emerged as a significant threat, leveraging a security vulnerability in TP-Link Archer AX21 (AX1800) Wi-Fi routers. Its primary objective is to harness these compromised devices, assembling them into a powerful Distributed Denial-of-Service (DDoS) botnet. Researchers have noted a sharp rise in the campaign's intensity since the conclusion of May 2023.

Who's Behind Condi?

The mastermind behind Condi is an individual known by the online moniker zxcr9999, who actively promotes his illicit activities through the Telegram channel Condi Network. Beginning in May 2022, the threat actor has monetized his botnet by offering DDoS-as-a-service and even selling the malware's source code. Security researchers have thoroughly analyzed the malware, uncovering its ability to eliminate competing botnets on the same host. However, Condi lacks a persistence mechanism, rendering it unable to survive a system reboot.

To compensate for its lack of persistence, Condi deletes several binaries used to shut down or reboot the system, so that an infected device is less likely to be restarted. These binaries are /usr/sbin/reboot, /usr/bin/reboot, /usr/sbin/shutdown, /usr/bin/shutdown, /usr/sbin/poweroff, /usr/bin/poweroff, /usr/sbin/halt, and /usr/bin/halt. It's worth noting that the Mirai botnet previously exploited the same vulnerability.
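Because Condi's only "persistence" is removing the reboot and shutdown binaries, their absence is a cheap integrity signal a defender can check on a live device or a mounted firmware image. The following audit is an added example, not code from the original report; the `root` parameter and the constructed sample trees are assumptions for offline testing.

```python
import os
import tempfile
from typing import Dict, Tuple

# Paths the report says Condi removes so the device cannot be rebooted
# or shut down. Auditing for their absence is a simple integrity check.
CONDI_SHUTDOWN_BINARIES = (
    "/usr/sbin/reboot", "/usr/bin/reboot",
    "/usr/sbin/shutdown", "/usr/bin/shutdown",
    "/usr/sbin/poweroff", "/usr/bin/poweroff",
    "/usr/sbin/halt", "/usr/bin/halt",
)


def audit_shutdown_binaries(root: str = "/") -> Dict[str, str]:
    """Classify each expected path as 'present', 'dangling' (a symlink whose
    target is gone, common on BusyBox-based firmware) or 'missing'.
    `root` lets the check run against a mounted image or a test tree."""
    report = {}
    for path in CONDI_SHUTDOWN_BINARIES:
        full = os.path.join(root, path.lstrip("/"))
        if os.path.exists(full):
            report[path] = "present"
        elif os.path.lexists(full):
            report[path] = "dangling"
        else:
            report[path] = "missing"
    return report


def suspicious(report: Dict[str, str]) -> bool:
    """Flag when every reboot/shutdown entry point is gone. A stock image
    ships at least one of them, so all absent matches the tampering
    described above, while a single missing path is usually just layout."""
    return all(state != "present" for state in report.values())


def build_sample_tree() -> Tuple[str, str]:
    """Construct two throwaway trees: a clean one, and one mimicking the
    post-infection state (binaries removed, one left as a dangling link)."""
    clean = tempfile.mkdtemp(prefix="clean_")
    for rel in ("usr/sbin/reboot", "usr/bin/halt"):
        os.makedirs(os.path.dirname(os.path.join(clean, rel)), exist_ok=True)
        open(os.path.join(clean, rel), "w").close()
    infected = tempfile.mkdtemp(prefix="infected_")
    os.makedirs(os.path.join(infected, "usr/bin"))
    os.symlink("/nonexistent/busybox", os.path.join(infected, "usr/bin/reboot"))
    return clean, infected
```

On a real router or extracted firmware, call `audit_shutdown_binaries("/")` or `audit_shutdown_binaries("/mnt/fw")` and alert when `suspicious()` returns true.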

Contrary to other widespread malware, Condi utilizes a scanner module to identify TP-Link Archer AX21 routers vulnerable to CVE-2023-1389 (CVSS score: 8.8). Instead of employing brute-force attacks like some botnets, Condi executes a shell script obtained from a remote server to deposit the malware on the identified devices.

According to security analysts, multiple variants of Condi have surfaced, exploiting various known security vulnerabilities to propagate. This means that devices running unpatched software are particularly susceptible to this botnet malware. Beyond its aggressive monetization tactics, Condi's primary objective is to compromise devices and establish a formidable DDoS botnet. This botnet can then be rented out to other threat actors, enabling them to launch TCP and UDP flood attacks against targeted websites and services.

Neutralizing botnets is paramount in maintaining a secure and stable digital ecosystem. Botnets, such as the Condi malware, can exploit vulnerabilities in unpatched software and harness a network of compromised devices for harmful activities, such as DDoS attacks. These attacks disrupt online services and significantly threaten the integrity and availability of critical infrastructure. Individuals, organizations, and security professionals must remain vigilant, keep software up to date, and employ robust security measures to detect and mitigate botnet threats. By actively neutralizing botnets, we can safeguard our digital environments and contribute to a safer online landscape for all users.
