Dark Mirai Botnet Description
Although the original Mirai botnet was shut down years ago, its legacy lives on. After the botnet's source code was released, many cybercriminals used it as the basis for their own variants of the malware. One Mirai offshoot that is still active is tracked by the infosec community as Dark Mirai (aka MANGA), and according to the Fortinet researchers monitoring the botnet, its operators continue to equip it with new vulnerabilities to exploit.
One of the latest vulnerabilities added to Dark Mirai affects a popular line of TP-Link home routers; specifically, the affected model is the TL-WR840N EU V5, released in 2017. The vulnerability, CVE-2021-41653, allows an authenticated user to execute commands on the device due to a flaw in the handling of the 'host' variable. It should be noted that TP-Link addressed the issue with a firmware update released on November 12, 2021, so the Dark Mirai operators are banking on users not updating their devices and remaining vulnerable.
Upon discovering a suitable device, the attackers exploit CVE-2021-41653 to download and execute a script named 'tshit.sh'. This script is responsible for fetching the main payloads via two requests. Because the attackers must be authenticated, users who still rely on the default credentials for their router are the ones most likely to be compromised.
Once deployed, Dark Mirai identifies the infected router's architecture and fetches the appropriate payload. The threat then isolates the device from competing botnets by shutting down several commonly targeted ports. Dark Mirai then stays dormant, waiting for commands from its Command-and-Control (C&C) server.