Dark Mirai Botnet Targets TP-LINK TL-WR840N Routers
The Dark Mirai Botnet is one of many variants of the Mirai botnet, which has threatened IoT devices for the past five years. Although the original project has long been abandoned, its publicly available source code continues to be reused by malware operators, and Dark Mirai is just one of many projects doing so.
This botnet specializes in distributed denial-of-service (DDoS) attacks, and it has recently added a new exploit to its collection of attack techniques. The vulnerability affects a TP-LINK router released in 2017, the TL-WR840N EU V5. It is already patched in the latest firmware update for the hardware, but unfortunately many users are still running an outdated version.
The vulnerability, tracked as CVE-2021-41653, allows remote code execution by an authenticated user. The criminals use it to run a bash script that downloads the final payload; the script also modifies the router's configuration to block specific ports, which prevents other botnets from infecting the device. Importantly, because the exploit is unusable without administrator credentials, the Dark Mirai Botnet can only take over devices that are still using the default login credentials.
Once the implant is running, the criminals control it remotely and command it to carry out DDoS attacks. The Dark Mirai Botnet appears to have no other purpose; it is used exclusively to take services and websites offline. Protecting devices from Dark Mirai and similar threats comes down to running the latest available firmware and choosing a strong password for every account with elevated privileges.
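The two exposure conditions the article names, outdated firmware and default or weak administrator credentials, can be turned into a simple self-audit. The following is an added example written for this page, not code from the article, TP-LINK or the botnet; the default-credential list, the firmware version strings and the "fixed version" argument are constructed placeholders (the article does not state the patched firmware version, so the operator supplies it from the vendor's release notes).

```python
"""Defender-side exposure check for a router admin account and firmware level.

Added example, not taken from the article or any vendor tool. All sample
values below are constructed placeholders.
"""
import re

# Constructed list of common factory default credential pairs (assumption,
# not taken from the article). Extend it with the pairs printed on your own
# device labels.
DEFAULT_CREDENTIALS = {
    ("admin", "admin"),
    ("admin", "password"),
    ("admin", "1234"),
    ("root", "root"),
}

MIN_PASSWORD_LENGTH = 12
MIN_CHARACTER_CLASSES = 3


def character_classes(password: str) -> int:
    """Count how many of lower/upper/digit/symbol classes the password uses."""
    classes = 0
    classes += any(c.islower() for c in password)
    classes += any(c.isupper() for c in password)
    classes += any(c.isdigit() for c in password)
    classes += any(not c.isalnum() for c in password)
    return classes


def parse_version(version: str) -> tuple:
    """Turn a vendor-style version string into a comparable integer tuple.

    Example (constructed format): "1.0.0 Build 20211101" -> (1, 0, 0, 20211101).
    """
    return tuple(int(n) for n in re.findall(r"\d+", version))


def assess_router(username: str, password: str,
                  firmware_version: str, fixed_version: str) -> list:
    """Return a list of findings for the given admin account and firmware.

    fixed_version is the first firmware build the vendor states as patched;
    it is an input here because the article does not give it.
    """
    findings = []

    # An attacker who knows the factory default can authenticate and reach
    # the authenticated RCE; that is the condition the article warns about.
    if (username, password) in DEFAULT_CREDENTIALS:
        findings.append("default-credentials")
    elif (len(password) < MIN_PASSWORD_LENGTH
          or character_classes(password) < MIN_CHARACTER_CLASSES):
        findings.append("weak-password")

    # Anything older than the vendor's fixed build still carries the bug.
    if parse_version(firmware_version) < parse_version(fixed_version):
        findings.append("outdated-firmware")

    return findings


if __name__ == "__main__":
    # Constructed sample inputs; version strings are placeholders.
    print(assess_router("admin", "admin",
                        "1.0.0 Build 20200101", "1.0.0 Build 20211101"))
    print(assess_router("admin", "Xq7!vL2#pR9$tW4z",
                        "1.0.0 Build 20211101", "1.0.0 Build 20211101"))
```

Both findings map directly to the article's mitigation advice: a `default-credentials` or `weak-password` result means changing the admin password, and `outdated-firmware` means applying the vendor's latest firmware update.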