Ballista Botnet: A Cyber Threat Exploiting TP-Link Archer Routers

Cybersecurity researchers have uncovered another botnet campaign dubbed Ballista, which has been targeting unpatched TP-Link Archer routers. The campaign, first detected on January 10, 2025, takes advantage of a known vulnerability (CVE-2023-1389) to infiltrate devices and spread across the internet. Unlike other botnets that have previously exploited this flaw, Ballista appears to be under active development, posing a significant concern for users and organizations worldwide.

What is the Ballista Botnet?

Ballista is a malicious software campaign designed to compromise vulnerable TP-Link Archer AX-21 routers. It exploits CVE-2023-1389, a high-severity security flaw that allows for command injection and, ultimately, remote code execution (RCE). Once a router is compromised, Ballista installs itself, establishes an encrypted command-and-control (C2) channel, and follows a structured attack sequence to achieve its goals.

The botnet spreads by executing a malware dropper, identified as "dropbpb.sh," which fetches and runs the main payload on infected devices. This malware can operate across various system architectures, including mips, mipsel, armv5l, armv7l, and x86_64. Once inside, the botnet executes commands, performs denial-of-service (DoS) attacks, and even deletes traces of its own presence to avoid detection.

What Does Ballista Aim to Achieve?

The primary goal of Ballista appears to be gaining control over compromised devices for various malicious purposes. Some of the key functionalities include:

• Executing Shell Commands: The malware allows attackers to run Linux shell commands remotely, giving them extensive control over the infected router.
• Denial-of-Service (DoS) Attacks: Using a command known as "flooder," Ballista can initiate flood attacks, disrupting network operations.
• Spreading to Other Routers: The malware can exploit the same vulnerability on other unpatched routers, significantly increasing its reach.
• Data Access and Exfiltration: It attempts to read sensitive files from the compromised system, potentially exposing confidential information.
• Self-Preservation and Evolution: Ballista is designed to remove previous versions of itself, ensuring only the latest iteration is active. Additionally, recent updates indicate that the botnet has shifted from hardcoded IP addresses to using TOR network domains, making it more difficult to track and mitigate.

What Are the Implications?

Ballista's emergence highlights ongoing security challenges for internet-connected devices, particularly consumer-grade routers that are often left unpatched. The botnet's reach is extensive, with over 6,000 targeted devices spread across Brazil, Poland, the United Kingdom, Bulgaria, and Turkey. It has also been linked to attacks on businesses in the manufacturing, healthcare, services, and technology sectors across the United States, Australia, China, and Mexico.

The implications of this botnet go beyond individual router infections. Since compromised devices can be leveraged for large-scale cyberattacks, Ballista has the potential to contribute to global cyber threats, including:

• Increased Botnet-Fueled Attacks: With a growing number of infected devices, attackers could use Ballista for coordinated DoS attacks, crippling targeted services.
• Data Breaches and Espionage: Access to sensitive files could lead to unauthorized data exfiltration, putting both individuals and organizations at risk.
• Supply Chain Vulnerabilities: Businesses relying on compromised routers could unknowingly become part of larger cybercriminal campaigns.
• Difficulty in Tracking and Neutralizing: The botnet's transition to using TOR network domains makes it harder to pinpoint the attackers and shut down their operations.

How to Protect Against Ballista?

Given the severity of the threat, users must take proactive steps to secure their routers:

1. Update Router Firmware: Ensure the TP-Link Archer AX-21 firmware is updated to the latest version, as manufacturers routinely release patches to fix security vulnerabilities.
2. Disable Remote Management: If not needed, turn off remote access features to prevent unauthorized connections.
3. Use Strong Credentials: Avoid default login credentials and use complex passwords for router administration.
4. Monitor Network Traffic: Unusual activity, such as spikes in outbound traffic, could indicate infection.
5. Factory Reset and Reconfigure: If a device is suspected to be compromised, performing a factory reset and setting it up from scratch may help remove the malware.
6. Implement Firewall Rules: Restrict unnecessary access to administrative ports and block suspicious IP addresses.

The Road Ahead

Ballista is not the first botnet to exploit router vulnerabilities, and it certainly won't be the last. The presence of Italian language strings in the malware binaries suggests a possible origin, but with its evolving nature, the true operators remain unknown. The botnet's shift towards anonymized networks indicates that it is actively being refined, making mitigation efforts more challenging.

While Ballista remains distinct from other botnets like Mirai and Mozi, its ability to self-propagate and execute powerful attacks makes it a noteworthy development in the cybersecurity landscape. As more details emerge, staying informed and taking necessary precautions will be key in preventing widespread damage.

By prioritizing security updates and following best practices, users can reduce the risk of Ballista and similar threats. The fight against botnets is ongoing, but awareness and timely action can significantly limit their impact.