IoT Devices Under Fire by FICORA and CAPSAICIN
Threat Group: Unattributed
Threat Type: IoT-Based Botnets
Exploited Vulnerabilities: D-Link HNAP Interface Flaws (CVE-2015-2051, CVE-2019-10891, CVE-2022-37056, CVE-2024-33112)
Malware Used: Mirai Variant "FICORA", Kaiten Variant "CAPSAICIN"
Threat Score: High (8.7/10) – Due to the exploitation of widely deployed IoT devices and the potential for large-scale Distributed Denial of Service (DDoS) attacks.
Last Threat Observation: December 2024
Overview
In late 2024, cybersecurity researchers observed a significant increase in activity from two botnets: the Mirai variant "FICORA" and the Kaiten variant "CAPSAICIN." Both botnets exploit known vulnerabilities in D-Link devices, particularly through the Home Network Administration Protocol (HNAP) interface, enabling remote command execution. The specific vulnerabilities targeted include CVE-2015-2051, CVE-2019-10891, CVE-2022-37056, and CVE-2024-33112.
The "FICORA" botnet has been active across multiple countries, indicating a broad, non-targeted attack strategy. In contrast, the "CAPSAICIN" botnet exhibited a brief but intense period of activity on October 21–22, 2024, primarily focusing on East Asian nations. Both botnets are capable of launching DDoS attacks, with "FICORA" utilizing multiple protocols such as UDP, TCP, and DNS. The resurgence of these botnets underscores the persistent threat posed by outdated or unpatched IoT devices.
Key Details
- Delivery Method:
- Exploitation of vulnerabilities in D-Link devices via the HNAP interface.
- Use of downloader scripts to fetch malware targeting various Linux architectures.
- Target:
- IoT Devices: Specifically D-Link routers and similar network devices.
- Geographical Focus: "FICORA" targets globally; "CAPSAICIN" primarily targets East Asian countries.
- Functions:
- Distributed Denial-of-Service (DDoS) Attacks.
- Botnet Expansion through Network Propagation.
- Termination of Competing Botnet Processes.
- Data Exfiltration from Infected Devices.
- Malware Deployment and Payload Delivery.
- Obfuscation Techniques:
- Use of encrypted communications for Command and Control (C2) traffic.
- Removal of downloader scripts post-execution to evade detection.
- Dynamic IP allocation to avoid blacklisting.
Attack Vectors
Both "FICORA" and "CAPSAICIN" botnets exploit vulnerabilities in the HNAP interface of D-Link devices, allowing remote attackers to execute arbitrary commands. The "FICORA" botnet downloads and executes a shell script named "multi," which employs methods like "wget," "ftpget," "curl," and "tftp" to retrieve the malware. It terminates processes with the same file extension as "FICORA" before downloading and executing the malware across multiple Linux architectures. The malware's configuration, including its C2 server domain and a unique string, is encrypted using the ChaCha20 algorithm.
The "CAPSAICIN" botnet utilizes a downloader script ("bins.sh") to fetch the bot targeting various Linux architectures. The malware terminates known botnet processes to ensure it remains the sole botnet operating on the victim host. It then connects to its C2 server at 192.110.247[.]46, transmitting the victim's operating system information and a unique nickname back to the server. This variant appears to be linked to the Keksec group's botnets, likely developed from version 17.0.0 of their malware, based on hard-coded information found within it.
Known Indicators of Compromise (IoCs)
CVE
- CVE-2015-2051
- CVE-2019-10891
- CVE-2022-37056
- CVE-2024-33112
URLs
- hxxp://103[.]149[.]87[.]69/multi
- hxxp://103[.]149[.]87[.]69/la.bot.arc
- hxxp://103[.]149[.]87[.]69/la.bot.arm
- hxxp://103[.]149[.]87[.]69/la.bot.arm5
- hxxp://103[.]149[.]87[.]69/la.bot.arm6
- hxxp://103[.]149[.]87[.]69/la.bot.arm7
- hxxp://103[.]149[.]87[.]69/la.bot.m68k
- hxxp://103[.]149[.]87[.]69/la.bot.mips
- hxxp://103[.]149[.]87[.]69/la.bot.mipsel
- hxxp://103[.]149[.]87[.]69/la.bot.powerpc
- hxxp://103[.]149[.]87[.]69/la.bot.sh4
- hxxp://103[.]149[.]87[.]69/la.bot.sparc
- hxxp://87[.]11[.]174[.]141/bins.sh
- hxxp://pirati[.]abuser[.]eu/yakuza.yak.sh
- hxxp://pirati[.]abuser[.]eu/yakuza.arm5
- hxxp://pirati[.]abuser[.]eu/yakuza.arm6
- hxxp://pirati[.]abuser[.]eu/yakuza.arm7
- hxxp://pirati[.]abuser[.]eu/yakuza.i586
- hxxp://pirati[.]abuser[.]eu/yakuza.i686
- hxxp://pirati[.]abuser[.]eu/yakuza.m68k
- hxxp://pirati[.]abuser[.]eu/yakuza.mips
- hxxp://pirati[.]abuser[.]eu/yakuza.mipsel
- hxxp://pirati[.]abuser[.]eu/yakuza.ppc
- hxxp://pirati[.]abuser[.]eu/yakuza.sparc
- hxxp://pirati[.]abuser[.]eu/yakuza.x86
- hxxp://87[.]10[.]220[.]221/bins.sh
- hxxp://87[.]10[.]220[.]221/yakuza.sh
- hxxp://87[.]10[.]220[.]221/yakuza.arm4
- hxxp://87[.]10[.]220[.]221/yakuza.arm5
- hxxp://87[.]10[.]220[.]221/yakuza.arm6
- hxxp://87[.]10[.]220[.]221/yakuza.arm7
- hxxp://87[.]10[.]220[.]221/yakuza.i586
- hxxp://87[.]10[.]220[.]221/yakuza.i686
- hxxp://87[.]10[.]220[.]221/yakuza.m68k
- hxxp://87[.]10[.]220[.]221/yakuza.mips
- hxxp://87[.]10[.]220[.]221/yakuza.mipsel
- hxxp://87[.]10[.]220[.]221/yakuza.ppc
- hxxp://87[.]10[.]220[.]221/yakuza.sparc
- hxxp://87[.]10[.]220[.]221/yakuza.x86
Hosts/Domains
- ru[.]coziest[.]lol
- f[.]codingdrunk[.]cc
- www[.]codingdrunk[.]in
- eighteen[.]pirate
- nineteen[.]libre
- 75cents[.]libre
- 2joints[.]libre
- fortyfivehundred[.]dyn
- 21savage[.]dyn
- imaverygoodbadboy[.]libre
- le[.]codingdrunk[.]in
- pirati[.]abuser[.]eu
IP Addresses
- 103[.]149[.]87[.]69
- 87[.]11[.]174[.]141
- 87[.]10[.]220[.]221
- 45[.]86[.]86[.]60
- 194[.]110[.]247[.]46
File Hashes (SHA256)
- f71dc58cc969e79cb0fdfe5163fbb9ed4fee5e13cc9407a11d231601ee4c6e23
- ea83411bd7b6e5a7364f7b8b9018f0f17f7084aeb58a47736dd80c99cfeac7f1
- 48a04c7c33a787ef72f1a61aec9fad87d6bd9c49542f52af7e029ac83475f45d
- 18c92006951f93a77df14eca6430f32389080838d97c9e47364bf82f6c21a907
- 9b161a32d89f9b19d40cd4c21d436c1daf208b5d159ffe1df7ad5fd1a57610e5
- faeea9d5091384195e87caae9dd88010c9a2b3b2c88ae9cac8d79fd94f250e9f
- 10d7aedc963ea77302b967aad100d7dd90d95abcdb099c5a0a2df309c52c32b8
- 7f6912de8bef9ced5b9018401452278570b4264bb1e935292575f2c3a0616ec4
- a06fd0b8936f5b2370db5f7ec933d53bd8a1bf5042cdc5c052390d1ecc7c0e07
- 764a03bf28f9eec50a1bd994308e977a64201fbe5d41337bdcc942c74861bcd3
- df176fb8cfbc7512c77673f862e73833641ebb0d43213492c168f99302dcd5e3
- ac2df391ede03df27bcf238077d2dddcde24cd86f16202c5c51ecd31b7596a68
- ca3f6dce945ccad5a50ea01262b2d42171f893632fc5c5b8ce4499990e978e5b
- afee245b6f999f6b9d0dd997436df5f2abfb3c8d2a8811ff57e3c21637207d62
- ec508df7cb142a639b0c33f710d5e49c29a5a578521b6306bee28012aadde4a8
- 8349ba17f028b6a17aaa09cd17f1107409611a0734e06e6047ccc33e8ff669b0
- b3ad8409d82500e790e6599337abe4d6edf5bd4c6737f8357d19edd82c88b064
- ec87dc841af77ec2987f3e8ae316143218e9557e281ca13fb954536aa9f9caf1
- 784c9711eadceb7fedf022b7d7f00cff7a75d05c18ff726e257602e3a3ccccc1
- bde6ef047e0880ac7ef02e56eb87d5bc39116e98ef97a5b1960e9a55cea5082b
- c7be8d1b8948e1cb095d46376ced64367718ed2d9270c2fc99c7052a9d1ffed7
- 4600703535e35b464f0198a1fa95e3668a0c956ab68ce7b719c28031d69b86ff
- 6e3ef9404817e168c974000205b27723bc93abd7fbf0581c16bb5d2e1c5c6e4a
- 32e66b87f47245a892b102b7141d3845540b270c278e221f502807758a4e5dee
- 540c00e6c0b53332128b605b0d5e0926db0560a541bb13448d094764844763df
- b74dbd02b7ebb51700f3c5900283e46570fe497f9b415d25a029623118073519
- 148f6b990fc1f1903287cd5c20276664b332dd3ba8d58f2bf8c26334c93c3af5
- 464e2f1faab2a40db44f118f7c3d1f9b300297fe6ced83fabe87563fc82efe95
- b699cd64b9895cdcc325d7dd96c9eca623d3ec0247d20f39323547132c8fa63b
- 1007f5613a91a5d4170f28e24bfa704c8a63d95a2b4d033ff2bff7e2fe3dcffe
- 7a815d4ca3771de8a71cde2bdacf951bf48ea5854eb0a2af5db7d13ad51c44ab
- d6a2a22000d68d79caeae482d8cf092c2d84d55dccee05e179a961c72f77b1ba
- 7ab36a93f009058e60c8a45b900c1c7ae38c96005a43a39e45be9dc7af9d6da8
- 803abfe19cdc6c0c41acfeb210a2361cab96d5926b2c43e5eb3b589a6ed189ad
- 7b29053306f194ca75021952f97f894d8eae6d2e1d02939df37b62d3845bfdb7
- 59704cf55b9fa439d6f7a36821a50178e9d73ddc5407ff340460c054d7defc54
- aaa49b7b4f1e71623c42bc77bb7aa40534bcb7312da511b041799bf0e1a63ee7
- 1ca1d5a53c4379c3015c74af2b18c1d9285ac1a48d515f9b7827e4f900a61bde
Mitigation and Prevention
- User Awareness:
- Educate users about the risks associated with insecure IoT devices.
- Encourage changing default passwords to strong, unique credentials.
- Email Filtering:
- Implement filters to block phishing attempts aimed at obtaining IoT device administrative credentials.
- Antivirus Protection:
- Deploy security solutions compatible with IoT devices to detect and prevent malicious activities.
- Two-Factor Authentication (2FA):
- Enable 2FA for administrative access to IoT devices to enhance security.
- Monitor Logs:
- Regularly inspect network logs for unusual traffic patterns or connections to suspicious C2 domains.
- Regular Updates:
- Apply firmware updates and patches to all IoT devices to mitigate vulnerabilities.
Risk Assessment
FICORA and CAPSAICIN botnets present a high level of risk due to their global proliferation and exploitation of widely used IoT devices. The vulnerabilities they target are longstanding but continue to pose threats due to poor patching practices in many organizations. The ability of these botnets to conduct DDoS attacks, propagate across networks, and disable competing malware increases their destructive potential.
For enterprises, the risks are magnified if IoT devices are connected to critical infrastructure or corporate networks. The potential downtime, data breaches, and costs associated with remediation make these botnets a significant threat.
Conclusion
Organizations must take proactive measures to mitigate the risks posed by IoT botnets like FICORA and CAPSAICIN. This includes implementing strong security practices, such as regular firmware updates, isolating IoT devices on separate VLANs, and monitoring network traffic for anomalies. By addressing these vulnerabilities and ensuring comprehensive patch management, enterprises can significantly reduce their attack surface and prevent the deployment of malware through outdated IoT devices.
The continued prevalence of these botnets highlights the importance of maintaining vigilance and adopting a defense-in-depth strategy. Organizations should treat IoT security as a critical component of their overall cybersecurity framework.