Between January and March 2023, multiple malware botnets actively targeted vulnerabilities in Cacti and Realtek devices to spread the ShellBot and Moobot malware.
These campaigns are significant, with the malware targeting exposed network devices to enlist them in DDoS swarms. Both botnets exploit CVE-2021-35394, a critical remote code execution vulnerability in Realtek Jungle SDK, and CVE-2022-46169, a critical command injection flaw in the Cacti fault management monitoring tool, which have also been targeted by other botnet malware in the past.
Moobot is a variant of Mirai that was first discovered in December 2021, targeting Hikvision cameras.
It has been updated to target multiple D-Link RCE flaws and currently infects vulnerable hosts by targeting CVE-2021-35394 and CVE-2022-46169, after which it downloads a script containing its configuration and establishes a connection with the C2 server.
Additionally, Moobot is capable of scanning for and killing the processes of other known bots, which clears the way for it to launch DDoS attacks from the infected device.
ShellBot primarily targets the Cacti flaw and was first detected in January 2023.
Furthermore, Fortinet has captured three malware variants of ShellBot, indicating that it is actively being developed. The first variant waits for one of several specific commands to initiate an attack, while the second variant, which already counts hundreds of victims, features a much more extensive set of commands, including an exploit enhancement module that aggregates news and public advisories from PacketStorm and milw0rm.
To defend against Moobot and ShellBot, it is recommended to use strong administrator passwords and to apply the security updates that fix the vulnerabilities being exploited.
If a device is no longer supported by its vendor, it should be replaced with a newer model to receive security updates.