{"id":17987,"date":"2022-02-02T10:18:14","date_gmt":"2022-02-02T18:18:14","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2022\/02\/02\/news-11720\/"},"modified":"2022-02-02T10:18:14","modified_gmt":"2022-02-02T18:18:14","slug":"news-11720","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2022\/02\/02\/news-11720\/","title":{"rendered":"MANGA aka Dark Mirai-based Campaign Targets New TP-Link Router RCE Vulnerability"},"content":{"rendered":"
\n
\n
<\/div>\n<\/p><\/div>\n
<\/div>\n
\n

FortiGuard Labs<\/a>\u00a0Threat\u00a0Research Report<\/b><\/p>\n

Affected Platforms:<\/b>\u00a0Linux
Impacted Users:<\/b>\u00a0 \u00a0 \u00a0 Any organization
Impact:<\/b>\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0Remote attackers gain control of the vulnerable systems
Severity Level:<\/b>\u00a0 \u00a0 \u00a0 \u00a0 \u00a0Critical<\/p>\n


<\/u>Last week, our FortiGuard Labs team encountered a malware sample that\u2019s currently being distributed in the wild targeting TP-link wireless routers. It leverages a recently post-authenticated RCE vulnerability\u00a0released barely two weeks prior.<\/p>\n

As it turns out, it is an updated variant of the MANGA campaign (also known as Dark) that distributes samples based on Mirai\u2019s published source code. This Mirai-based Distributed Denial of Service (DDOS) botnet campaign is one that FortiGuard Labs has been\u00a0actively monitoring<\/a>. The campaign originally piqued our interest due to the continuous updating of its list of target vulnerabilities\u2014more so than other campaigns we have seen so far.<\/p>\n

TP-Link has already released an\u00a0updated firmware<\/a>\u00a0for this affected hardware version\u00a0\u00a0and users are strongly encouraged to update their devices.<\/p>\n

This post details how this threat leverages the new vulnerability to take over the affected devices and ways to protect users from these attacks.<\/p>\n

Exploiting a New Vulnerability<\/h2>\n

This Mirai-based botnet campaign is referred to as MANGA because of the token string it used to include in its SSH\/telnet commands. It is also referred to as Dark due to the filenames used for its binaries (e.g., Dark.arm, dark.mips, etc.).\u00a0<\/p>\n

By exploiting recently published vulnerabilities, this malware campaign capitalizes on the gap between the time of disclosure of a vulnerability and the application of a patch to compromise IoT devices. This gives it a higher potential of spreading, making it more prolific than similar botnets. The latest addition to its constantly growing list of targeted vulnerabilities is TP-Link Home Wireless Routers, particularly the TL-WR840N EU (V5) model.<\/p>\n

The vulnerability it targets, assigned\u00a0CVE-2021-41653<\/a>, was only just discovered on November 12 of this year. And barely two weeks later, on November 22, a sample from the MANGA malware campaign was seen actively exploiting it in the wild.<\/p>\n

Kamill\u00f3 Matek discusses the full details of this vulnerability in this\u00a0article<\/a>. In summary, a vulnerable\u00a0host\u00a0<\/i>parameter allows authenticated users to execute arbitrary commands in the target device.\u00a0<\/p>\n

In this case, it is being exploited to force vulnerable devices to download and execute a malicious script,\u00a0tshit.sh<\/i>, which then downloads the main binary payloads, as discussed in the next section.<\/p>\n

To accomplish this, the following requests are sent to the device:<\/p>\n

Request 1:<\/u> <\/p>\n<\/p><\/div>\n