Various Botnets Pummel Year-Old TP-Link Flaw in IoT Attacks

Moobot, Miori, AGoent, and a Gafgyt variant have joined the infamous Mirai botnet in attacking unpatched versions of vulnerable Wi-Fi routers.

A number of botnets are pummeling a nearly year-old command-injection vulnerability in TP-Link routers to compromise the devices for IoT-driven distributed denial of service (DDoS) attacks.
There already is a patch for the flaw, tracked as
CVE-2023-1389
, found in the Web management interface of the TP-Link Archer AX21 (AX1800) Wi-Fi router and affecting devices Version 1.1.4 Build 20230219 or prior.
However, threat actors are taking advantage of unpatched devices to dispatch various botnets — include Moobot, Miori, AGoent, a
Gafgyt variant
, and variants of the infamous Mirai botnet — that can compromise the devices for DDoS and further nefarious activity, according to
a blog post
from Fortiguard Labs Threat Research.
Recently, we observed multiple attacks focusing on this year-old vulnerability, which already was previously exploited by the in
Mirai botnet
, according to the post by Fortiguard researchers Cara Lin and Vincent Li. Fortiguards IPS telemetry has detected significant traffic peaks, which alerted the researchers to the malicious activity, they said.
The flaw creates a scenario in which there is no sanitization of the Country field of the routers management interface, so an attacker can exploit it for malicious activities and gain foothold, according to TP-Links
security advisory
for the flaw.
This is an unauthenticated command-injection vulnerability in the locale API available via the web management interface, Lin and Li explained.
To exploit it, users can query the specified form country and conduct a write operation, which is handled by the set_country function, the researchers explained. That function calls the merge_config_by_country function and concatenates the argument of the specified form country into a command string. This string is then executed by the popen function.
Since the country field wont be emptied, the attacker can achieve command injection, the researchers wrote.
TP-Links advisory when the flaw was revealed last year included acknowledgement of exploitation by the Mirai botnet. But since then other botnets as well as various Mirai variants also have taken siege against vulnerable devices.
One is Agoent, a Golang-based agent bot that attacks by first fetching the script file exec.sh from an attacker-controlled website, which then retrieves the Executable and Linkable Format (ELF) files of different Linux-based architectures.
The bot then executes two primary behaviors: the first is to create the host username and password using random characters, and the second is to establish connection with command and control (C2) to pass on the credentials just created by the malware for device takeover, the researchers said.
A botnet that creates denial of service (DoS) in Linux architectures called the Gafgyt variant also is attacking the TP-Link flaw by downloading and executing a script file and then retrieving Linux architecture execution files with the prefix filename rebirth. The botnet then gets the compromised target IP and architecture information, which it concatenates into a string that is part of its initial connection message, the researchers explained.
After establishing a connection with its C2 server, the malware receives a continuous PING command from the server to ensure persistence on the compromised target, the researchers wrote. It then waits for various C2 commands to create DoS attacks.
The botnet called Moobot also is attacking the flaw to conduct DDoS attacks on remote IPs via a command from the attackers C2 server, the researchers said. While the botnet targets various IoT hardware architectures, Fortiguard researchers analyzed the botnets execution file designed for the x86_64 architecture to determine its exploitation activity, they said.
A
variant of Mirai
also is conducting DDoS attacks in its exploitation of the flaw by sending a packet from the C&C server to direct the endpoint to initiate the attack, the researchers noted.
The command specified is 0x01 for a Valve Source Engine (VSE) flood, with a duration of 60 seconds (0x3C), targeting a randomly selected victims IP address and the port number 30129, they explained.
Miori, another Mirai variant, also has joined the fray to conduct brute-force attacks on compromised devices, the researchers noted. And they also observed attacks by Condi that remains consistent with a version of the botnet that was active last year.
The attack retains the function to prevent reboots by deleting binaries responsible for shutting down or rebooting the system, and scans active processes and cross-references with predefined strings to terminate processes with matching names, the researchers said.
Botnet attacks that exploit device flaws to target IoT environments are relentless, and thus users should be vigilant against DDoS botnets, the researchers noted. Indeed, IoT adversaries are advancing their attacks by
pouncing on unpatched device flaws
to further their sophisticated attack agendas.
Attacks against TP-Link devices can be mitigated by applying the available patch for affected devices, and this practice should be followed for any other IoT devices to safeguard their network environments from infection, preventing them from becoming bots for malicious threat actors, the researchers wrote.
Fortiguard also included in its post various indicators of compromise (IoCs) for the different botnet attacks, including C2 servers, URLs, and files that can help server administrators identify an attack.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
Various Botnets Pummel Year-Old TP-Link Flaw in IoT Attacks