Since the beginning of this year, cybercriminals have been targeting Cacti and Realtek vulnerabilities on exploitable Windows and Linux servers. In two different attacks, threat actors infected victims with ShellBot (aka PerlBot) and Moobot botnet malware. The overlapping attack techniques indicate that the same attackers are behind both attacks.
Attacks deploying Moobot
According to Fortinet researchers, Moobot—a variant of Mirai—targets an arbitrary command injection vulnerability (CVE-2021-35394) in Realtek Jungle SDK and a command injection vulnerability (CVE-2022-46169) in Cacti.
Once the attackers gain control of a vulnerable system, it downloads a script containing the malware configuration and establishes a connection with the C2 server.
Moobot maintains contact with the C2 server through periodic heartbeat messages and then initiates the attack.
The latest Moobot variant scans for other known bots and kills their processes so that as much of the infected host's hardware capacity as possible is available for launching DDoS attacks.
ShellBot infection chain
Attackers have been primarily targeting the Cacti flaw to deploy three new ShellBot malware variants: PowerBots (C) GohacK, LiGhT's Modded perlbot v2, and B0tchZ 0.2a.
The first variant establishes a connection with the C2 servers and awaits commands to perform malicious activities.
The second variant features a much more extensive set of commands and includes numerous types of flooding attacks, an exploit enhancement module, and hacking functions. It became active this month and has already amassed hundreds of victims.
The third variant contains a configuration with multiple commands to perform malicious activities and target vulnerable Cacti servers.
Wrapping up
Besides ShellBot and Moobot, several other threat actors have also leveraged the same bugs to deploy other botnet malware, including Fodcha, Gafgyt, Mirai, Mozi, and RedGoBot. While the affected vendors promptly released software updates to resolve these issues, many organizations continue to run vulnerable devices. Organizations are advised to update Cacti and Realtek to patched versions as soon as possible.