Moobot botnet spreads via Hikvision camera vulnerability


A Mirai-based botnet called “Moobot” is aggressively propagating by exploiting a critical command injection flaw in the web server of many Hikvision products.

Hikvision is a state-owned Chinese manufacturer of cameras and surveillance equipment that the US government has sanctioned for human rights violations.

This vulnerability is identified as CVE-2021-36260 and can be exploited remotely by sending specially crafted messages containing malicious commands.

Hikvision fixed the flaw in September 2021 with a firmware update (v 210628), but not all users rushed to apply the security update.

Fortinet reports that Moobot exploits this flaw to compromise unpatched devices and extract sensitive data from victims.

The infectious process

Exploiting the vulnerability is fairly straightforward, given that it does not require authentication and can be triggered by sending a message to a publicly exposed vulnerable device.

Request to exploit the flaw
Request to exploit the flaw
Source: Fortinet

Among the various payloads that exploit CVE-2021-36260, Fortinet has found a downloader hidden as “macHelper”, which retrieves and runs Moobot with the “hikivision” parameter.

The malware also modifies basic commands such as “reboot” so that they do not work properly and will prevent the administrator from restarting the compromised device.

A new version of Mirai

Fortinet analysts spotted some commonalities between Moobot and Mirai, such as the data string used in the Random Alphanumeric String Generator function.

In addition, Moobot presents some elements of Satori, a different variant of Mirai whose author was arrested and sentenced in the summer of 2020.

Similarities to Satori include:

  • Using a separate downloader.
  • The fork of the “/ usr / sbin *” process.
  • Overwrite the legitimate “macHelper” file with the Moobot executable.

It’s critical to stress that this isn’t the first time Moobot has been spotted in the wild, as Unit 42 researchers first discovered it in February 2021.

However, the fact that the botnet is always adding new CVEs indicates that it is being actively developed and enriched with new targeting potential.

Enlist in a DDoS army

Moobot’s goal is to integrate the compromised device into a DDoS swarm.

The C2 sends a SYN flood command with the target IP address and the port number to attack.

Moobot's attack flow
Moobot’s attack flow
Source: Fortinet

Other commands that the C2 server can send include 0x06 for the UDP stream, 0x04 for the ACK stream, and 0x05 for the ACK + PUSH stream.

By examining the captured packet data, Fortinet was able to track down a Telegram channel that began offering DDoS services last August.

Enrolling your device in DDoS swarms leads to increased power consumption, accelerated wear and tear, and causes the device to become unresponsive.

The best way to protect your IoT devices from botnets is to apply available security updates as soon as possible, isolate them in a dedicated network, and replace default credentials with strong passwords.


Comments are closed.