D-Link Router Vulnerabilities Remain Under Attack by Botnets

FortiGuard Labs observed a spike in the activity of two different botnets - Ficora and Capsaicin - in October and November 2024. These botnets typically spread through vulnerabilities in D-Link devices, allowing attackers to execute malicious commands remotely.

Impact Level

  • Affected Devices:

    • D-Link DIR-645 RevAx wired/wireless routers with firmware 1.04b12 and earlier

    • D-Link DIR-806 devices

    • D-Link GO-RT-AC750 GORTAC750_revA_v101b03 and GO-RT-AC750_revB_FWv200b02

    • D-Link DIR-845L routers v1.01KRb03 and earlier

  • Related CVEs:

    • CVE-2015-2051

    • CVE-2019-10891

    • CVE-2022-37056

    • CVE-2024-33112

  • Affected Users: Any organization

  • Impact Level: Attackers can gain control of remote systems

  • Severity: High

Once a device is exploited, the attackers abuse weaknesses in the D-Link HNAP management interface, invoking the GetDeviceSettings action so that the device runs commands of their choosing.

The botnets can steal data and execute shell scripts. The attackers' goal seems to be using the devices for distributed denial-of-service (DDoS) attacks.
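Because both botnets reach the device through the HNAP interface, the most useful detection signal on the network side is the HNAP request itself. The following added example, which is not part of the original article or of the FortiGuard report, scans a constructed request log for two conditions: a SOAPAction header that is not the plain `namespace/MethodName` form a legitimate client sends (extra path segments or shell metacharacters are the tell), and HNAP requests arriving from outside RFC 1918 address space, which means the management interface is reachable from the Internet. The log format, the sample addresses and the placeholder payload shape are all constructed for the example.

```python
import ipaddress
import re
from dataclasses import dataclass

# A well-formed HNAP SOAPAction is the fixed namespace plus one method name
# and nothing after it.  Anything else (extra path segments, quotes, shell
# metacharacters) is not something a legitimate client sends.
HNAP_SOAPACTION_OK = re.compile(r"^https?://purenetworks\.com/HNAP1/[A-Za-z0-9]+$")
SHELL_METACHARS = re.compile(r"[`;|&$(){}<>]")

# Constructed log format (an assumption, not a real D-Link or Fortinet log):
#   <client_ip> <method> <path> soapaction="<SOAPAction header value>"
LOG_RE = re.compile(
    r'^(?P<src>\S+) (?P<method>[A-Z]+) (?P<path>\S+) soapaction="(?P<soap>[^"]*)"$'
)

# Only RFC 1918 space counts as "inside the LAN" here; Python's is_private
# would also accept documentation ranges such as 203.0.113.0/24.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Finding:
    src: str
    reason: str
    soapaction: str


def is_rfc1918(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in RFC1918)


def inspect_line(line: str) -> list[Finding]:
    """Return zero or more findings for one constructed log line."""
    m = LOG_RE.match(line.strip())
    if not m or not m["path"].startswith("/HNAP1"):
        return []
    src, soap = m["src"], m["soap"]
    findings = []
    if soap and not HNAP_SOAPACTION_OK.match(soap):
        chars = "".join(sorted(set(SHELL_METACHARS.findall(soap))))
        findings.append(Finding(src, f"malformed SOAPAction, metacharacters [{chars}]", soap))
    if not is_rfc1918(src):
        findings.append(Finding(src, "HNAP reached from a non-RFC1918 address", soap))
    return findings


def scan(log_text: str) -> list[Finding]:
    return [f for line in log_text.splitlines() if line.strip() for f in inspect_line(line)]


# Constructed sample traffic.  203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges standing in for Internet sources; the backtick line is
# only a placeholder shape, not a real payload.
SAMPLE_LOG = """
192.168.0.23 POST /HNAP1/ soapaction="http://purenetworks.com/HNAP1/GetDeviceSettings"
203.0.113.45 POST /HNAP1/ soapaction="http://purenetworks.com/HNAP1/GetDeviceSettings/`PLACEHOLDER`"
192.168.0.23 GET /HNAP1/ soapaction=""
198.51.100.9 POST /HNAP1/ soapaction="http://purenetworks.com/HNAP1/GetDeviceSettings"
192.168.0.50 POST /index.html soapaction=""
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.src}: {f.reason}  SOAPAction={f.soapaction!r}")
```

Running the block reports three findings: the malformed SOAPAction from 203.0.113.45, and two HNAP requests from non-RFC1918 sources. The second rule is worth keeping even when the header looks clean, since an HNAP endpoint that answers to the Internet is exactly the exposure the recommendations at the end of the article tell you to remove.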

The Ficora botnet primarily targets Japan and the United States. Capsaicin, by contrast, mainly targets devices in East Asian countries and showed a sharp two-day spike in activity starting on October 21.

Figure 1. IPS attack metrics (IPS telemetry)

Ficora Botnet

Ficora is a newer variant of the Mirai botnet, designed to exploit specific vulnerabilities in D-Link devices.

Figure 2. Ficora botnet activity range (“FICORA” telemetry)

After gaining initial access to D-Link devices, Ficora uses a shell script named 'multi' to download and execute its payload through various methods such as wget, curl, ftpget, and tftp, then deletes itself from the victim's system.

Figure 3. Malicious command exploiting a D-Link vulnerability to download “FICORA” malware

The malware also spreads by brute-forcing logins with hard-coded username and password lists, and it ships binaries for several hardware architectures so that it can infect a wide range of Linux-based devices.

Figure 4. Hard-coded username list

Figure 5. Hard-coded password list

For DDoS, it supports UDP flooding, TCP flooding, and DNS amplification; having several attack methods lets the operators switch techniques when one is mitigated.

Capsaicin Botnet

Capsaicin is a variant of the Kaiten botnet and is believed to be malware developed by the Keksec group, known for the “EnemyBot” malware and many other malware families targeting Linux devices. Fortinet discovered Capsaicin in a series of attacks from October 21 to 22, primarily targeting East Asian countries.

The infection occurs through a download script (“bins.sh”), which downloads binary files prefixed with 'yakuza' for different hardware architectures, including arm, mips, sparc, and x86.

Figure 6. Malicious command exploiting a D-Link vulnerability to download “CAPSAICIN” malware

Additionally, the malware actively looks for other botnet processes running on the same infected device and terminates them.

Besides DDoS capabilities similar to Ficora, Capsaicin can also collect server information and transmit it to a command and control (C2) server for monitoring.

Figure 7. List of commands for C2 execution

Figure 8. List of commands for DDoS execution

List of IOCs related to FICORA and CAPSAICIN malware

URLs

FICORA

hxxp://103[.]149[.]87[.]69/multi
hxxp://103[.]149[.]87[.]69/la.bot.arc
hxxp://103[.]149[.]87[.]69/la.bot.arm
hxxp://103[.]149[.]87[.]69/la.bot.arm5
hxxp://103[.]149[.]87[.]69/la.bot.arm6
hxxp://103[.]149[.]87[.]69/la.bot.arm7
hxxp://103[.]149[.]87[.]69/la.bot.m68k
hxxp://103[.]149[.]87[.]69/la.bot.mips
hxxp://103[.]149[.]87[.]69/la.bot.mipsel
hxxp://103[.]149[.]87[.]69/la.bot.powerpc
hxxp://103[.]149[.]87[.]69/la.bot.sh4
hxxp://103[.]149[.]87[.]69/la.bot.sparc

CAPSAICIN

hxxp://87[.]11[.]174[.]141/bins.sh
hxxp://pirati[.]abuser[.]eu/yakuza.yak.sh
hxxp://pirati[.]abuser[.]eu/yakuza.arm5
hxxp://pirati[.]abuser[.]eu/yakuza.arm6
hxxp://pirati[.]abuser[.]eu/yakuza.arm7
hxxp://pirati[.]abuser[.]eu/yakuza.i586
hxxp://pirati[.]abuser[.]eu/yakuza.i686
hxxp://pirati[.]abuser[.]eu/yakuza.m68k
hxxp://pirati[.]abuser[.]eu/yakuza.mips
hxxp://pirati[.]abuser[.]eu/yakuza.mipsel
hxxp://pirati[.]abuser[.]eu/yakuza.ppc
hxxp://pirati[.]abuser[.]eu/yakuza.sparc
hxxp://pirati[.]abuser[.]eu/yakuza.x86
hxxp://87[.]10[.]220[.]221/bins.sh
hxxp://87[.]10[.]220[.]221/yakuza.sh
hxxp://87[.]10[.]220[.]221/yakuza.arm4
hxxp://87[.]10[.]220[.]221/yakuza.arm5
hxxp://87[.]10[.]220[.]221/yakuza.arm6
hxxp://87[.]10[.]220[.]221/yakuza.arm7
hxxp://87[.]10[.]220[.]221/yakuza.i586
hxxp://87[.]10[.]220[.]221/yakuza.i686
hxxp://87[.]10[.]220[.]221/yakuza.m68k
hxxp://87[.]10[.]220[.]221/yakuza.mips
hxxp://87[.]10[.]220[.]221/yakuza.mipsel
hxxp://87[.]10[.]220[.]221/yakuza.ppc
hxxp://87[.]10[.]220[.]221/yakuza.sparc
hxxp://87[.]10[.]220[.]221/yakuza.x86

Hosts

103[.]149[.]87[.]69
ru[.]coziest[.]lol
f[.]codingdrunk[.]cc
www[.]codingdrunk[.]in
eighteen[.]pirate
nineteen[.]libre
75cents[.]libre
2joints[.]libre
fortyfivehundred[.]dyn
21savage[.]dyn
imaverygoodbadboy[.]libre
le[.]codingdrunk[.]in
87[.]11[.]174[.]141
pirati[.]abuser[.]eu
87[.]10[.]220[.]221
45[.]86[.]86[.]60
194[.]110[.]247[.]46

Files

Downloader

Value                                                             Type
f71dc58cc969e79cb0fdfe5163fbb9ed4fee5e13cc9407a11d231601ee4c6e23  SHA-256
ea83411bd7b6e5a7364f7b8b9018f0f17f7084aeb58a47736dd80c99cfeac7f1  SHA-256
48a04c7c33a787ef72f1a61aec9fad87d6bd9c49542f52af7e029ac83475f45d  SHA-256
18c92006951f93a77df14eca6430f32389080838d97c9e47364bf82f6c21a907  SHA-256

FICORA

Value                                                             Type
9b161a32d89f9b19d40cd4c21d436c1daf208b5d159ffe1df7ad5fd1a57610e5  SHA-256
faeea9d5091384195e87caae9dd88010c9a2b3b2c88ae9cac8d79fd94f250e9f  SHA-256
10d7aedc963ea77302b967aad100d7dd90d95abcdb099c5a0a2df309c52c32b8  SHA-256
7f6912de8bef9ced5b9018401452278570b4264bb1e935292575f2c3a0616ec4  SHA-256
a06fd0b8936f5b2370db5f7ec933d53bd8a1bf5042cdc5c052390d1ecc7c0e07  SHA-256
764a03bf28f9eec50a1bd994308e977a64201fbe5d41337bdcc942c74861bcd3  SHA-256
df176fb8cfbc7512c77673f862e73833641ebb0d43213492c168f99302dcd5e3  SHA-256
ac2df391ede03df27bcf238077d2dddcde24cd86f16202c5c51ecd31b7596a68  SHA-256
ca3f6dce945ccad5a50ea01262b2d42171f893632fc5c5b8ce4499990e978e5b  SHA-256
afee245b6f999f6b9d0dd997436df5f2abfb3c8d2a8811ff57e3c21637207d62  SHA-256
ec508df7cb142a639b0c33f710d5e49c29a5a578521b6306bee28012aadde4a8  SHA-256

CAPSAICIN

Value                                                             Type
8349ba17f028b6a17aaa09cd17f1107409611a0734e06e6047ccc33e8ff669b0  SHA-256
b3ad8409d82500e790e6599337abe4d6edf5bd4c6737f8357d19edd82c88b064  SHA-256
ec87dc841af77ec2987f3e8ae316143218e9557e281ca13fb954536aa9f9caf1  SHA-256
784c9711eadceb7fedf022b7d7f00cff7a75d05c18ff726e257602e3a3ccccc1  SHA-256
bde6ef047e0880ac7ef02e56eb87d5bc39116e98ef97a5b1960e9a55cea5082b  SHA-256
c7be8d1b8948e1cb095d46376ced64367718ed2d9270c2fc99c7052a9d1ffed7  SHA-256
4600703535e35b464f0198a1fa95e3668a0c956ab68ce7b719c28031d69b86ff  SHA-256
6e3ef9404817e168c974000205b27723bc93abd7fbf0581c16bb5d2e1c5c6e4a  SHA-256
32e66b87f47245a892b102b7141d3845540b270c278e221f502807758a4e5dee  SHA-256
540c00e6c0b53332128b605b0d5e0926db0560a541bb13448d094764844763df  SHA-256
b74dbd02b7ebb51700f3c5900283e46570fe497f9b415d25a029623118073519  SHA-256
148f6b990fc1f1903287cd5c20276664b332dd3ba8d58f2bf8c26334c93c3af5  SHA-256
464e2f1faab2a40db44f118f7c3d1f9b300297fe6ced83fabe87563fc82efe95  SHA-256
b699cd64b9895cdcc325d7dd96c9eca623d3ec0247d20f39323547132c8fa63b  SHA-256
1007f5613a91a5d4170f28e24bfa704c8a63d95a2b4d033ff2bff7e2fe3dcffe  SHA-256
7a815d4ca3771de8a71cde2bdacf951bf48ea5854eb0a2af5db7d13ad51c44ab  SHA-256
d6a2a22000d68d79caeae482d8cf092c2d84d55dccee05e179a961c72f77b1ba  SHA-256
7ab36a93f009058e60c8a45b900c1c7ae38c96005a43a39e45be9dc7af9d6da8  SHA-256
803abfe19cdc6c0c41acfeb210a2361cab96d5926b2c43e5eb3b589a6ed189ad  SHA-256
7b29053306f194ca75021952f97f894d8eae6d2e1d02939df37b62d3845bfdb7  SHA-256
59704cf55b9fa439d6f7a36821a50178e9d73ddc5407ff340460c054d7defc54  SHA-256
aaa49b7b4f1e71623c42bc77bb7aa40534bcb7312da511b041799bf0e1a63ee7  SHA-256
1ca1d5a53c4379c3015c74af2b18c1d9285ac1a48d515f9b7827e4f900a61bde  SHA-256
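The IOC list above is published defanged (hxxp, [.]) so it cannot be clicked by accident, which also means it cannot be fed to a log search as-is. The following added example, not part of the original article or the FortiGuard report, refangs a subset of the indicators copied from the list and matches them against constructed proxy, DNS and file-hash events. It treats every host that appears in a URL indicator as a host indicator in its own right, so a download of a different architecture binary from the same server (a URL that is not on the list) is still caught, and it compares hashes case-insensitively. The event format and the sample events are constructed for the example.

```python
from urllib.parse import urlsplit

# A subset of the indicators from the IOC list above, copied as published
# (defanged with hxxp and [.]).
DEFANGED_URLS = [
    "hxxp://103[.]149[.]87[.]69/multi",
    "hxxp://103[.]149[.]87[.]69/la.bot.arm7",
    "hxxp://pirati[.]abuser[.]eu/yakuza.yak.sh",
    "hxxp://87[.]10[.]220[.]221/bins.sh",
]
DEFANGED_HOSTS = [
    "103[.]149[.]87[.]69",
    "ru[.]coziest[.]lol",
    "pirati[.]abuser[.]eu",
    "45[.]86[.]86[.]60",
]
SHA256S = [
    "f71dc58cc969e79cb0fdfe5163fbb9ed4fee5e13cc9407a11d231601ee4c6e23",  # downloader
    "9b161a32d89f9b19d40cd4c21d436c1daf208b5d159ffe1df7ad5fd1a57610e5",  # FICORA
    "8349ba17f028b6a17aaa09cd17f1107409611a0734e06e6047ccc33e8ff669b0",  # CAPSAICIN
]


def refang(ioc: str) -> str:
    """Undo the hxxp / [.] defanging used in published IOC lists."""
    return (ioc.replace("hxxps://", "https://")
               .replace("hxxp://", "http://")
               .replace("[.]", ".")
               .replace("[:]", ":"))


class IocMatcher:
    def __init__(self, urls, hosts, sha256s):
        self.urls = {refang(u) for u in urls}
        self.hosts = {refang(h).lower() for h in hosts}
        # Hosts seen in URL indicators count as host indicators too, so that a
        # download of a different binary from the same server still matches.
        self.hosts |= {urlsplit(u).hostname for u in self.urls}
        self.hashes = {h.lower() for h in sha256s}

    def check(self, event: dict):
        """Return (indicator_type, indicator) for a matching event, else None."""
        kind = event["type"]
        if kind == "http":
            url = event["url"]
            if url in self.urls:
                return ("url", url)
            host = (urlsplit(url).hostname or "").lower()
            if host in self.hosts:
                return ("host", host)
        elif kind == "dns":
            qname = event["qname"].rstrip(".").lower()
            if qname in self.hosts:
                return ("host", qname)
        elif kind == "file":
            digest = event["sha256"].lower()
            if digest in self.hashes:
                return ("sha256", digest)
        return None

    def scan(self, events):
        hits = []
        for event in events:
            match = self.check(event)
            if match:
                hits.append((event, match))
        return hits


# Constructed telemetry, not real traffic.  The second event uses a URL that
# is not on the IOC list to show the host-level match.
SAMPLE_EVENTS = [
    {"type": "http", "src": "192.168.1.1", "url": "http://103.149.87.69/la.bot.arm7"},
    {"type": "http", "src": "192.168.1.1", "url": "http://pirati.abuser.eu/yakuza.arm4"},
    {"type": "dns",  "src": "192.168.1.1", "qname": "ru.coziest.lol."},
    {"type": "http", "src": "192.168.1.7", "url": "https://example.com/"},
    {"type": "file", "src": "192.168.1.1",
     "sha256": "F71DC58CC969E79CB0FDFE5163FBB9ED4FEE5E13CC9407A11D231601EE4C6E23"},
    {"type": "file", "src": "192.168.1.7", "sha256": "0" * 64},
]

MATCHER = IocMatcher(DEFANGED_URLS, DEFANGED_HOSTS, SHA256S)

if __name__ == "__main__":
    for event, (kind, value) in MATCHER.scan(SAMPLE_EVENTS):
        print(f"{event['src']}: {kind} indicator {value}")
```

Four of the six sample events match (one exact URL, two hosts, one hash); the two benign events do not. In a real deployment the three indicator lists would be loaded from the full IOC list rather than the subset embedded here, and a host match on a router's own outbound traffic is the strongest signal, since a consumer router has no business fetching anything from these servers.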

Recommendations

FPT Threat Intelligence recommends organizations and individuals take several measures to prevent this campaign:

  • Update device firmware: Ensure that routers and IoT devices are always running the latest firmware version to patch known security vulnerabilities.

  • Replace old devices: If a device has reached the end of its life cycle and no longer receives security updates, replace it with a new model.

  • Change default passwords: Use strong and unique admin passwords, and disable remote access interfaces if not necessary.

References

Written by Tran Hoang Phong