Fortinet Inc.

03/29/2023 | Press release | Distributed by Public on 03/29/2023 12:56

Moobot Strikes Again - Targeting Cacti And RealTek Vulnerabilities

Affected platforms: Windows, Linux
Impacted parties: Any organization
Impact: Remote attackers gain control of the vulnerable systems
Severity level: Critical

FortiGuard Labs observed several bursts of attacks targeting Cacti and Realtek vulnerabilities in January and March of this year, which then spread ShellBot and Moobot malware. (Figure 1 shows trigger counts from our IPS signatures for the CVE-2021-35394 (Realtek) and CVE-2022-46169 (Cacti) vulnerabilities.)

ShellBot, also known as PerlBot, is malware developed in Perl that uses the Internet Relay Chat (IRC) protocol to communicate with the server. Moobot is a Mirai variant botnet that targets exposed networking devices. We discovered that it had attacked Hikvision products in 2021. Compromised endpoints can be controlled by its C&C server and used to deliver further attacks, such as distributed denial-of-service attacks.

This article will examine the payloads of these two attacks and their resulting malware behavior.