Moobot and Shellbot exploit Realtek and Cacti vulnerabilities

Fortinet specialists have identified two harmful botnets, Shellbot and Moobot, which are currently targeting vulnerabilities in Cacti and Realtek. According to a report by Fortinet, both botnets are using critical vulnerabilities, CVE-2021-35394 and CVE-2022-46169, to attack open network devices and turn them into botnets for distributed denial-of-service (DDOS) attacks.

These vulnerabilities have been previously exploited by other malware such as Fodcha, Redgobot, Mirai, Gafgyt and Mozi. Moobot, a variant of Mirai, was first discovered in December 2021 and was initially aimed at Hikvision cameras. However, in September 2022, it was modified to target routers D-Link. Currently, Moobot is exploiting vulnerabilities CVE-2021-35394 and CVE-2022-46169 to infect vulnerable hosts and connect with C2-server to receive commands.

One notable feature of the new Moobot versions is their ability to scan and destroy processes of other well-known botnets to launch highly effective DDOS attacks. Meanwhile, Shellbot was first discovered in January 2023 and is mainly focused on Cacti vulnerability (CVE-2022-46169). Fortinet researchers captured three different variations of Shellbot, which indicates that the malware is actively being developed. It is capable of initiating DDOS attacks, port scanning, downloading additional payloads, deleting files and folders from infected computers and more.

To make sure devices are protected against both botnets, Fortinet recommends using reliable administrator passwords and installing the latest updates. In case any device is no longer supported by the manufacturer, it should be replaced with a newer model. Fortinet’s report emphasized that the scale of harmful activity in 2023 is significant and warns that open network devices are being actively targeted by botnets.

/Reports, release notes, official announcements.