Threat Research

MANGA aka Dark Mirai-based Campaign Targets New TP-Link Router RCE Vulnerability

By Joie Salvio | December 08, 2021

Last week, our FortiGuard Labs team encountered a malware sample that’s currently being distributed in the wild targeting TP-link wireless routers. It leverages a recently post-authenticated RCE vulnerability released barely two weeks prior.

As it turns out, it is an updated variant of the MANGA campaign (also known as Dark) that distributes samples based on Mirai’s published source code. This Mirai-based Distributed Denial of Service (DDOS) botnet campaign is one that FortiGuard Labs has been actively monitoring. The campaign originally piqued our interest due to the continuous updating of its list of target vulnerabilities—more so than other campaigns we have seen so far.

TP-Link has already released an updated firmware for this affected hardware version  and users are strongly encouraged to update their devices.

This post details how this threat leverages the new vulnerability to take over the affected devices and ways to protect users from these attacks.

Affected Platforms: Linux
Impacted Users: Any organization
Impact: Remote attackers gain control of the vulnerable systems
Severity Level: Critical

Exploiting a New Vulnerability

This Mirai-based botnet campaign is referred to as MANGA because of the token string it used to include in its SSH/telnet commands. It is also referred to as Dark due to the filenames used for its binaries (e.g., Dark.arm, dark.mips, etc.). 

By exploiting recently published vulnerabilities, this malware campaign capitalizes on the gap between the time of disclosure of a vulnerability and the application of a patch to compromise IoT devices. This gives it a higher potential of spreading, making it more prolific than similar botnets. The latest addition to its constantly growing list of targeted vulnerabilities is TP-Link Home Wireless Routers, particularly the TL-WR840N EU (V5) model.

The vulnerability it targets, assigned CVE-2021-41653, was only just discovered on November 12 of this year. And barely two weeks later, on November 22, a sample from the MANGA malware campaign was seen actively exploiting it in the wild.

Kamilló Matek discusses the full details of this vulnerability in this article. In summary, a vulnerable host parameter allows authenticated users to execute arbitrary commands in the target device. 

In this case, it is being exploited to force vulnerable devices to download and execute a malicious script, tshit.sh, which then downloads the main binary payloads, as discussed in the next section.

To accomplish this, the following requests are sent to the device:

Request 1:

Request 2:

It is important to emphasize that this exploitation requires authentication to succeed. Therefore, it is crucial for users to change their default credentials.

Same Package

As with Mirai’s normal infection routine, the executed shell script downloads the main payload binaries for different architectures and platforms and executes them blindly in the victim’s system. In addition, it prevents other botnets from taking over the device by blocking connections to commonly targeted ports.

Figure 1 - tshit.sh downloads the main payload and blocks connections

The malware then waits for a command from its Command-and-Control (C2) server to perform different variations of a Denial-Of-Service (DOS) attack.

Figure 2 Functions related to DDOS attacks

Solution

Fortinet customers are protected by the following:

  • The following generic FortiGuard IPS signatures were able to detect this attack before this vulnerability was disclosed:
    • TP-Link.HTTP.Management.Code.Execution
    • TP-Link.Home.Wifi.Router.CGI.Referer.Command.Injection
  • The FortiGuard Web Filtering Service blocks downloaded URLs and identified C2s.
  • The FortiGuard AntiVirus service detects and blocks this threat as Linux/Mirai and ELF/Mirai

Conclusion

Through our active monitoring, we encountered a new variant of the Mirai-based botnet campaign referred to as MANGA or Dark. It targets a recently published TP-Link wireless router RCE vulnerability. 

Throughout its life, this ongoing campaign has been very active in targeting newly discovered vulnerabilities. In fact, right before this blog was published, our monitoring system encountered yet another updated variant that we are currently investigating.

FortiGuard Labs will continue monitoring this campaign and provide updates as necessary.

IOCs

Download URLs

http[:]//194.85.248.176/bins/eh.x86
http[:]//194.85.248.176/bins/eh.mips
http[:]//194.85.248.176/bins/eh.mpsl
http[:]//194.85.248.176/bins/eh.arm4
http[:]//194.85.248.176/bins/eh.arm5
http[:]//194.85.248.176/bins/eh.arm6
http[:]//194.85.248.176/bins/eh.arm7
http[:]//194.85.248.176/bins/eh.ppc
http[:]//194.85.248.176/bins/eh.m68k
http[:]//194.85.248.176/bins/eh.sh4
http[:]//194.85.248.176/bins/eh.86_64
http[:]//194.85.248.176/local.sh
http[:]//194.85.248.176/tshit.sh
http[:]//2.56.59.215/apache2.sh
http[:]//212.192.241.72/lolol.sh

Samples (SHA256)

ebfc95372427f8b845daff9ff4aebe2451fa78e35a24edd084685f06ba3daee4
57f50f34e6df8ee9006e46b5fe5c4ee11febe9e33b087c809f1384563e9f1d4e
8ebef715ddb0b4e973b2f8c7529f4480b5caa9c4a25f8fd05a7eaacf036cca20
113be1f9db8af2469b82ce1b5d1b0c61c50586567b3898f2b8a614cd6e8f47a8
b4c3c79d148db638f891143a1910c3d17f973c512a719b1f7525a823b14d29a8
d3928d0b6dedce6a083123028e50ba76e1b29666e70a96eec1a7061b7303bf1a
6b463e9f5d9e8edbc235bceb854367b26ed6effb0dee9881a4f4e88a967318d5
d88052c0a76cac7e571870a4e87c5354594c26b4955cd934870dc12d48f129d5
265396023cbbad6b3480b851873ece9fa2f32c63739a7a0ac32d196843080cc8
83566400bdb09c5e2438c0d9ff723c88328ca93f29e648f97088342e239bfa09
af9ac01e9e8cf7064d590044df43adca566521d223662cf5e0e2500badff6998
de01f26209a085eeff8c217782d283640a6226ccf1bd27eefd696658b55d10ba
a4b16a5bf9b6e662050a3c5ff157d7b2f0be301a1f8f5d1359170132b8b22e58
7a47e5b83e3c42df2ab72adf4a041b2e382f61a0ff378f593156353a78c2c702
1bd895ed050ce42d0f39b6baa0b6a454e05eb5bff72290857cb8fb77a9e4b4b9
71ca57bbba49aa877f7ded340328342c6e82e3a99720734c8b0de150d44d906c
23b03aa7d1dadd2e71016702f3e1b278b3a2c4f0c7d0cdc272774a428b88d09c
fb7b03e7619d3ac5c4cbadc6b38841b11e3b19214b776073a590b571f91fe51e
3c978e02d21c7c12631d56c41aceb305fc11348a53eed47e29f7ce62ea0da4df
4832cff5666433a784d6ba48a0e400367d25314ef15d08a216b6286226eff342
95e4ac3ae03646cda56d80df80d775ed4bf23f98be42274fb440e7bc0d03ce88
8d390ad5af8d70692bda123b96e9745816ec7893d84682adb6d243619538b9d3
66adea50e0de8e1d664bb18c9f80596d1443b90e9ba57a59425720886a0c97e0
a87b502575d0db1b6257f1cf75edf4894bc84598f79148525b5cc449d143a495

Learn more about Fortinet’s FortiGuard Labs threat research and intelligence organization and the FortiGuard Security Subscriptions and Services portfolio.