New Mirai Botnet Variant Detection: MooBot Sample Targets D-Link Routers

Novel Moobot

Security researchers are raising the alarm on a new Mirai botnet variant dubbed MooBot that targets D-Link devices. The novel threat employs multiple exploitation techniques. 

MooBot first surfaced in 2019, hijacking LILIN digital video recorders and Hikvision video surveillance products and co-opting them into a family of denial-of-service bots.

Detect MooBot 

To detect the signature ID of the MooBot sample within your system, use the following Sigma rule provided by the top-tier SOC Prime Threat Bounty developer Nattatorn Chuensangarun:

Palo Alto Networks Signature Detection for Mirai Botnet(MooBot) Targeting D-Link Devices

The detection rule is aligned with the MITRE ATT&CK® framework v.10, addressing the Lateral Movement tactic represented by the Exploitation of Remote Services (T1210) technique.

Our SOC content library aggregates over 200K detection and response algorithms mapped directly to CVE and MITRE ATT&CK® frameworks so you can withstand the notorious cyber-attacks at the earliest stages of intrusion. Get instant access by clicking the Explore Detections button.

Explore Detections  

MooBot Analysis

The findings come from Palo Alto Networks Unit 42, who say that threat actors leverage the following D-Link vulnerabilities of high and critical severity: CVE-2015-2051, CVE-2018-6530, CVE-2022-26258, and CVE-2022-28958. If adversaries succeed with their exploit attempts, they can remotely execute malicious code and fetch MooBot payload to compromise Linux-operated networking devices. Once the attacker establishes full control over the device – the sky is the limit when it comes to their malicious plans. With high probability, adversaries go on to launch vicious DDoS attacks.

The Mirai-based botnet called Moobot may cause a critical security impact; the severe consequences of these attacks urge the users of vulnerable devices to patch the flaws as fast as possible.

The uptick in numbers and severity of cyber attacks worldwide creates an expanded attack surface, putting at risk more individuals and businesses each day. To gear your company up with the best security practices, register for the SOC Prime Platform.

Was this article helpful?

Like and share it with your peers.
Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.

Related Posts