Condi Botnet Targets TP-Link Archer AX21 (AX1800) Wi-Fi Routers
Vulnerability Exploited
In May 2023, a new Condi botnet appeared, focused on DDoS attacks for hire. To build a botnet and carry out attacks, the malware uses vulnerabilities in TP-Link Archer AX21 (AX1800) Wi-Fi routers.
Fortinet experts report that the Condi malware targets CVE-2023-1389, an unauthenticated command injection vulnerability. The bug allows remote code execution through the router's web management interface API.
This problem was discovered at the Pwn2Own hacker competition last December, and in March 2023, TP-Link developers released a firmware update to version 1.1.4 Build 20230219, where the bug was fixed. It is worth noting that the Mirai botnet had already exploited this vulnerability at the end of April.
AX1800 is a popular 1.8Gbps (2.4GHz and 5GHz) Linux-based Wi-Fi 6 router model, most commonly used by home users, small offices, shops, cafes and so on.
Aggressive Monetization
The researchers' report notes that the attackers behind Condi not only rent out the power of their botnet but also sell the source code of their malware. This is very aggressive monetization, and it will likely result in numerous forks of the malware with varying functionality.
Since the vulnerability is not used by Condi alone, the malware has a mechanism that kills any processes belonging to competing botnets, and it also stops its own older versions.
Because Condi has no persistence mechanism and does not survive a device reboot, its authors instead delete the following files, which prevents the device from being shut down or restarted:
/usr/sbin/reboot
/usr/bin/reboot
/usr/sbin/shutdown
/usr/bin/shutdown
/usr/sbin/poweroff
/usr/bin/poweroff
/usr/sbin/halt
/usr/bin/halt
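The list above is a usable integrity signal for defenders. As an added example (not code from the Fortinet report or from TP-Link), the POSIX shell functions below record which of those eight binaries exist on a known-good device and later report any that have disappeared; the ROOT argument and the baseline-file layout are assumptions, and which paths exist on stock firmware is not stated on the page, so the check compares against a baseline rather than assuming all eight are present:

```shell
#!/bin/sh
# Added example, not code from the Fortinet report or from TP-Link: a defender-side
# integrity check for the eight reboot/shutdown/poweroff/halt binaries that Condi
# deletes. Which of them exist on a stock device depends on the firmware, so the
# check compares against a baseline recorded while the device was known-good.
# ROOT is an assumed parameter: "/" on the router, a scratch directory in tests.

CONDI_TARGETS="/usr/sbin/reboot /usr/bin/reboot /usr/sbin/shutdown /usr/bin/shutdown /usr/sbin/poweroff /usr/bin/poweroff /usr/sbin/halt /usr/bin/halt"

# Step 1 (known-good device): print the paths from the list that are present
# under ROOT, one per line, to be saved as the baseline.
baseline_reboot_binaries() {
    root="${1:-/}"
    for p in $CONDI_TARGETS; do
        [ -e "${root%/}$p" ] && echo "$p"
    done
    return 0
}

# Step 2 (later): report every baseline path that has since disappeared.
# Returns the number of missing paths, so 0 means nothing was deleted.
check_against_baseline() {
    root="${1:-/}"
    baseline="$2"
    missing=0
    while IFS= read -r p; do
        [ -n "$p" ] || continue
        if [ ! -e "${root%/}$p" ]; then
            echo "MISSING: $p"
            missing=$((missing + 1))
        fi
    done < "$baseline"
    return "$missing"
}

# Usage on the device (keep the baseline off-box, since malware with root can delete it too):
#   baseline_reboot_binaries / > /tmp/reboot-baseline.txt   # while known-good
#   check_against_baseline / /tmp/reboot-baseline.txt        # during triage
```

A non-zero return from the check is a strong indicator that the anti-reboot behaviour described above has run on the device, and the printed paths show exactly what was removed.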
Infection Mechanism
To infect vulnerable routers, the malware scans public IP addresses for open ports 80 or 8080 and sends hard-coded, encrypted requests that download and execute a remote shell script, which then infects the device.
The researchers also mention that some Condi samples spread not only through CVE-2023-1389 but also through other bugs, which suggests the operators are experimenting with the infection mechanism.
In addition, analysts found samples that use a shell script with ADB (Android Debug Bridge), which means that malware also seems to spread through devices with an open ADB port (TCP/5555). It is assumed that this is a consequence of the fact that other hackers have already bought the Condi source code and adjusted it to their needs.
The emergence of the Condi botnet is a reminder of the importance of keeping devices up to date with the latest security patches. It is also important to note that the malware is being actively monetized, which means that its source code is being sold and adjusted to different needs. As such, it is important to be aware of the potential risks posed by the Condi botnet and take the necessary steps to protect devices from infection.