Condi

It also comes equipped with the ability to update itself with a newer version and act as a web server to spread the infection to other devices that connect to it.

It attempted to spread by exploiting TP-Link Archer AX21 (AX1800) routers vulnerable to CVE-2023-1389... sends a hardcoded exploitation request to download and execute a remote shell script... if it is a vulnerable TP-Link Archer AX21 device.

sends a hardcoded exploitation request... to download and execute a remote shell script at hxxp://cdn2[.]duc3k[.]com/t... The remote shell script is typical of Mirai-based loaders that try to download and execute binaries of each architecture in turn

The execFormatCmd() function calls tp_SystemEx() to execute "iwconfig %s essid %s" with the injected content... This final function executes the resulting command using execve("/bin/sh")

The attacks work by sending malicious HTTP GET requests to the /userRpm/WlanNetworkRpm endpoint. The requests carry commands embedded in the ssid parameter, which the router’s firmware processes without filtering harmful input.

This HTTP server masquerades as a legitimate Apache HTTP server by responding with the “Server: Apache” header when any URLs are requested.

Because of this, it deletes the following binaries used to shut down or reboot the system.

Because of this, it deletes the following binaries used to shut down or reboot the system. /usr/sbin/reboot /usr/bin/reboot /usr/sbin/shutdown /usr/bin/shutdown /usr/sbin/poweroff ...

The next command executes chmod 777 on the arm7 binary to grant the file read, write and execute permissions.

it embeds a simple scanner modified from Mirai’s original Telnet scanner to scan for any public IPs with open ports 80 or 8080... We found source code for an older version of Condi that scans for devices with an open Android Debug Bridge port (TCP/5555)

It also reads the /proc/<PID>/status for each running process and compares the Name field... It also generates a random string... and attempts to kill any process with this string in its command line

Because of this, it deletes the following binaries used to shut down or reboot the system...

The arm7 binary also starts an HTTP server on the infected device using a port randomly chosen between 1024 and 65535. Once active, this server delivers fresh malware copies to other devices that connect to it, spreading the infection further without requiring any additional input from the attacker.

It also comes equipped with the ability to update itself with a newer version and act as a web server to spread the infection to other devices that connect to it.

The binary protocol used by Condi to communicate with the C2 server is a modified version of that initially implemented in Mirai.

Once it receives the command used to start the webserver, this malware downloads bot binaries... After that, it starts a basic HTTP server on a random port number above 1024 to host these binaries.

The binary protocol used by Condi to communicate with the C2 server is a modified version of that initially implemented in Mirai.

this malware downloads bot binaries from a hardcoded IP and port. After that, it starts a basic HTTP server on a random port number above 1024 to host these binaries.

The data is stored in the buffer var_868 from the fd_serv function, which is the command-and-control (C2) server socket... After receiving data, the arm7 binary checks for specific byte patterns

it also prevents infections from other botnets by attempting to terminate their processes... kills any processes with matching names... kills any processes with binary filenames containing the following extensions commonly used by other botnets

Below is this sample's list of attack functions... attack_tcp_syn... attack_tcp_ack... attack_tcp_socket... attack_tcp_thread... attack_tcp_bypass... attack_udp_plain... attack_udp_thread... attack_udp_smart

Finally, it generates two numbers... and kills any processes with a command line length matching either number. Killing off random processes based on their command line length is likely to wreak havoc and prevent the infected device from functioning correctly

this malware employs several techniques to keep itself running... it also prevents infections from other botnets by attempting to terminate their processes.