Moobot Milks Tenda Router Bugs for Propagation (Security News, June 2021)
A variant of the Mirai botnet called Moobot saw a big spike in activity recently, with researchers picking up widespread scanning in their telemetry for a known vulnerability in Tenda routers.
According to AT&T Alien Labs, the scanning for vulnerable Tenda routers piqued researcher interest given that such activity is typically rare.
Following the breadcrumbs of the activity, researchers tracked down the infrastructure behind the Tenda scans in late March, discovering that it was also being used to scan for additional bugs in the Axis SSI, Huawei home routers and the Realtek SDK Miniigd.
While active, the campaign would cycle between different Mirai variants: The same URL could be hosting Satori one day and Moobot the week after, according to AT&T. "The actors appear to come back to the same domain with a new subdomain for each new campaign," researchers explained.
One of the main distinctions of Moobot is a hardcoded string that's used several times throughout the code, including generating the process name to be used during execution, according to AT&T. "The number of samples Alien Labs has seen with that string has greatly increased in the last months, scattering from the original Moobot sample," AT&T noted.
In a new wrinkle, the observed Moobot samples were encrypted.