Mirai-Based DDoS Botnet Known as Beastmode Continues to Expand


Over the previous two months, the Mirai-based DDoS botnet known as Beastmode has added at least five additional exploits to its arsenal.

Three of the new exploits target TOTOLINK routers, one targets the D-Link DIR-810L, DIR-820L/LW, DIR-826L, DIR-830L, and DIR-836L routers, and one targets the TP-Link Tapo C200 IP camera.

Fortinet’s FortiGuard Labs researchers discovered the new Beastmode exploits (dubbed B3eastmode after text in the code and an HTTP User-Agent header ‘b3astmode’ within the exploit requests).

“Even though the original Mirai author was arrested in fall 2018, this… highlights how threat actors, such as those behind the Beastmode campaign, continue to quickly incorporate newly published exploit code to infect unpatched devices with the Mirai malware,” the researchers write. An inaccuracy discovered in a sample taken on February 20, 2022, was quickly repaired in samples taken just three days later.

The botnet’s authors added the TOTOLINK exploits just a week after the exploit codes were made public on GitHub, emphasising the importance of using any available workarounds as soon as a vulnerability is publicised, as well as rapid patching as soon as patches become available. TOTOLINK has updated its firmware, which is available for download from the company’s website.

D-Link routers that are currently vulnerable to CVE-2021-45382 can’t be upgraded because they’ve been phased out.

CVE-2021-4045 is used to target the TP-Link Tapo C200 IP camera, which the researchers haven’t observed in any previous Mirai-based attack. For the time being, the exploit has been implemented incorrectly and does not operate. “Device users should still update their camera firmware to correct this issue,” the researchers suggest, citing indications of continued development.

Although the flaws affect different devices, they all have the same effect: they allow the attacker to insert commands that download shell scripts via the wget command and infect the device with Beastmode. The shell scripts differ depending on which devices have been infected and which exploit has been used.

Beastmode devices can be utilised in a variety of DDoS assaults once infected.

Infecting home-use devices is a good strategy to expand botnets since they are less well-protected than commercial devices, and users don’t always change or manage passwords or firmware updates. Slower than expected internet and hotter than expected devices are possible symptoms of botnet infection. If a user suspects that he or she is infected, powering down the device to clear memory, restarting, and changing the password is recommended.

Jennifer Thomas
Jennifer Thomas is the Co-founder and Chief Business Development Officer at Cybers Guards. Prior to that, She was responsible for leading its Cyber Security Practice and Cyber Security Operations Center, which provided managed security services.