Malware discovered exploiting TP-Link routers for DDoS attacks

Security researchers have identified and analyzed a malware strain called Condi that is capable of exploiting certain routers to carry out Distributed Denial-of-Service (DDoS) attacks.

The malware reportedly exploits a vulnerability in the TP-Link Archer AX21 (AX1800) Wi-Fi router to enlist the affected devices in a botnet. According to Fortinet FortiGuard Labs, attacks of this kind surged toward the end of May.

Condi was created by a threat actor known on Telegram, where he runs a channel, as zxcr9999. Two security researchers, Joie Salvio and Roy Tay, stated: “The Telegram channel was opened in May 2022 and the threat actor monetized his botnet by providing DDoS-as-a-service and selling the malware source code.”

Analysis of Condi revealed its ability to terminate competing botnets running on the same host. The malware, however, also showed potential weaknesses.

Restarting the device appears to disrupt the malware. zxcr9999 seems to have looked for a way around this: the malware deletes several binaries used for shutting down or restarting the system.
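As an added defensive example (not code from the article or from Fortinet's analysis), the following POSIX shell check reports whether the shutdown/reboot binaries a typical BusyBox-based router image carries are still present, since their disappearance is a cheap indicator of the tampering described above. The binary paths are an assumption; the article does not name them.

```shell
#!/bin/sh
# Added example: report missing shutdown/reboot binaries on a Linux host or a
# mounted firmware image. The path list is an assumption about a typical
# BusyBox-based router, not a list taken from the article.
REBOOT_BINARIES="sbin/reboot sbin/shutdown sbin/poweroff sbin/halt"

# check_reboot_binaries ROOT
# Prints one missing path per line; returns 0 if all are present, 1 otherwise.
# ROOT defaults to / so the check can run on the live system or on an
# extracted/mounted image.
check_reboot_binaries() {
    root=${1:-/}
    missing=0
    for rel in $REBOOT_BINARIES; do
        path="${root%/}/$rel"
        # -e follows symlinks, so a BusyBox symlink whose target was removed
        # is reported as missing too (a dangling link still counts as tampering).
        if [ ! -e "$path" ]; then
            echo "$path"
            missing=1
        fi
    done
    return $missing
}

# Demonstration on a constructed directory tree: a clean image, then the same
# image with two binaries removed, mimicking the behaviour described above.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/sbin"
    for b in reboot shutdown poweroff halt; do : > "$tmp/sbin/$b"; done
    check_reboot_binaries "$tmp" && echo "clean image: all binaries present"
    rm "$tmp/sbin/reboot" "$tmp/sbin/halt"
    echo "tampered image, missing:"
    check_reboot_binaries "$tmp" || true
    rm -rf "$tmp"
}

demo
```

On a real device, run `check_reboot_binaries /` after confirming that the path list matches the firmware's actual layout.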

Unlike botnets that spread via brute-force attacks, Condi uses a scanner module that checks for vulnerable TP-Link Archer AX21 devices and, when it finds one, runs a shell script fetched from a remote server to drop the malware.

The malware apparently aims to ensnare devices in order to build a powerful DDoS botnet that can be rented to third parties to launch targeted attacks on specific websites.

To that end, the Telegram channel serves as an effective promotional outlet for zxcr9999 and his “creation”. It is reasonable to expect, however, that the router manufacturer, one of the most popular in the industry, will soon provide adequate countermeasures.

Source: thehackernews.com