Cyberium Domain Targets Tenda Routers in Botnet Campaign


AT&T Alien Labs: Hackers Used Mirai Variant MooBot

Malware hosting domain Cyberium has spread Mirai variants, including one that targeted vulnerable Tenda routers, as part of a botnet campaign, AT&T Alien Labs reports.

Since March, AT&T Alien Labs, which operates an open threat intelligence community, has detected a spike in active exploitation attempts against Tenda routers by MooBot, a Mirai variant that has been active since 2019. The latest campaign targets Tenda routers whose owners have not patched a remote code execution vulnerability in the device, tracked as CVE-2020-10987.

“At the end of March, AT&T Alien Labs observed a spike in exploitation attempts for Tenda Remote Code Execution vulnerability,” says Fernando Martinez, a security researcher on the AT&T Alien Labs team. “This spike was observed throughout a significant number of clients, in the space of a few hours. This vulnerability is not commonly used by web scanners and was barely detected by our honeypots during the last six months, except for a minor peak in November.”

MooBot Campaign

The Tenda router scanning activity lasted only a day, according to AT&T Alien Labs. The malicious botnet traffic originated from a single Cyberium malware hosting domain, researchers say.

The first request to victims’ machines from this hosting page was to download a malicious script, which…