FortiGuard Labs has discovered Condi, a new DDoS botnet that is targeting vulnerable TP-Link Archer AX21 (AX1800) routers. The botnet takes use of a flaw in the routers’ web-based interface, allowing attackers to remotely execute malicious malware.
Tagged CVE-2023-1389, a high-severity bug, it was discovered in these Linux-based devices. When routers get infected, they join the botnet and may be used to perform DDoS attacks against websites and other internet services. The botnet can also detect and remove other malicious programs that are running on compromised routers.
Condi is offering the option to buy the source code for two versions of its botnet: “standard” and “private.” The standard version scans the internet for vulnerable TP-Link routers and infects them with a remote shell script. However, Condi cannot stay active after a reboot, so it deletes certain Linux files related to rebooting. It also has a processID scanner to remove other malicious processes, but this feature has been found to have flaws and doesn’t work properly, according to FortiGuard researchers.
TP-Link has released a firmware update that addresses the vulnerability.
The sources for this piece include an article in TechSpot.