A new Mirai-based botnet malware dubbed ‘ShadowV2’ was recently observed using exploits for known vulnerabilities to target various IoT devices, including those from D-Link and TP-Link. The activity was noted during a major AWS outage, suggesting the brief deployment may have been a test run for the malware.
A newly discovered Mirai-based botnet variant, named ‘ShadowV2’, was recently spotted by researchers at Fortinet’s FortiGuard Labs. This malware focuses its attacks on Internet of Things (IoT) devices from multiple vendors, notably D-Link and TP-Link, by leveraging exploits for at least eight known security vulnerabilities. The botnet’s activity was observed briefly during a significant AWS outage in October, although the two events are not directly connected. The short duration of the botnet’s operation strongly suggests that this deployment may have been a limited-scope test run by its operators.
The ShadowV2 botnet demonstrated its spreading capability by exploiting a variety of vulnerabilities across different IoT products. These included flaws in DD-WRT (CVE-2009-2765), D-Link (CVE-2020-25506, CVE-2022-37055, CVE-2024-10914, CVE-2024-10915), DigiEver (CVE-2023-52163), TBK (CVE-2024-3721), and TP-Link (CVE-2024-53375). Of particular note is CVE-2024-10914, a command injection flaw already known to be exploited and affecting End-of-Life (EoL) D-Link devices, for which the vendor has stated no patch will be issued.
Further investigation into the D-Link vulnerabilities revealed that for CVE-2024-10915, which was detailed in a November 2024 report, the company confirmed that the affected EoL models would not receive a fix. Consequently, D-Link updated an older security bulletin and published a new one specifically referencing the ShadowV2 campaign. The company used this opportunity to explicitly warn users that EoL or end-of-support devices are no longer under development and will not be receiving any further firmware updates, shifting the responsibility onto users to replace vulnerable hardware. Meanwhile, the CVE-2024-53375 flaw affecting TP-Link, also detailed in November 2024, was reportedly addressed through a beta firmware update.
According to the FortiGuard Labs analysis, the ShadowV2 attacks originated from the IP address 198[.]199[.]72[.]27. The campaign indiscriminately targeted a wide array of devices, including routers, NAS devices, and DVRs, across an extensive range of sectors. These sectors included government, technology, manufacturing, managed security service providers (MSSPs), telecommunications, and education. The botnet’s reach was global, with observed attacks spanning North and South America, Europe, Africa, Asia, and Australia, highlighting a significant threat footprint.
The malware identifies itself in its code as “ShadowV2 Build v1.0.0 IoT version” and exhibits similarities to the Mirai LZRD variant, based on the technical report provided by the researchers. The infection process begins with an initial access stage where a downloader script (binary.sh) is executed on the vulnerable device. This script then fetches the final malicious binary from a server hosted at the IP address 81[.]88[.]18[.]108, establishing the foothold for the botnet on the compromised IoT device.
Reference:
