Dark Mirai botnet discovered abusing RCE flaws in TP-Link units

Dark Mirai Botnet RCE Remote Code Execution Vulnerability Abuse Flaw TP Link Router MANGA TL-WR840N

The Dark Mirai botnet threat operators, also known as MANGA botnet, have been found exploiting a newly discovered vulnerability in the TP-link product called ‘TL-WR840N EU V5’ that gives a threat actor remote code execution capability.

The TP-Link product is either a wired or a wireless network expansion unit. It is a product that aids every household or company distribute an internet connection via Wi-Fi or Lan cable.

According to experts, botnets, especially Dark Mirai, have been updating and upgrading their capabilities to keep attacking known vulnerabilities like those seen inside TP-Link. Dark Mirai was also found to abuse a bug tracked as CVE-2021-41653 that causes vulnerable owners to show variables to execute remotely commanded instructions on the device.

Although a researcher published an advisory regarding the vulnerability mentioned above, nobody has taken it seriously, and not everyone updated their system to patch the flaw. The said vulnerability was then abused by Dark Mirai botnet for about two weeks after TP-Link released a firmware update.


Researchers discovered that Dark Mirai botnet operators abuse the RCE flaw to force the TP-Link devices to download and initiate malicious code.


When activated, the malicious code is written as “tshit[.]sh” will download the primary binary payloads with two requests. However, the malicious threat actors will still be required for authentication to execute this abuse. Fortunately for them, the authentication will be easy to overcome if the targeted device has default credentials.

Like the standard botnet variant of Mirai, the MANGA version will identify the compromised machine’s infrastructure and downloads applicable payloads. Then, it hinders connections to most targeted ports to halt other botnets from infecting their seized device. The Dark Mirai botnet will wait for the following instructions from the command-and-control server to execute a DoS (Denial-of-Service) attack.

Fortunately, it is noted by the TP-Link’s group that the vulnerability was already fixed by them during the firmware update last November.
Therefore, outdated devices that are missing new system upgrades can be prone to botnets. That is why experts recommend that updating devices every week should be implemented, and changing default credentials is necessary to avoid intrusions.

About the author

Leave a Reply