Related Families: Mirai
Executive Summary
Condi is a DDoS as a service botnet based on Mirai. It has been observed leveraging CVE-2023-1389 to propagate.
Key Takeaways
- Condi is a DDoS as a service botnet based on Mirai.
- Condi has been observed leveraging CVE-2023-1389, a command injection vulnerability affecting TP-Link Archer AX21 (AX1800) routers, to spread.
- Condi uses multiple techniques to maintain persistence and to prevent infections from rival botnets, attempting to terminate their processes
What is Condi?
Fortinet recently reported on Condi, a DDoS as a service botnet. Condi has been observed leveraging CVE-2023-1389 to spread. CVE-2023-1389 is a command injection vulnerability affecting TP-Link Archer AX21 (AX1800) routers. Condi has been extremely active since late May 2023. Fortinet discovered Condi operating a DDoS as a service botnet, with the Condi Network Telegram channel advertising its services. The Telegram channel was created in May 2022.
Condi is based on the Mirai botnet. In order to propagate, Condi embeds a single scanner based on Mirai’s original Telnet scanner and scans for public IPs with open ports 80 or 8080. It then sends a hardcoded request to download and execute a remote shell script, which infects devices that are vulnerable to CVE-2023-1389 with Condi. Condi has been observed using other exploits in addition to CVE-2023-1389.
Condi uses multiple techniques to maintain persistence and to prevent infections from rival botnets attempting to terminate their processes. It also appears to remove outdated versions of itself. However, Condi cannot survive a system shutdown or reboot. For this reason, it deletes multiple binaries used to shut down or reboot the system.
IOCs
PolySwarm has multiple samples of Condi.
291e6383284d38f958fb90d56780536b03bcc321f1177713d3834495f64a3144
593e75b5809591469dbf57a7f76f93cb256471d89267c3800f855cabefe49315
091d1aca4fcd399102610265a57f5a6016f06b1947f86382a2bf2a668912554f
5e841db73f5faefe97e38c131433689cb2df6f024466081f26c07c4901fdf612
ccda8a68a412eb1bc468e82dda12eb9a7c9d186fabf0bbdc3f24cd0fb20458cc
4e3fa5fa2dcc6328c71fed84c9d18dfdbd34f8688c6bee1526fd22ee1d749e5a
f7fb5f3dc06aebcb56f7a9550b005c2c4fc6b2e2a50430d64389914f882d67cf
449ad6e25b703b85fb0849a234cbb62770653e6518cf1584a94a52cca31b1190
509f5bb6bcc0f2da762847364f7c433d1179fb2b2f4828eefb30828c485a3084
e7a4aae413d4742d9c0e25066997153b844789a1409fd0aecce8cc6868729a15
cbff9c7b5eea051188cfd0c47bd7f5fe51983fba0b237f400522f22ab91d2772
f5968ced46e935dbe5f5e82dc635dc85090b3edf17e399edd40474a69ce5be8e
You can use the following CLI command to search for all Condi samples in our portal:
$ polyswarm link list -f Condi
Don’t have a PolySwarm account? Go here to sign up for a free Community plan or to subscribe.
Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports