ESET cybersecurity experts: It’s a banking trojan that has already targeted users from Poland, impersonating Bolt Food. Goal: to steal banking-cryptocurrency credentials.
Fortinet: Hikvision products have been actively targeted by Moobot. The threat actors leverage the critical vulnerability CVE-2021-36260 to install and run the malware, a Mirai botnet variant.
The Hikvision IP Network Video Recorder (NVR) products are still being actively targeted by cybercriminals using Moobot, a Mirai-based DDoS botnet, by way of a critical vulnerability: CVE-2021-36260. It was discovered by Fortinet cybersecurity experts. CVE-2021-36260 results from insufficient input validation, which allows unauthenticated users to inject a downloader into a <language> tag and trigger a command injection attack on a Hikvision product. The malicious code then installs the main botnet, Moobot. It downloads the malware with the “/arm5” URI from server 199.195.250[.]233:80 and prints “RAY” if the download was successful. Moobot also has some elements from Satori, another Mirai variant botnet.
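A detection-side illustration of the two observables described above, added here and not taken from Fortinet or the original article: it flags request bodies whose <language> element holds anything other than a plain locale token, and flow-log lines showing a fetch of /arm5 from the reported server. The `dst=… uri=…` log format, the locale-token rule and all sample inputs are assumptions constructed for the example.

```python
import re

# Indicators taken from the article (defanged there; refanged only for matching).
IOC_SERVER = "199.195.250[.]233".replace("[.]", ".")
IOC_URI = "/arm5"

LANG_RE = re.compile(r"<language>(.*?)</language>", re.I | re.S)
# Assumption: a legitimate value is a short locale-style token ("en", "zh-CN").
SAFE_LANG = re.compile(r"[A-Za-z]{2,8}(?:[-_][A-Za-z0-9]{2,8})?")
# Assumption: hypothetical flow/proxy log layout "src=<ip> dst=<host:port> uri=<path>".
FLOW_RE = re.compile(r"dst=(\S+)\s+uri=(\S+)")


def check_inbound_body(body):
    """Return a finding for every <language> value that is not a plain locale token."""
    findings = []
    for value in LANG_RE.findall(body):
        value = value.strip()
        if not SAFE_LANG.fullmatch(value):  # empty or metacharacter-laden values land here
            findings.append("suspicious <language> value: %r" % value)
    return findings


def check_outbound(line):
    """Label a flow-log line: 'ioc-server', 'ioc-uri-only', or None if unremarkable."""
    m = FLOW_RE.search(line)
    if not m:
        return None
    host = m.group(1).rsplit(":", 1)[0]
    if host == IOC_SERVER:
        return "ioc-server"
    if m.group(2) == IOC_URI:
        return "ioc-uri-only"  # same URI from another host: weaker signal, review manually
    return None


# Constructed sample inputs (not captured traffic).
SAMPLE_BODIES = [
    '<?xml version="1.0"?><language>en</language>',
    '<?xml version="1.0"?><language>en;CONSTRUCTED_COMMAND</language>',
]
SAMPLE_FLOWS = [
    "src=10.0.0.20 dst=%s:80 uri=%s" % (IOC_SERVER, IOC_URI),
    "src=10.0.0.20 dst=192.0.2.5:80 uri=%s" % IOC_URI,
    "src=10.0.0.20 dst=192.0.2.5:80 uri=/index.html",
]

if __name__ == "__main__":
    for body in SAMPLE_BODIES:
        print(check_inbound_body(body))
    for flow in SAMPLE_FLOWS:
        print(check_outbound(flow))
```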