Today's cybersecurity headlines are brought to you by ThreatPerspective


Ethical Hacking News

New Ballista Botnet Spreads Using TP-Link Flaw: A Complex Web of Exploitation and Malware




A new botnet has emerged that is exploiting a remote code execution (RCE) vulnerability in TP-Link Archer routers, targeting over 6,000 devices worldwide. The Ballista botnet uses this vulnerability to spread automatically, injecting malicious payloads and establishing encrypted C2 channels on port 82. With the potential for DoS/DDoS attacks and significant consequences for organizations and individuals, it is essential to take immediate action to patch devices and protect against this threat.

  • The Ballista botnet is exploiting a remote code execution (RCE) vulnerability in TP-Link Archer routers, tracked as CVE-2023-1389.
  • The flaw is in the locale API of the Archer AX21's web management interface, which does not sanitize its input; an unauthenticated attacker who can reach the interface can inject commands that the router then executes.
  • Cato CTRL has tracked the botnet since early 2025; it has targeted more than 6,000 devices worldwide and uses the same flaw to spread from router to router automatically.
  • The malware executes a cleartext shell dropper named dropbpb.sh, which downloads and executes malicious binaries, establishes an encrypted C2 channel on port 82, and can execute remote shell commands or launch DoS/DDoS attacks.
  • It is essential for individuals and organizations to prioritize software updates, implement robust security measures, and remain vigilant in the face of evolving threats.



    The Ballista botnet is exploiting a remote code execution (RCE) vulnerability in TP-Link Archer routers. The flaw, tracked as CVE-2023-1389 (CVSS score 8.8), resides in the locale API of the web management interface of the TP-Link Archer AX21 router.

    The root cause is a lack of input sanitization in the locale API, the part of the interface that manages the router's language settings. A value supplied to that API is passed into a command that the device executes, so an attacker who can reach the interface without authenticating can inject shell commands of their own. In practice this means that anyone who can reach the management interface, on the LAN or from the internet where the interface is exposed on the WAN side, can take control of the router.
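    The bug class behind the locale API flaw is easiest to see side by side with its fix. The following is an added example written for this page, not TP-Link's firmware code: a minimal model of a locale handler that applies a country setting by running a shell command. The parameter name "country" and the use of `echo` as a stand-in for the real locale helper are assumptions made for illustration; the vulnerable version splices the request value into a command string for `sh -c`, while the hardened version allowlists the value and runs the helper with an argv list so no shell ever interprets it.

```python
import re
import subprocess

# Added example, not TP-Link firmware code. The "country" parameter and the
# use of `echo` in place of the real locale helper are assumptions.
COUNTRY_RE = re.compile(r"[A-Z]{2}")  # ISO 3166-1 alpha-2 style code


def apply_locale_vulnerable(country: str) -> str:
    """The unsanitized pattern: the request parameter is spliced into a
    command string and handed to `sh -c`, so shell metacharacters in the
    value are interpreted as additional commands."""
    command = f"echo locale={country}"
    result = subprocess.run(command, shell=True, capture_output=True, text=True)
    return result.stdout.strip()


def is_valid_country(country: str) -> bool:
    """Allowlist check: exactly two uppercase letters and nothing else."""
    return COUNTRY_RE.fullmatch(country) is not None


def apply_locale_hardened(country: str) -> str:
    """Validate against the allowlist, then run the helper with an argv
    list and no shell, so even a value that somehow slipped past the
    check could not inject a command."""
    if not is_valid_country(country):
        raise ValueError(f"rejected locale value: {country!r}")
    result = subprocess.run(
        ["echo", f"locale={country}"], capture_output=True, text=True, check=True
    )
    return result.stdout.strip()


if __name__ == "__main__":
    print(apply_locale_vulnerable("US"))
    # The injected second command runs in the vulnerable handler.
    print(apply_locale_vulnerable("US; echo INJECTED"))
    print(apply_locale_hardened("US"))
    try:
        apply_locale_hardened("US; echo INJECTED")
    except ValueError as exc:
        print("hardened handler:", exc)
```

    The allowlist is the primary control; the argv-list call is defence in depth. Note that simply escaping quotes would not be enough, since `$(...)` and `;` survive naive quoting rules in many hand-rolled sanitizers.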

    The vulnerability was first demonstrated at the Pwn2Own Toronto 2022 event, where Team Viettel and Qrious Security showed working exploits against the LAN and WAN interfaces respectively. Since early 2025, Cato CTRL has tracked the Ballista botnet exploiting CVE-2023-1389 on TP-Link Archer routers and using the same flaw to spread from one infected router to the next automatically.

    The researchers first detected the botnet on January 10, 2025; later samples switched to Tor domains for their infrastructure, making the operation harder to track and block. The most recent attack attempt was observed on February 17. This change in tactics shows how quickly botnet operators adjust their infrastructure to evade detection and expand their reach.

    The Cato report gives a detailed breakdown of the infection chain. The initial exploit injects a payload that downloads and executes a cleartext shell dropper named dropbpb.sh. The dropper fetches the malware binaries, sets full permissions on them so they can be executed, and starts them as a background process on the compromised device.

    Once running, the dropper tries several directories on the device to download and launch the malware, then removes itself from disk. The malware then performs persistence, system exploration, and anti-detection steps to keep control of the device: it kills any previous instances of itself, deletes its own file to hinder detection, reads system configuration files, and establishes an encrypted C2 channel on TCP port 82.

    Over this C2 channel the operator can instruct the malware to spread further by exploiting CVE-2023-1389 on other routers, to execute arbitrary shell commands, or to launch DoS/DDoS attacks. The researchers also note that the payload is hosted on an attacker-controlled server (2.237.57[.]70) and served over plain HTTP on port 81.

    The malware is built to survive on the device: it persists across reboots and, because it deletes its own file from disk after launch, leaves little for a simple file-system inspection to find. Combined with the anti-detection techniques described in the report, this lets it remain active for long periods on routers that are rarely inspected.

    The researchers have also observed that the Ballista botnet can be used to launch DoS/DDoS attacks, which can have significant consequences for organizations and individuals alike. These types of attacks can disrupt critical infrastructure, compromise online services, and damage reputations.

    The spread of the Ballista botnet highlights the importance of keeping software up-to-date, particularly for devices that are not regularly monitored or patched. This includes TP-Link Archer routers, which may be vulnerable to exploitation if left unpatched.

    In response to this threat, security experts recommend that individuals and organizations patch affected devices promptly. That means installing the TP-Link firmware update that fixes CVE-2023-1389 on Archer AX21 routers, disabling WAN-side remote management so the web interface (and with it the locale API) is not reachable from the internet, and adding further controls such as firewalls and intrusion detection systems in front of devices that cannot be updated immediately.

    Furthermore, it is essential to monitor for signs of botnet activity. For Ballista the concrete signs on the page are requests to the router's locale API that carry shell metacharacters, and unexpected outbound connections from routers to unfamiliar hosts on TCP ports 81 (payload download) and 82 (C2). Early detection and response are critical to limiting the impact of a compromised router and the attacks it can be used for.
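    The infection chain and the monitoring advice above translate directly into detection logic. The following is an added example written for this page, not code from the Cato report: it runs two checks over constructed sample records, a web-interface access log in Common Log Format and a list of outbound flow records. The only indicators taken from the text are the payload host 2.237.57[.]70 on TCP/81 and the C2 port TCP/82; the endpoint path and the "country" parameter in the sample log lines are assumptions about how the locale API is addressed, and all addresses are documentation ranges.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Indicators from the text above: payload server on TCP/81, C2 on TCP/82.
PAYLOAD_HOST = "2.237.57.70"
PAYLOAD_PORT = 81
C2_PORT = 82

# Constructed sample records, not captured traffic. The endpoint path and the
# "country" parameter are assumptions about how the locale API is addressed.
ACCESS_LOG = """\
192.0.2.10 - - [10/Jan/2025:03:14:07 +0000] "GET /cgi-bin/luci/;stok=/locale?form=country&operation=read HTTP/1.1" 200 52
198.51.100.23 - - [10/Jan/2025:03:15:41 +0000] "POST /cgi-bin/luci/;stok=/locale?form=country&operation=write&country=US%3Bid HTTP/1.1" 200 17
192.0.2.10 - - [10/Jan/2025:03:16:02 +0000] "GET /cgi-bin/luci/;stok=/admin/status HTTP/1.1" 200 1820
""".splitlines()

FLOWS = [
    # (source, destination, destination port)
    ("10.0.0.1", "2.237.57.70", 81),    # dropper fetching its binaries
    ("10.0.0.1", "203.0.113.5", 82),    # C2 channel
    ("10.0.0.7", "198.51.100.2", 443),  # ordinary HTTPS, not flagged
    ("10.0.0.1", "203.0.113.5", 80),    # neither indicator matches, not flagged
]

CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
# Characters a shell would treat as command separators or substitutions.
SHELL_META = re.compile(r"[;&|`$(){}<>\n]")


def locale_injection_attempts(lines):
    """Return (client, method, parameter, decoded value) for requests to the
    locale endpoint whose query string carries shell metacharacters."""
    hits = []
    for line in lines:
        m = CLF_RE.match(line)
        if not m:
            continue
        client, method, target, _status = m.groups()
        url = urlsplit(target)
        if not url.path.endswith("/locale"):
            continue
        # parse_qs percent-decodes, so "US%3Bid" is inspected as "US;id".
        for name, values in parse_qs(url.query).items():
            for value in values:
                if SHELL_META.search(value):
                    hits.append((client, method, name, value))
    return hits


def suspicious_flows(flows):
    """Return (source, destination, port, reason) for outbound flows that
    match the Ballista indicators named on the page."""
    hits = []
    for src, dst, dport in flows:
        if dport == C2_PORT:
            hits.append((src, dst, dport, "outbound to C2 port"))
        elif dst == PAYLOAD_HOST and dport == PAYLOAD_PORT:
            hits.append((src, dst, dport, "payload host on port 81"))
    return hits


if __name__ == "__main__":
    for hit in locale_injection_attempts(ACCESS_LOG):
        print("locale injection attempt:", hit)
    for hit in suspicious_flows(FLOWS):
        print("suspicious flow:", hit)
```

    The flow check is deliberately narrow: it keys on a single published payload host and the C2 port, so it will miss the Tor-based infrastructure the report describes. The access-log check is the more durable of the two, since it detects the exploitation attempt itself rather than one operator's infrastructure.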

    In conclusion, the spread of the Ballista botnet highlights the complex web of exploitation and malware that exists in modern cybersecurity threats. It is crucial for individuals and organizations to prioritize software updates, implement robust security measures, and remain vigilant in the face of evolving threats.







    Related Information:
  • https://www.ethicalhackingnews.com/articles/New-Ballista-Botnet-Spreads-Using-TP-Link-Flaw-A-Complex-Web-of-Exploitation-and-Malware-ehn.shtml

  • Published: Wed Mar 12 18:42:13 2025 by llama3.2 3B Q4_K_M















    © Ethical Hacking News . All rights reserved.
