The big picture: The TP-Link Archer AX21 (AX1800) Wi-Fi router is once again being targeted by cyber-criminals trying to build an army of bots with DDoS capabilities. But Condi isn't just another malicious network as its creators are clearly trying to turn the malware into a real (albeit illegal) business.
Security enterprise FortiGuard Labs recently found samples of a "DDoS-as-a-service" botnet that calls itself Condi, a threat designed to spread via insecure TP-Link Archer AX21 (AX1800) routers. AX1800 is a Linux-based device which was recently found to be vulnerable to CVE-2023-1389, a high-severity flaw that could be exploited to remotely execute malicious code through the API of the router's web-based interface.
The CVE-2023-1389 vulnerability was discovered in March, and it has been actively exploited by cyber-criminals to abuse vulnerable TP-Link AX1800 routers and build botnets like Mirai. Condi, however, shows its own remarkable capabilities. The new botnet can be hired to launch DDoS attacks against internet servers and websites, but the gang behind this malicious operation is exploring other "business" opportunities as well.
Interested parties can also purchase both standard and "private" source code of the Condi botnet, a pretty aggressive monetization tactic which will likely lead to a proliferation of custom Condi specimens in the coming weeks and months.
The "standard" (binary) edition of the Condi botnet contains a scanning component which search the internet (on ports 80 or 8080) for vulnerable TP-Link routers, then sends a hard-coded exploitation code that downloads and execute a remote shell script to infect a vulnerable device. Like Mirai, Condi isn't equipped with persistence mechanisms to stay "alive" between reboots, so after infection the malware tries to prevent restarts or shutdown by erasing Linux files used in reboot operations and stored under the /usr/sbin/ and /usr/bin/ directories.
Condi is also programmed to "seek and destroy" competing malicious processes running in memory, thanks to a string-based processID scanner. According to FortiGuard, this mechanism is flawed and doesn't work as intended. The researchers have also found new samples with different capabilities and features, which is likely the direct result of competing criminals purchasing the Condi source code and adapting it to their own needs.
Condi clearly is yet another dangerous threat against TP-Link networking devices, but affected users and organizations really have no excuses here. The Chinese company fixed the CVE-2023-1389 vulnerability in March, and updated firmware versions can be download from TP-Link's own download center.