Researchers at Fortinet have warned of a new variant of the Gafgyt botnet, dubbed C0XMO. The malware targets routers with DD-WRT firmware, but researchers have also identified versions for ARM, MIPS, PowerPC, SuperH, x86, x86_64, and other architectures.
According to experts, the main feature of C0XMO is its modular architecture, which allows malware operators to update vulnerability exploitation mechanisms, add support for new architectures, and expand the malware’s capabilities without modifying its primary payload.
Like other members of the Gafgyt family, the new botnet is built for DDoS attacks. Its arsenal comprises 19 attack methods, including UDP, TCP, SYN and ICMP floods, NTP and Memcached amplification, and several techniques aimed at Discord and Valve's game services. According to the researchers, the botnet was recently used in attacks against an unnamed Japanese technology company.
To infect routers, the malware exploits an old DD-WRT vulnerability, CVE-2021-27137. The bug is a buffer overflow caused by improper handling of user input, and the report says it allows unauthenticated remote code execution.
Once a device is compromised, C0XMO downloads a Python script that installs the additional libraries it needs for network scanning and for SSH and Telnet access. The bot then looks for new victims by scanning the internet for hosts with common ports open (including 22, 23, 80, 443, 7547, 8080, 8443 and 8888).
When a suitable target is found, C0XMO attempts to brute-force SSH or Telnet credentials, determines the target's architecture, and downloads the matching binary. The researchers note that the script implements about twenty functions for detecting and exploiting various bugs, fingerprinting the architecture, and checking whether hosts are reachable.
To persist, the malware copies itself into hidden directories (such as /tmp/.sys, /var/tmp/.sys and /dev/shm/.sys) and installs cron jobs that relaunch the binary every 15 minutes. It also modifies shell startup scripts so that it is executed automatically after each reboot.
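The persistence pattern described above (hidden .sys directories, a 15-minute cron relaunch, edited shell startup files) is straightforward to hunt for on a suspect host or a mounted filesystem image. The following triage script is an added example written for this article; it is not Fortinet's code or anything recovered from the malware. The three hidden directories come from the report; the cron locations and startup files it checks are the author's assumptions about where such artifacts normally live on Linux and BusyBox-based systems, and the sample tree it builds for demonstration is constructed data.

```python
"""Triage helper for the C0XMO persistence pattern (added example, not Fortinet's code).

Scans a filesystem root (a live host with root="/", or a mounted image) for:
  * the hidden directories named in the report (/tmp/.sys, /var/tmp/.sys, /dev/shm/.sys)
  * cron entries that reference those directories, noting the */15 schedule
  * shell startup files that reference those directories
"""
import os
import re
import tempfile
from typing import Dict, List, Tuple

# Taken from the report.
HIDDEN_DIRS = ["tmp/.sys", "var/tmp/.sys", "dev/shm/.sys"]

# Assumed locations; not from the report.
STARTUP_FILES = ["etc/profile", "etc/rc.local", "etc/init.d/rcS",
                 "root/.profile", "root/.bashrc"]
CRON_PATHS = ["etc/crontab", "etc/cron.d", "var/spool/cron/crontabs"]

SYS_REF = re.compile(r"/(?:var/)?tmp/\.sys|/dev/shm/\.sys")
EVERY_15_MIN = re.compile(r"^\s*\*/15\s+\*\s+\*\s+\*\s+\*\s")


def _read_lines(path: str) -> List[str]:
    """Read a file's lines; unreadable or missing files yield nothing."""
    try:
        with open(path, "r", errors="replace") as fh:
            return fh.read().splitlines()
    except OSError:
        return []


def _cron_files(root: str):
    """Yield every crontab-like file under the assumed cron locations."""
    for rel in CRON_PATHS:
        p = os.path.join(root, rel)
        if os.path.isdir(p):
            for name in sorted(os.listdir(p)):
                yield os.path.join(p, name)
        elif os.path.isfile(p):
            yield p


def find_persistence_indicators(root: str = "/") -> Dict[str, List[str]]:
    """Return indicators grouped by type; an empty dict means nothing found."""
    hits = {"hidden_dirs": [], "cron": [], "startup": []}
    for rel in HIDDEN_DIRS:
        p = os.path.join(root, rel)
        if os.path.isdir(p):
            hits["hidden_dirs"].append(p)
    for cron in _cron_files(root):
        for line in _read_lines(cron):
            if line.lstrip().startswith("#") or not SYS_REF.search(line):
                continue
            tag = " (every 15 min)" if EVERY_15_MIN.match(line) else ""
            hits["cron"].append(f"{cron}: {line.strip()}{tag}")
    for rel in STARTUP_FILES:
        p = os.path.join(root, rel)
        for line in _read_lines(p):
            if SYS_REF.search(line) and not line.lstrip().startswith("#"):
                hits["startup"].append(f"{p}: {line.strip()}")
    return {k: v for k, v in hits.items() if v}


def build_sample_root(base: str) -> str:
    """Build a constructed fixture tree that mimics an infected host."""
    os.makedirs(os.path.join(base, "tmp/.sys"), exist_ok=True)
    os.makedirs(os.path.join(base, "var/spool/cron/crontabs"), exist_ok=True)
    os.makedirs(os.path.join(base, "root"), exist_ok=True)
    with open(os.path.join(base, "var/spool/cron/crontabs/root"), "w") as fh:
        fh.write("*/15 * * * * /tmp/.sys/x >/dev/null 2>&1\n")
        fh.write("0 3 * * * /usr/sbin/logrotate\n")  # benign entry, must not be flagged
    with open(os.path.join(base, "root/.profile"), "w") as fh:
        fh.write("# ~/.profile\nexport PATH=$PATH:/usr/local/bin\n/dev/shm/.sys/x &\n")
    return base


def demo() -> Tuple[str, Dict[str, List[str]]]:
    """Scan a freshly built fixture tree and return (root, indicators)."""
    root = build_sample_root(tempfile.mkdtemp())
    return root, find_persistence_indicators(root)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else demo()[0]
    for kind, items in find_persistence_indicators(target).items():
        for item in items:
            print(f"[{kind}] {item}")
```

Run it with no arguments to scan the constructed fixture, or pass `/` (or the mount point of an image) to triage a real system. It deliberately keys on the directory names rather than on the 15-minute schedule alone, since a `*/15` cron entry by itself is common in benign monitoring jobs; the schedule is only reported as additional context.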
Another feature of C0XMO is that it eliminates competing malware. After infecting a device, it inspects the list of running processes for other botnet clients, penetration-testing tools, and services that could interfere with its operation. Any matches are killed, and their binaries and persistence mechanisms are removed.
The bot then connects to a hard-coded command-and-control server, completes a multi-step authentication exchange, and waits for instructions. From there, C0XMO's operators can launch new scans, manage the infected systems, and run DDoS attacks using any of the available methods.
Fortinet notes that, compared to previous IoT botnets, C0XMO’s architecture appears more mature and sophisticated, distinguishing it from other members of the Gafgyt family.