A new variant of the Gafgyt botnet, known as C0XMO, targets DD-WRT router firmware and can spread to different device types with different CPU architectures.
Researchers found samples for ARM, MIPS, PowerPC, SuperH, x86, x86_64, and other architectures, including exploits for DVRs, routers, video management platforms, and Android-based devices.
The botnet was believed to be targeting Japanese technology companies, but researchers found that the source IP address belonged to a device located in Germany.
Fortinet researchers discovered C0XMO and highlighted its modular design, which lets operators update their exploitation techniques, add or remove target architectures, and extend lateral movement capabilities independently of the main payload.
At its core, C0XMO is still malware that launches distributed denial-of-service (DDoS) attacks, supporting 19 methods including UDP/TCP/SYN/ICMP floods, "ping of death," NTP/Memcached amplification, Discord voice UDP floods, and Valve-specific floods.
According to the researchers, the C0XMO botnet malware is distributed by exploiting CVE-2021-27137, a buffer overflow vulnerability caused by insufficient validation of user input. It can be exploited without authentication, leading to arbitrary code execution.
[Figure: Gafgyt scanner]
For wider distribution, C0XMO downloads a Python script that installs additional packages such as "requests", "paramiko", and "Beautifulsoup4". These packages are required to scan and communicate with the network and to perform actions over the SSH and Telnet protocols.
The scanner then uses worker threads to randomly scan internet-connected systems on common ports such as 22 (SSH), 23 (Telnet), 80/443 (HTTP/HTTPS), 7547, 8080, 8443, and 8888.
After finding a target, the malware attempts to brute-force weak Telnet and SSH credentials, detect the CPU architecture, and deploy a compatible C0XMO binary.
The script contains around 24 functions for various tasks such as scanning, exploiting HTTP and ADB-based vulnerabilities, detecting CPU architecture, SSH/Telnet login, and checking IP addresses. Its main purpose is to move laterally across the network.
Once the malware gains access to the device, it copies itself to hidden locations such as "/tmp/.sys", "/var/tmp/.sys", and "/dev/shm/.sys" and creates a cron job that restarts it every 15 minutes. The shell startup file is also modified so that the malware is executed automatically.
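The persistence artifacts described above (hidden drop paths, a 15-minute cron restart, and shell start-up file entries) are straightforward to check for on a Linux host. The following is an added example written for this article, not Fortinet's or the malware's own code; the set of start-up files, the sample crontab and profile contents are constructed, and the `exists` callback is injectable so the demo runs offline.

```python
import re
from pathlib import Path

# Hidden drop locations named in the article.
DROP_PATHS = ("/tmp/.sys", "/var/tmp/.sys", "/dev/shm/.sys")
# Cron schedule matching the reported 15-minute restart (minute field "*/15").
FIFTEEN_MIN = re.compile(r"^\*/15(\s+\S+){4}\s")

def find_drop_files(exists=Path.exists):
    """Return the drop paths present on this host; exists() is injectable for testing."""
    return [p for p in DROP_PATHS if exists(Path(p))]

def find_references(text):
    """Return non-comment lines of a crontab or shell start-up file that invoke a drop path."""
    hits = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if any(p in stripped for p in DROP_PATHS):
            hits.append(stripped)
    return hits

def is_periodic_restart(cron_line):
    """True when a cron line both runs every 15 minutes and references a drop path."""
    return bool(FIFTEEN_MIN.match(cron_line)) and any(p in cron_line for p in DROP_PATHS)

def check_host(crontab_text, profiles, exists=Path.exists):
    """Build a findings dict from crontab contents and a {path: contents} map of start-up files."""
    cron_hits = find_references(crontab_text)
    profile_hits = {}
    for name, text in profiles.items():
        hits = find_references(text)
        if hits:
            profile_hits[name] = hits
    return {
        "drop_files": find_drop_files(exists),
        "cron": cron_hits,
        "cron_15min": [line for line in cron_hits if is_periodic_restart(line)],
        "profiles": profile_hits,
    }

# Constructed sample input modelled on the behaviour described above (not real captures).
SAMPLE_CRONTAB = "# m h dom mon dow command\n*/15 * * * * /tmp/.sys >/dev/null 2>&1\n0 3 * * * /usr/bin/logrotate /etc/logrotate.conf\n"
SAMPLE_PROFILES = {
    "/root/.bashrc": "alias ll='ls -la'\n/dev/shm/.sys &\n",
    "/etc/profile": "export PATH=/usr/local/bin:$PATH\n",
}

if __name__ == "__main__":
    # Offline demo: exists() is stubbed; on a live host leave it at the default.
    print(check_host(SAMPLE_CRONTAB, SAMPLE_PROFILES, exists=lambda p: False))
```

On a real host, pass the contents of /etc/crontab, the per-user crontabs and the shell start-up files of the accounts in use, and leave `exists` at its default so the drop paths are actually stat'ed.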
Additionally, C0XMO actively scans running processes to identify and terminate competing botnet clients on the host, as well as red teaming tools, programming tools, and network services that may interfere with its operation.
This is done by removing binaries and persistence mechanisms such as cron jobs, init scripts, system services, and shell profile entries.

Source: Fortinet
It then uses a custom multi-stage handshake that includes a magic string and a shared secret to connect to a hardcoded command-and-control (C2) address and wait for commands.
Supported commands include heartbeat checks, starting and stopping scans, and launching DDoS attacks using any of the 19 supported methods.
General recommendations to protect against C0XMO and other botnet malware are to keep devices up to date, use unique administrator credentials, and disable remote access features when they are not needed.
Fortinet describes C0XMO as having "a significantly more advanced architecture and feature set compared to earlier IoT botnets."
The researchers note that the overall design of the malware reflects "higher operational sophistication and complexity than typical Gafgyt malware."
