C0XMO Botnet Targets DD-WRT Routers

June 7, 2026 20:00 · 12 min read
C0XMO Botnet Exploits DD-WRT Router Flaw

A new variant of the Gafgyt botnet, called C0XMO, has been discovered targeting DD-WRT router firmware, with the ability to move to other device types with various CPU architectures, including ARM, MIPS, PowerPC, SuperH, x86, x86_64, and others.

Researchers observed the botnet targeting a Japanese technology company, although the source IP address belonged to a device located in Germany. The C0XMO botnet malware is delivered by exploiting CVE-2021-27137, a buffer overflow vulnerability caused by insufficient validation of user input, which can be leveraged without authentication and leads to arbitrary code execution.

Modular Design and Capabilities

Fortinet researchers discovered C0XMO and highlighted its modular design, which allows operators to update its exploitation techniques, add or remove targeted architectures, and expand its lateral movement capabilities independently of the main payload. The botnet supports 19 methods for launching distributed denial-of-service (DDoS) attacks, including UDP/TCP/SYN/ICMP floods, “ping of death,” NTP/Memcached amplification, Discord voice UDP floods, and Valve-specific floods.

C0XMO downloads a Python script that installs additional packages, such as ‘requests,’ ‘paramiko,’ and ‘beautifulsoup4,’ which are required for network scanning and communication, and for running activities over SSH and telnet protocols. The scanner then uses worker threads to randomly scan internet-facing systems on common ports like 22 (SSH), 23 (Telnet), 80/443 (HTTP/HTTPS), 7547, 8080, 8443, 8888, and others.

Lateral Movement and Persistence

After finding a target, the malware attempts to brute-force weak Telnet and SSH credentials, detects the CPU architecture, and deploys a compatible C0XMO binary. The script contains almost two dozen functions for various tasks, including scanning, exploiting HTTP and ADB-based vulnerabilities, detecting the CPU architecture, SSH/telnet login, and checking IP addresses. Its main purpose is to move laterally on the network.

Once it gains access to a device, the malware copies itself to hidden locations, such as ‘/tmp/.sys,’ ‘/var/tmp/.sys,’ and ‘/dev/shm/.sys,’ and then creates cron jobs that relaunch it every 15 minutes. Also, shell startup files are modified to enable automatic execution.
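A small hunt over crontab and shell startup contents for the persistence indicators described above (the three hidden `.sys` drop paths and the 15-minute relaunch cadence). This is an added example, not code from the report or from Fortinet; the sample crontab and profile text are constructed, and treating a `*/15` minute field as a signal on its own is a heuristic assumption.

```python
import re
from typing import List, Tuple

# Hidden drop locations named in the report.
HIDDEN_PATHS = ("/tmp/.sys", "/var/tmp/.sys", "/dev/shm/.sys")

# Cron minute field that fires every 15 minutes (*/15), the relaunch cadence
# described in the report. Assumption: used only as a weak, secondary signal.
CRON_EVERY_15 = re.compile(r"^\s*\*/15\s")

Hit = Tuple[int, str, str]  # (line number, reason, stripped line)


def _scan(text: str, check_schedule: bool) -> List[Hit]:
    """Walk lines of a crontab or shell startup file and flag suspicious entries."""
    hits: List[Hit] = []
    for no, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank lines and comments carry no command
        if any(path in stripped for path in HIDDEN_PATHS):
            hits.append((no, "hidden-path", stripped))
        elif check_schedule and CRON_EVERY_15.match(stripped):
            hits.append((no, "15-minute-schedule", stripped))
    return hits


def scan_crontab(text: str) -> List[Hit]:
    """Flag crontab entries referencing the hidden paths or running every 15 minutes."""
    return _scan(text, check_schedule=True)


def scan_profile(text: str) -> List[Hit]:
    """Flag shell startup lines (.profile, .bashrc, rc.local) that launch from the hidden paths."""
    return _scan(text, check_schedule=False)


# Constructed sample input (not taken from the report).
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /sbin/backup.sh
*/15 * * * * /tmp/.sys/.x >/dev/null 2>&1
*/15 * * * * /usr/bin/log_rotate_check
"""
SAMPLE_PROFILE = """\
export PATH=/usr/local/bin:$PATH
(/dev/shm/.sys/.x &) 2>/dev/null
"""

if __name__ == "__main__":
    for hit in scan_crontab(SAMPLE_CRONTAB) + scan_profile(SAMPLE_PROFILE):
        print(hit)
```

A `hidden-path` hit is a strong indicator; a `15-minute-schedule` hit on its own needs triage, since legitimate maintenance jobs use the same cadence.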

Competitor Botnet Client Removal

C0XMO actively scans running processes to identify competitor botnet clients on the host, as well as red-team tools, programming tools, and network services that may interfere with its operation, and terminates them. It does so by deleting binaries and removing their persistence mechanisms, including cron jobs, init scripts, system services, and shell profile entries.

The malware then connects to a hardcoded command-and-control (C2) address using a custom multi-stage handshake that includes magic strings and shared secrets, and then awaits commands. The supported commands include heartbeat checks, starting and stopping scans, and launching DDoS attacks using one of the 19 supported methods.

Recommendations for Defense

The general recommendation for defending against C0XMO and other botnet malware is to keep devices up to date, use unique admin credentials, and disable remote access capabilities when not needed. Fortinet describes C0XMO as having "a considerably more advanced architecture and feature set compared to earlier IoT botnets." The researchers note that the overall design of the malware indicates "a greater degree of operational sophistication and complexity than typical Gafgyt malware."


Source: BleepingComputer