LIVE · cybersecurity feed
iothigh

Inside the Cross-Platform Propagation of a New Gafgyt Variant C0XMO

zeroday.news·35d ago
ShareXLinkedInWhatsAppFacebook

FortiGuard Labs has identified a new variant of the Gafgyt botnet, dubbed C0XMO, which exhibits cross-platform propagation capabilities by exploiting a vulnerability in DD-WRT router firmware. The malware, discovered in March, utilizes CVE-2021-27137 to gain initial access. A notable characteristic of C0XMO is its separation of lateral movement functions into a distinct Python script, allowing for more efficient targeting of diverse system architectures and device types.

The exploitation of CVE-2021-27137, a stack buffer overflow flaw within the UPnP service of vulnerable DD-WRT firmware, is the primary infection vector. Attackers send specially crafted M-SEARCH requests via UDP port 1900, which the SSDP parser in the affected firmware mishandles when encountering oversized ST:uuid: values. While an attack was observed targeting a Japanese technology firm, the originating IP address was traced to Germany. Once compromised, the affected host downloads the malware to a temporary directory.

Analysis of C0XMO revealed multiple compiled samples for various Linux architectures, including ARM, MC68000, MIPS R3000, PowerPC, SuperH, Intel 80836, and AMD64. This broad compilation strategy enhances the botnet's reach across a wide range of devices.

C0XMO shares common traits with other Gafgyt variants, such as employing weak-credential brute-force attacks against Telnet and SSH, incorporating embedded command-injection vulnerabilities, and supporting various Distributed Denial of Service (DDoS) attack techniques.

Upon execution on a compromised system, C0XMO implements a four-stage persistence mechanism. This involves setting up persistence, copying itself to multiple locations, configuring auto-start routines, and terminating competing processes. The malware first checks its execution path to ensure persistence. It then creates several hidden file paths, including directories within /tmp, /var/tmp, and /dev/shm. C0XMO copies itself to these hidden locations and sets execute permissions. If a home directory exists, it also copies itself there.

To maintain persistence, C0XMO creates cron jobs that schedule its execution every 15 minutes. Additionally, it appends execution commands to common shell profile files like ~/.profile, ~/.bashrc, and ~/.bash_profile, ensuring the malware restarts if terminated.

A significant feature of C0XMO is its "competitor killing" functionality. After establishing local persistence, the malware scans all active processes on the system. It maintains an internal blacklist of process names, targeting botnet malware, network services, programming tools, and red team utilities. If a process name matches an entry on this blacklist, C0XMO terminates it. The malware also checks the executable paths of terminated processes against a path blacklist and deletes matching files. Furthermore, C0XMO actively attempts to eliminate rival botnets by not only deleting their binaries but also removing their associated persistence mechanisms, such as cron jobs, rc.local entries, and system services.

Following local persistence setup, C0XMO establishes a connection to its command and control (C2) server located at 85[.]215[.]131[.]70. The malware employs a custom handshake protocol, beginning with a specific magic string and a shared secret. The C2 server confirms the handshake with "HANDSHAKE_OK," after which C0XMO identifies itself as a botnet node. The handshake concludes with a final magic value, prompting a welcome message from the server.

The botnet supports five primary commands received from the C2 server: ping, stop, scan, stopscan, and attack-related commands. The ping command functions as a heartbeat mechanism, with the infected host responding with "PONG" if active.

C0XMO is equipped to launch 19 different types of DDoS attacks, encompassing UDP and TCP floods, SYN floods, amplification attacks (NTP, Memcached), ICMP floods, Ping of Death, and various HTTP-based attacks designed to exhaust resources or bypass defenses like Cloudflare.

Unlike many botnets, C0XMO isolates its scanning functionality into a separate Python script. This script is downloaded from the same IP address and port used for distributing the main C0XMO binary. The scanner script requires several Python packages, including requests, paramiko, and beautifulsoup4, for network communication and SSH/Telnet interactions. The scanner is executed with arguments specifying random IP scanning, target ports, runtime duration, and the C2 server address. The scanner itself is organized into six categories: Worker, Blacklist, Telnet, SSH, HTTP Exploit, and ADB Exploit.

iotmalwarebotnetvulnerability
ShareXLinkedInWhatsAppFacebook
← Back to latest

More News

view all →
zeroday.news · 1h ago·high

Accenture Confirms Security Incident After Hacker Claims 35GB Source-Code Theft

Accenture has acknowledged a security incident after a threat actor advertised what they claim is stolen internal data. The attacker, using the alias "888", says they took more than 35GB of source code and cloud credentials from the consulting giant and are offering it for sale. Accenture says it has addressed the source of the issue and that its operations were not disrupted.

zeroday.news · 4h ago·high

China-Linked APT Expands Arsenal With New ‘Leash’ Backdoors

A China-linked advanced persistent threat (APT) group, identified as LapDogs, has reportedly enhanced its malicious toolkit. Security researchers have observed the deployment of three new backdoors: LongLeash, DogLeash, and JarLeash, which are designed to compromise small office/home office (SOHO) routers.

zeroday.news · 5h ago·high

RedWing Android Spyware Sold as a Service on Telegram

A new Android spyware called RedWing is being offered as a service on Telegram, allowing less sophisticated attackers to compromise phones and steal banking information. Researchers have identified it as a polished malware-as-a-service operation with extensive documentation and a subscription model, potentially linked to Russian threat actors. RedWing employs fake login overlays, SMS interception, call forwarding, and even screen control to harvest credentials and conduct further malicious activities.

zeroday.news · 5h ago·high

Operationalizing Day Minus Seven: The Cloud-Native ROC

The article introduces the concept of a Risk Operations Center (ROC) as a necessary evolution for cybersecurity teams facing AI-driven threats. It argues that traditional risk management models are insufficient due to the speed at which AI can discover and exploit vulnerabilities, especially in cloud environments. A ROC, powered by platforms like Qualys Enterprise TruRisk Management (ETM), aims to unify disparate security findings, hyper-prioritize risks based on exploitability and business impact, and enable autonomous remediation to keep pace with attackers.

zeroday.news · 6h ago·critical

Ubiquiti Patches Critical UniFi Flaws Across Connect, Talk, Access, Protect, and OS

Ubiquiti has released security updates to address several critical vulnerabilities affecting its UniFi product line, including UniFi Connect, Talk, Access, Protect, and OS. These flaws could allow attackers to escalate privileges or execute arbitrary commands on affected devices. While no active exploitation has been reported for these specific vulnerabilities, the company has previously seen its UniFi OS and Edge OS products targeted by threat actors.

zeroday.news · 6h ago·high

Armored Likho Hits Government, Energy Sectors With BusySnake Stealer

Cybersecurity researchers have identified a new threat actor, dubbed Armored Likho, targeting government and energy sectors in Russia, Kazakhstan, and Brazil with a sophisticated phishing campaign. The operation utilizes a custom-built Python infostealer named BusySnake, designed to steal credentials, sensitive documents, and other high-value data. The attackers employ AI-generated payloads to obscure their activities and maintain persistence through various methods, including reverse SSH tunneling.