Inside the Cross-Platform Propagation of a New Gafgyt Variant C0XMO

FortiGuard Labs has identified a new variant of the Gafgyt botnet, dubbed C0XMO, which exhibits cross-platform propagation capabilities by exploiting a vulnerability in DD-WRT router firmware. The malware, discovered in March, utilizes CVE-2021-27137 to gain initial access. A notable characteristic of C0XMO is its separation of lateral movement functions into a distinct Python script, allowing for more efficient targeting of diverse system architectures and device types.
The exploitation of CVE-2021-27137, a stack buffer overflow flaw within the UPnP service of vulnerable DD-WRT firmware, is the primary infection vector. Attackers send specially crafted M-SEARCH requests via UDP port 1900, which the SSDP parser in the affected firmware mishandles when encountering oversized ST:uuid: values. While an attack was observed targeting a Japanese technology firm, the originating IP address was traced to Germany. Once compromised, the affected host downloads the malware to a temporary directory.
Analysis of C0XMO revealed multiple compiled samples for various Linux architectures, including ARM, MC68000, MIPS R3000, PowerPC, SuperH, Intel 80836, and AMD64. This broad compilation strategy enhances the botnet's reach across a wide range of devices.
C0XMO shares common traits with other Gafgyt variants, such as employing weak-credential brute-force attacks against Telnet and SSH, incorporating embedded command-injection vulnerabilities, and supporting various Distributed Denial of Service (DDoS) attack techniques.
Upon execution on a compromised system, C0XMO implements a four-stage persistence mechanism. This involves setting up persistence, copying itself to multiple locations, configuring auto-start routines, and terminating competing processes. The malware first checks its execution path to ensure persistence. It then creates several hidden file paths, including directories within /tmp, /var/tmp, and /dev/shm. C0XMO copies itself to these hidden locations and sets execute permissions. If a home directory exists, it also copies itself there.
To maintain persistence, C0XMO creates cron jobs that schedule its execution every 15 minutes. Additionally, it appends execution commands to common shell profile files like ~/.profile, ~/.bashrc, and ~/.bash_profile, ensuring the malware restarts if terminated.
A significant feature of C0XMO is its "competitor killing" functionality. After establishing local persistence, the malware scans all active processes on the system. It maintains an internal blacklist of process names, targeting botnet malware, network services, programming tools, and red team utilities. If a process name matches an entry on this blacklist, C0XMO terminates it. The malware also checks the executable paths of terminated processes against a path blacklist and deletes matching files. Furthermore, C0XMO actively attempts to eliminate rival botnets by not only deleting their binaries but also removing their associated persistence mechanisms, such as cron jobs, rc.local entries, and system services.
Following local persistence setup, C0XMO establishes a connection to its command and control (C2) server located at 85[.]215[.]131[.]70. The malware employs a custom handshake protocol, beginning with a specific magic string and a shared secret. The C2 server confirms the handshake with "HANDSHAKE_OK," after which C0XMO identifies itself as a botnet node. The handshake concludes with a final magic value, prompting a welcome message from the server.
The botnet supports five primary commands received from the C2 server: ping, stop, scan, stopscan, and attack-related commands. The ping command functions as a heartbeat mechanism, with the infected host responding with "PONG" if active.
C0XMO is equipped to launch 19 different types of DDoS attacks, encompassing UDP and TCP floods, SYN floods, amplification attacks (NTP, Memcached), ICMP floods, Ping of Death, and various HTTP-based attacks designed to exhaust resources or bypass defenses like Cloudflare.
Unlike many botnets, C0XMO isolates its scanning functionality into a separate Python script. This script is downloaded from the same IP address and port used for distributing the main C0XMO binary. The scanner script requires several Python packages, including requests, paramiko, and beautifulsoup4, for network communication and SSH/Telnet interactions. The scanner is executed with arguments specifying random IP scanning, target ports, runtime duration, and the C2 server address. The scanner itself is organized into six categories: Worker, Blacklist, Telnet, SSH, HTTP Exploit, and ADB Exploit.





