C0XMO Botnet: A Sophisticated Threat Targeting DD-WRT Routers
A recent discovery by Fortinet researchers has revealed a new variant of the Gafgyt botnet known as C0XMO. This malicious botnet is specifically targeting devices running DD-WRT router firmware and has the ability to infect a wide range of devices with different CPU architectures.
The researchers identified samples of C0XMO designed for ARM, MIPS, PowerPC, SuperH, x86, x86_64, and other architectures. These samples include exploits for DVRs, routers, video management platforms, and Android-based devices, highlighting the botnet’s versatility and potential for widespread impact.
The attacks initially targeted a Japanese technology company, but further investigation revealed that their source IP address belonged to a device located in Germany, underscoring the global reach and anonymity of the C0XMO botnet.
The modular design of C0XMO sets it apart from other botnets, allowing operators to easily update its exploitation techniques, add or remove targeted architectures, and enhance its lateral movement capabilities independently of the main payload.
Primarily designed for launching distributed denial-of-service (DDoS) attacks, C0XMO supports a wide range of attack methods, including UDP, TCP, SYN, ICMP floods, “ping of death,” NTP/Memcached amplification, Discord voice UDP floods, and Valve-specific floods.
The delivery mechanism of the C0XMO malware exploits CVE-2021-27137, a buffer overflow vulnerability that can be triggered without authentication, leading to the execution of arbitrary code on vulnerable devices.
Gafgyt Scanner: Enhancing Distribution and Capabilities
To facilitate wider distribution, C0XMO downloads a Python script that installs additional packages necessary for network scanning and communication, such as ‘requests,’ ‘paramiko,’ and ‘beautifulsoup4.’ These packages enable the botnet to conduct activities over SSH and telnet protocols.
The scanner component of C0XMO utilizes worker threads to scan internet-facing systems on common ports like SSH, Telnet, HTTP, HTTPS, and others. Upon identifying a potential target, the malware attempts to brute-force weak credentials, determine the CPU architecture, and deploy a compatible C0XMO binary.
The Python script contains a comprehensive set of functions for scanning, exploiting vulnerabilities, detecting CPU architecture, logging into SSH/telnet, and checking IP addresses. Its primary objective is to move laterally within the network and infect additional devices.
Upon gaining access to a device, C0XMO hides itself in locations such as ‘/tmp/.sys,’ ‘/var/tmp/.sys,’ and ‘/dev/shm/.sys,’ creating cron jobs for periodic relaunches. Additionally, it modifies shell startup files to ensure automatic execution.
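As an added example (not code from the Fortinet report or the malware itself), the following Python checker looks for the persistence artefacts the article names on a filesystem mounted under a given root: the three hidden directories, plus cron entries and shell startup lines that reference them. The cron and startup file locations, the reference pattern and the sample tree it builds are assumptions constructed for the demonstration.

```python
import os
import re
import tempfile

# Hiding places named in the report (paths relative to the filesystem root).
HIDE_DIRS = ("tmp/.sys", "var/tmp/.sys", "dev/shm/.sys")
# Cron tables and shell startup files to inspect (assumed locations, not from the report).
CRON_FILES = ("etc/crontab", "etc/crontabs/root", "var/spool/cron/crontabs/root")
STARTUP_FILES = ("etc/profile", "root/.profile", "root/.bashrc")
# Any reference to one of the hiding places inside a cron or startup file.
REF_PATTERN = re.compile(r"/(?:var/)?tmp/\.sys|/dev/shm/\.sys")


def scan_persistence(root):
    """Return (kind, path, detail) findings for a filesystem mounted under `root`."""
    findings = []
    for rel in HIDE_DIRS:
        full = os.path.join(root, rel)
        if os.path.isdir(full):
            findings.append(("hidden_dir", "/" + rel, ",".join(sorted(os.listdir(full)))))
    for rel in CRON_FILES + STARTUP_FILES:
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            continue
        kind = "cron" if rel in CRON_FILES else "startup"
        with open(full, errors="replace") as fh:
            for lineno, line in enumerate(fh, 1):
                if REF_PATTERN.search(line):
                    findings.append((kind, "/" + rel, f"line {lineno}: {line.strip()}"))
    return findings


def build_fixture():
    """Constructed sample tree (not a real infection) planting one artefact of each kind."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "tmp/.sys"))
    open(os.path.join(root, "tmp/.sys/payload.arm"), "w").close()  # constructed filename
    os.makedirs(os.path.join(root, "etc"))
    with open(os.path.join(root, "etc/crontab"), "w") as fh:
        fh.write("0 3 * * * root /usr/sbin/logrotate\n")
        fh.write("*/5 * * * * root /tmp/.sys/payload.arm\n")  # periodic relaunch job
    os.makedirs(os.path.join(root, "root"))
    with open(os.path.join(root, "root/.profile"), "w") as fh:
        fh.write("export PATH=$PATH:/usr/local/bin\n")
        fh.write("/dev/shm/.sys/payload.arm >/dev/null 2>&1 &\n")  # startup hook
    return root


if __name__ == "__main__":
    for kind, path, detail in scan_persistence(build_fixture()):
        print(f"{kind:10} {path:22} {detail}")
```

Run it against a real device by passing the mount point of its root filesystem to `scan_persistence` instead of the constructed fixture.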
Furthermore, C0XMO actively scans running processes to identify competitor botnet clients, red-team tools, programming tools, and network services that may interfere with its operations, terminating them by removing binaries and persistence mechanisms.
[Image: list of processes the malware checks for. Source: Fortinet]
Once established on a device, C0XMO connects to a predefined command-and-control (C2) address using a custom multi-stage handshake involving magic strings and shared secrets. It then awaits commands, which include heartbeat checks, scan control, and the initiation of DDoS attacks using the supported methods.
To defend against C0XMO and similar botnet threats, it is crucial to maintain device security by keeping systems up to date, using strong and unique admin credentials, and disabling remote access functionalities when not in use.
Described by Fortinet as possessing a significantly advanced architecture and feature set compared to previous IoT botnets, C0XMO represents a new level of operational sophistication and complexity within the realm of malware.