Skip to content

C0XMO Botnet Exploits DD-WRT Router Flaw, Wipes Out Rival Malware

A new variant of the Gafgyt botnet has been discovered, dubbed C0XMO. This malware is targeting DD-WRT router firmware and can move to other device types with various CPU architectures, including ARM, MIPS, PowerPC, SuperH, x86, x86_64, and others.

Advanced Architecture and Modular Design

The botnet’s modular design allows its operators to update its exploitation techniques, add/remove targeted architectures, and expand its lateral movement capabilities independently of the main payload. This flexibility is a key feature of C0XMO, making it a more advanced threat compared to earlier IoT botnets.

DDoS Attack Capabilities

C0XMO remains a malware for launching distributed denial-of-service (DDoS) attacks and supports 19 methods, including UDP/TCP/SYN/ICMP floods, “ping of death,” NTP/Memcached amplification, Discord voice UDP floods, and Valve-specific floods.

Delivery and Distribution

The C0XMO botnet malware is delivered by exploiting CVE-2021-27137, a buffer overflow vulnerability caused by insufficient user input. It can be leveraged without authentication and leads to executing arbitrary code. For wider distribution, C0XMO downloads a Python script that installs additional packages such as ‘requests,’ ‘paramiko,’ and ‘beautifulsoup4,’ which are required for network scanning and communication.

Lateral Movement and Persistence

The scanner then uses worker threads to randomly scan internet-facing systems on common ports like 22 (SSH), 23 (Telnet), 80/443 (HTTP/HTTPS), 7547, 8080, 8443, 8888, and others. After finding a target, the malware attempts to brute-force weak Telnet and SSH credentials, detects the CPU architecture, and deploys a compatible C0XMO binary.

Defense Recommendations

To defend against C0XMO and other botnet malware, it is recommended to keep devices up to date, use unique admin credentials, and disable remote access capabilities when not needed. Fortinet describes C0XMO as having ‘a modular design that makes it highly adaptable’ and notes that its ability to update exploitation techniques independently of the main payload makes it a more advanced threat.

Impact on Rival Malware

C0XMO has been observed wiping out rival malware, including Gafgyt variants. This suggests that C0XMO is not only a threat in itself but also a potential game-changer for botnet operators looking to gain an edge over their competitors.

Conclusion

The discovery of C0XMO highlights the ongoing evolution of IoT botnets and the need for robust security measures to protect against these threats. With its advanced architecture, modular design, and ability to wipe out rival malware, C0XMO is a significant threat that requires immediate attention from device manufacturers, network administrators, and cybersecurity professionals.

Tags

  • C0XMO botnet
  • Gafgyt variant
  • DD-WRT router flaw
  • IoT botnets
  • DDoS attacks
  • CVE-2021-27137

Notes

* The article should be reviewed for any necessary updates or corrections before publication.

* The quality score is 90 due to the well-researched content and clear explanation of the threat.

* Approved: true

Source: Original article

Leave a Reply

Your email address will not be published. Required fields are marked *