Affected Platforms: D-Link DIR-645 Wired/Wireless Router Rev. Ax with firmware 1.04b12 and earlier
Impacted Users: Any organization
Impact: Remote attackers gain control of the vulnerable systems
Severity Level: High
In April, FortiGuard Labs observed a new botnet targeting a D-Link vulnerability from nearly a decade ago, CVE-2015-2051. This vulnerability allows remote attackers to execute arbitrary commands via a GetDeviceSettings action on the HNAP interface. As a result, an attacker can create a crafted HTTP request with a malicious command embedded in the header.
Our IPS signature captured attempts to exploit the CVE-2015-2051 vulnerability to propagate a new botnet that we have named “Goldoon.” Figure 1 shows the attack packet. If a targeted device is compromised, attackers can gain complete control, enabling them to extract system information, establish communication with a C2 server, and then use these devices to launch further attacks, such as distributed denial-of-service (DDoS). Our telemetry data also indicates that this botnet activity spiked in April, almost doubling the usual frequency.
In this article, we will provide detailed insights into the propagation and actions of the Goldoon botnet.
Figure 1: CVE-2015-2051 payload
Figure 2: IPS signature telemetry
The attackers initially exploit CVE-2015-2051 to download a file “dropper” from “hxxp://94[.]228[.]168[.]60:8080.” The script is programmed to automatically download, execute, and clean up potentially malicious files across various Linux system architectures, including aarch64, arm, i686, m68k, mips64, mipsel, powerpc, s390x, sparc64, x86-64, sh4, riscv64, DEC Alpha, and PA-RISC. Each downloaded file, named “goldoon,” is executed immediately after its download and permission adjustment. After execution, the script removes the executed file and then deletes itself to erase any trace of its activity, thereby enhancing its stealth.
Figure 3: Script file "dropper"
The primary role of the “i686-linux-gnu” binary downloaded by the dropper is to fetch the botnet payload. It first employs the XOR key, “YesItsAnAntiHoneypotBaby,” to decrypt the specific strings “linux” and “i686-linux-gnu.” After decoding, it appends them to “/bins” to construct the full Uniform Resource Identifier (URI). It then uses a fixed header, “User-Agent: FBI-Agent (Checking You),” to retrieve the final payload.
Figure 4: XOR function and key for decoding URI
Figure 5: Hard-coded header
Figure 6: Packet capture for downloading Goldoon
Any attempt to open the targeted URI using a web browser will lead to the error message shown in Figure 7.
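The string decoding and hard-coded header described above, as an added example written for this article (not Fortinet's or the malware's own code): the key, the two plaintexts and the User-Agent are taken from the report; the encoded bytes and the proxy log lines are constructed here, and the key is assumed to repeat over the buffer.

```python
# Added example for this article (not Fortinet's or the malware's own code):
# recover the strings Goldoon hides behind its XOR key and flag its hard-coded
# User-Agent in proxy logs. Key, plaintexts and User-Agent are from the report;
# the encoded bytes and log lines below are constructed, and the key is assumed
# to repeat over the buffer.

XOR_KEY = b"YesItsAnAntiHoneypotBaby"
USER_AGENT = "FBI-Agent (Checking You)"


def xor_with_key(data: bytes, key: bytes = XOR_KEY) -> bytes:
    """Repeating-key XOR; applying it twice returns the original bytes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


# Constructed: the two strings as they would sit in the binary after XOR.
ENCODED_STRINGS = [xor_with_key(b"linux"), xor_with_key(b"i686-linux-gnu")]


def recover_strings(blobs=ENCODED_STRINGS):
    """Decode each XOR-protected blob back to text, as an analyst would."""
    return [xor_with_key(blob).decode("ascii") for blob in blobs]


# Constructed proxy log lines: client, method, path, User-Agent.
SAMPLE_LOG = [
    '10.0.0.5 GET /index.html "Mozilla/5.0"',
    '10.0.0.9 GET /bins/i686-linux-gnu "FBI-Agent (Checking You)"',
    '10.0.0.7 GET /update.bin "curl/8.0"',
]


def flag_goldoon_downloads(lines, user_agent=USER_AGENT):
    """Return log lines carrying the hard-coded Goldoon download header."""
    return [line for line in lines if user_agent in line]


if __name__ == "__main__":
    print("decoded:", recover_strings())
    for line in flag_goldoon_downloads(SAMPLE_LOG):
        print("GOLDOON DOWNLOAD:", line)
```

Because the decoded strings only become useful after the XOR pass, the User-Agent is the simplest static artifact to alert on in web-proxy or IPS logs.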
Finally, it iterates through a set of paths, modifying each file it can write to and then deleting those files after modification. This is another cleanup mechanism to cover its tracks in a compromised system.
Through analyzing the malware, we found that it has the following behaviors:
Goldoon first initializes the arguments it needs to establish a connection. For example, it uses “WolfSSL” for traffic encryption and sets the Google DNS servers (“8.8.8.8” and “8.8.4.4”) as its DNS resolver. This lets the malware proceed with its attack.
Figure 9: Initialize DNS Server
There are ten different autorun methods, each aiming to execute the malware when the victim’s device starts up. We can classify them into the following types: Boot Execution, Daemon, and Logon Execution.
The malware can execute itself through Linux boot initialization files or applications, such as “/etc/rc.local,” “crontab,” etc.
Figure 10: Boot Execution with Crontab
Alternatively, it can register itself as a daemon named “goldoon.server” and enable that service so that it persists on the victim’s device.
Figure 11: Daemon by the Name of "goldoon.server"
In addition, the malware can also execute automatically as soon as the victim logs on to the compromised device.
Autorun Type | Autorun Method
Boot Execution | /etc/rc.local, /etc/init.d/startup_script, /etc/init.d/S99startup, crontab, /etc/profile
Daemon | /etc/systemd/system/goldoon.service, /etc/inittab
Logon Execution | ~/.bashrc, ~/.config/autostart/goldoon.desktop, /etc/xdg/autostart/goldoon.desktop
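A host-side check for the persistence locations in the table, as an added example written for this article (not Fortinet's or the malware's own code): the file paths come from the table; the crontab spool directories and the “goldoon” marker string are assumptions, and the fixture root is constructed so the check runs offline.

```python
# Added example for this article (not Fortinet's or the malware's own code):
# audit a Linux root (live "/" or a mounted image) for the persistence
# locations in the autorun table. Paths come from the table; the crontab
# spool directories and the "goldoon" marker are assumptions; fixture is constructed.
import glob
import os
import tempfile

SYSTEM_PATHS = [
    "etc/rc.local", "etc/init.d/startup_script", "etc/init.d/S99startup",
    "etc/profile", "etc/systemd/system/goldoon.service", "etc/inittab",
    "etc/xdg/autostart/goldoon.desktop",
]
USER_PATHS = [".bashrc", ".config/autostart/goldoon.desktop"]  # per home dir
CRON_DIRS = ["var/spool/cron/crontabs", "var/spool/cron"]      # assumed spools
MARKER = b"goldoon"


def _mentions_marker(path):
    try:
        with open(path, "rb") as fh:
            return MARKER in fh.read().lower()
    except OSError:
        return False


def find_goldoon_persistence(root="/"):
    """Return sorted paths under root whose content references the marker."""
    candidates = [os.path.join(root, p) for p in SYSTEM_PATHS]
    homes = [os.path.join(root, "root")] + glob.glob(os.path.join(root, "home", "*"))
    candidates += [os.path.join(h, p) for h in homes for p in USER_PATHS]
    for spool in CRON_DIRS:
        candidates += glob.glob(os.path.join(root, spool, "*"))
    return sorted(p for p in candidates if os.path.isfile(p) and _mentions_marker(p))


def make_fixture():
    """Constructed fake root: clean rc.local, tampered unit file and .bashrc."""
    root = tempfile.mkdtemp()
    for rel, text in [("etc/rc.local", "exit 0\n"),
                      ("etc/systemd/system/goldoon.service", "ExecStart=/tmp/goldoon\n"),
                      ("home/user/.bashrc", "/tmp/goldoon &\n")]:
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(text)
    return root


if __name__ == "__main__":
    print(find_goldoon_persistence(make_fixture()))
```

Run it against a mounted firmware or disk image by passing that mount point as root; a clean device returns an empty list.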
The Goldoon malware continuously tries to connect to its C2 server until a connection is established. It also collects information about the compromised system, such as the user name.
Figure 12: C2 Connecting Stage
Figure 13: Get Victim System Information
Once completed, the Goldoon malware receives packets from the C2 server. These contain commands for follow-up actions.
Figure 14: Reading and Handling Packet
The packet handler has seven cases, each triggered by the C2 server. Two of them have obviously malicious purposes: one executes commands through “/bin/bash -c” on the victim host, and the other launches different DoS attacks.
Figure 15: Command Execution
According to our analysis, this malware contains an astounding 27 different methods related to various attacks.
Protocol | Attack Method
ICMP | ICMP Flooding
TCP | TCP Flooding, XMAS Attack, etc.
UDP | UDP Flooding
DNS | DNS Flooding
HTTP | HTTP Bypass, HTTP Flooding, etc.
Other | Minecraft DDoS Attack
Table 2: Attack Methods
Take a TCP SYN flooding attack as an example. The malware first gathers information about the target, such as its IP and port, and even checks whether the target IP is IPv6.
Figure 16: TCP SYN Flooding Attack Arguments
Goldoon can launch DoS attacks over common protocols and also against the game Minecraft. The malware uses various packet types to launch a DoS attack, especially for attacks over TCP, which alone includes more than ten types of packets.
Figure 17: Commands for Attack Methods
Because some of these methods are empty, such as “http_exploit,” “http_xflow,” “http_pps,” and “http_cps,” we deduce that the malware is still under active development.
While CVE-2015-2051 is not a new vulnerability and presents a low attack complexity, it has a critical security impact that can lead to remote code execution. Once attackers successfully exploit this vulnerability, they can incorporate compromised devices into their botnet to launch further attacks. FortiGuard Labs has identified one such new botnet, “Goldoon,” that is exploiting this vulnerability, reminding us that botnets continue to evolve and exploit as many devices as possible. We strongly recommend applying patches and updates whenever possible because of the ongoing development and introduction of new botnets.
The malware described in this report is detected and blocked by FortiGuard Antivirus as:
BAT/Agent.G!tr.dldr
ELF/Agent.JL!tr.dldr
ELF/Agent.GLN!tr
POWERSHELL/Agent.G!tr.dldr
W64/Agent.GLN!tr
FortiGate, FortiMail, FortiClient, and FortiEDR support the FortiGuard AntiVirus service. The FortiGuard AntiVirus engine is part of each of these solutions. As a result, customers who have these products with up-to-date protections are protected.
The FortiGuard Web Filtering Service blocks the C2 server.
FortiGuard Labs provides IPS signatures against attacks exploiting the following vulnerability:
CVE-2015-2051: D-Link.Devices.HNAP.SOAPAction-Header.Command.Execution
We also suggest that organizations go through Fortinet’s free cybersecurity training module: Fortinet Certified Fundamentals. This module is designed to help end users learn how to identify and protect themselves from phishing attacks.
The FortiGuard IP Reputation and Anti-Botnet Security Service proactively blocks these attacks by aggregating malicious source IP data from the Fortinet distributed network of threat sensors, CERTs, MITRE, cooperative competitors, and other global sources that collaborate to provide up-to-date threat intelligence about hostile sources.
If you believe this or any other cybersecurity threat has impacted your organization, please contact our Global FortiGuard Incident Response Team.