A new variant of the Gafgyt botnet, dubbed C0XMO, is targeting Linux-based devices by exploiting a known vulnerability in DD-WRT router firmware. The malware abuses a stack buffer overflow in the routers' UPnP service; because the flaw is reachable before any authentication, an attacker can take control of a device without credentials. Each compromised router is then enrolled in the botnet, which is growing quickly.
Modular Design and Broader Reach
C0XMO distinguishes itself through its modular architecture, which lets it target several CPU architectures in one campaign: the operators deliver a payload built for each architecture rather than a single binary, significantly broadening its reach compared with earlier IoT threats. The malware also ships Python scripts for network scanning and lateral movement, so it can discover and attack further targets inside a network without operator involvement.
Researchers at Fortinet's FortiGuard Labs were the first to identify and analyze this variant. Their findings, shared with Cyber Security News, indicate that C0XMO has been actively exploiting CVE-2021-27137 since March. The vulnerability is a stack-based buffer overflow in the DD-WRT UPnP service, triggered by an oversized ST:uuid value in a crafted SSDP M-SEARCH request sent over UDP port 1900.
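To make the trigger condition concrete, here is a small detector, added as an illustration and not code from FortiGuard or the DD-WRT project, that parses SSDP datagrams and flags M-SEARCH requests whose ST header is oversized or carries a uuid: value that is not a real UUID. The sample packets are constructed, and MAX_ST_LEN is an assumed alert threshold; the page does not state the size of the vulnerable buffer, so the real limit may be smaller.

```python
"""Flag SSDP M-SEARCH requests whose ST header looks like a CVE-2021-27137 probe.

Added illustration, not FortiGuard's or DD-WRT's code. Assumptions:
- legitimate ST values are short: "ssdp:all", "upnp:rootdevice",
  "uuid:" + a 36-character UUID, or a urn:... search target;
- MAX_ST_LEN is an alert threshold chosen here, not the size of the
  vulnerable buffer, which this page does not state.
"""
import re

MAX_ST_LEN = 128  # assumption: alert threshold, not the real buffer size
UUID_RE = re.compile(r"^uuid:[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$")


def parse_ssdp(payload: bytes) -> tuple[str, dict[str, str]]:
    """Split an SSDP datagram into (request line, headers); header names are lower-cased."""
    text = payload.decode("latin-1")  # SSDP is ASCII; latin-1 never raises on stray bytes
    lines = text.split("\r\n")
    request_line = lines[0]
    headers: dict[str, str] = {}
    for line in lines[1:]:
        if not line:
            break  # the blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return request_line, headers


def classify(payload: bytes) -> str:
    """Return 'ignore' (not M-SEARCH), 'benign', 'oversized-st' or 'malformed-uuid'."""
    request_line, headers = parse_ssdp(payload)
    if not request_line.upper().startswith("M-SEARCH"):
        return "ignore"
    st = headers.get("st", "")
    if len(st) > MAX_ST_LEN:
        return "oversized-st"
    if st.lower().startswith("uuid:") and not UUID_RE.match(st):
        return "malformed-uuid"
    return "benign"


def build_msearch(st: str) -> bytes:
    """Build a well-formed M-SEARCH datagram with the given ST value (used for constructed samples)."""
    return (
        "M-SEARCH * HTTP/1.1\r\n"
        "HOST: 239.255.255.250:1900\r\n"
        'MAN: "ssdp:discover"\r\n'
        "MX: 2\r\n"
        f"ST: {st}\r\n\r\n"
    ).encode("latin-1")


# Constructed samples: two legitimate search targets and two shaped like the
# oversized ST:uuid described in the report (the real exploit bytes are not on this page).
SAMPLES = {
    "all": build_msearch("ssdp:all"),
    "uuid-ok": build_msearch("uuid:12345678-1234-1234-1234-123456789abc"),
    "uuid-long": build_msearch("uuid:" + "A" * 600),
    "uuid-junk": build_msearch("uuid:not-a-uuid"),
}


def scan(samples: dict[str, bytes]) -> dict[str, str]:
    """Classify every sample datagram; returns {sample name: verdict}."""
    return {name: classify(pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, verdict in scan(SAMPLES).items():
        print(f"{name:10s} {verdict}")
```

Feeding the UDP/1900 payloads from a capture or a sensor through classify() gives a cheap first-pass signal; the same check works for unicast M-SEARCHes aimed at a router's WAN address, which is where this probe would arrive from outside.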
Impact and Cross-Platform Threats
The scope of C0XMO's impact is still being assessed, but the threat is notable given how widely DD-WRT firmware is used in home and small-business networks worldwide. Beyond routers, the malware also looks for exposed Android Debug Bridge (ADB) services, which listen on TCP port 5555 when enabled over the network, indicating a cross-platform approach by the IoT botnet operators.
Once a device is enlisted, C0XMO can launch distributed denial-of-service attacks. It also exploits vulnerabilities in D-Link devices, the GLPI project software, and Avtech DVR cameras, considerably widening the set of devices it can recruit. Security teams responsible for mixed device estates should treat this as an ongoing threat.
Defensive Measures and Recommendations
C0XMO relies on known vulnerabilities that frequently remain unpatched: CVE-2021-27137 in DD-WRT, CVE-2015-2051 in D-Link devices, CVE-2022-35914 in GLPI, and several Avtech DVR camera flaws. To reduce risk, update router and device firmware promptly and disable UPnP where it is not needed. SSDP (UDP port 1900) should never be reachable from the WAN; blocking external access to that port removes the DD-WRT attack vector even on routers that cannot yet be patched.
Monitoring network traffic for unusual activity, such as unexpected bursts of UDP traffic or repeated login attempts against device management interfaces, helps catch infections early. Older, unmanaged IoT devices deserve particular attention: they are rarely patched and are the first targets of campaigns like this one.
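One way to turn the "unexpected UDP spike" advice into a check, as an added example that is not part of the original report: a sliding-window counter over flow records that alerts when a single source sends more than a threshold number of UDP/1900 datagrams in one minute, which is what a UPnP sweep of a subnet looks like. The log format, thresholds and addresses are all assumptions; the records are constructed, not real telemetry.

```python
"""Alert on sources sending a burst of UDP/1900 datagrams in a short window.

Added illustration, not from the original report. The record format
'ISO-time src dst proto dport' is invented for this example; adapt
parse_flow() to your own flow or firewall export. Thresholds are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW_SECONDS = 60  # assumption: sliding window length
THRESHOLD = 20       # assumption: UDP/1900 datagrams per source per window before alerting


def make_flow_log() -> list[str]:
    """Constructed flow records: a normal host, a UPnP sweep, and unrelated traffic."""
    t0 = datetime(2024, 3, 1, 12, 0, 0)
    lines = []
    # Ordinary host doing SSDP discovery: three multicast M-SEARCHes in a minute.
    for i in range(3):
        ts = t0 + timedelta(seconds=20 * i)
        lines.append(f"{ts.isoformat()} 10.0.0.5 239.255.255.250 udp 1900")
    # Scanner sweeping a /24 for UPnP services: 40 unicast probes in 30 seconds.
    for i in range(40):
        ts = t0 + timedelta(seconds=0.75 * i)
        lines.append(f"{ts.isoformat()} 203.0.113.9 192.168.1.{i + 1} udp 1900")
    # Unrelated traffic from the same scanner that must not be counted.
    lines.append(f"{t0.isoformat()} 203.0.113.9 192.168.1.50 tcp 443")
    lines.sort(key=lambda line: parse_flow(line)[0])  # detector needs time order
    return lines


def parse_flow(line: str) -> tuple[datetime, str, str, str, int]:
    """Parse one constructed record into (timestamp, src, dst, proto, dport)."""
    ts, src, dst, proto, dport = line.split()
    return datetime.fromisoformat(ts), src, dst, proto.lower(), int(dport)


def detect_spikes(lines, window: int = WINDOW_SECONDS, threshold: int = THRESHOLD) -> dict[str, int]:
    """Return {src: peak count} for sources that exceed `threshold` UDP/1900 datagrams
    inside any `window`-second sliding interval. Input must be time-ordered."""
    recent: dict[str, deque] = defaultdict(deque)  # src -> timestamps inside the current window
    peaks: dict[str, int] = {}
    for line in lines:
        ts, src, _dst, proto, dport = parse_flow(line)
        if proto != "udp" or dport != 1900:
            continue
        q = recent[src]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:
            q.popleft()  # drop datagrams that fell out of the window
        if len(q) > threshold:
            peaks[src] = max(peaks.get(src, 0), len(q))
    return peaks


if __name__ == "__main__":
    for src, peak in detect_spikes(make_flow_log()).items():
        print(f"ALERT {src}: {peak} UDP/1900 datagrams within {WINDOW_SECONDS}s")
```

The threshold should be tuned against a baseline of the network's own SSDP chatter; a media server or smart TV legitimately sends a handful of M-SEARCHes a minute, which is why the benign host in the sample stays below it.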
The published indicators of compromise (IoCs) consist of the exploited CVEs and the IP addresses associated with the C0XMO botnet. Such lists are normally distributed defanged (for example with "[.]" in place of "." in addresses) so that they are not resolved or connected to by accident; refang them only inside a controlled environment when loading them into blocking or hunting tools.
