New “Goldoon” Botnet Targeting D-Link Devices | FortiGuard Labs

MITRE Techniques

• [T1190] Exploit Public-Facing Application – Remote vulnerability CVE-2015-2051 is used to execute arbitrary commands via a GetDeviceSettings action on the HNAP interface. Quote: “…This vulnerability allows remote attackers to execute arbitrary commands via a GetDeviceSettings action on the HNAP interface.”
• [T1105] Ingress Tool Transfer – The attackers download a file “dropper” from “hxxp://94[.]228[.]168[.]60:8080.” Quote: “The attackers initially exploit CVE-2015-2051 to download a file “dropper” from “hxxp://94[.]228[.]168[.]60:8080.””
• [T1027] Obfuscated/Compressed Files and Information – The XOR key “YesItsAnAntiHoneypotBaby” decrypts strings like “linux” and “i686-linux-gnu.” Quote: “The XOR key, ‘YesItsAnAntiHoneypotBaby,’ to decrypt the specific strings ‘linux’ and ‘i686-linux-gnu.’”
• [T1059.004] Unix Shell – The malware executes commands through “/bin/bash -c” on the victim host. Quote: “executes commands through “/bin/bash -c” on the victim host.”
• [T1071.001] Web Protocols – The final payload is fetched via HTTP with a crafted header carrying commands. Quote: “It uses a fixed header, “User-Agent: FBI-Agent (Checking You),” to get the ultimate payload.”
• [T1543.003] Create or Modify System Process: Linux Service – The malware creates a daemon named “goldoon.server” to persist. Quote: “Otherwise, it can be created as a daemon named “goldoon.server” and later enable itself to persist in the victim’s computer.”
• [T1499] Endpoint Denial of Service – DoS attacks are triggered via commands from the C2, including Minecraft DoS and other DoS payloads. Quote: “the other triggers different DoS attacks.”