FortiGuard Labs has identified a new botnet named RondoDox that exploits two critical OS command-injection vulnerabilities, CVE-2024-3721 in TBK DVR devices and CVE-2024-12856 in Four-Faith routers, to gain remote command execution on the devices and enrol them in the botnet. The malware employs evasion, persistence, and traffic-mimicking techniques to launch distributed denial-of-service (DDoS) attacks while evading detection. #RondoDox #CVE20243721 #CVE202412856
Keypoints
- RondoDox targets TBK DVR models DVR-4104 and DVR-4216 through CVE-2024-3721, and Four-Faith router models F3x24 and F3x36 through CVE-2024-12856.
- The malware uses XOR-encoded configuration data and modifies system files and permissions to maintain persistent access on infected devices.
- RondoDox disguises its DDoS attack traffic as legitimate gaming platforms, VPNs, and real-time communication protocols to evade network detection.
- Upon execution, RondoDox terminates processes related to system and network analysis tools to prevent detection and analysis.
- The malware renames critical Linux executables such as iptables, passwd, and shutdown to disrupt system functionality and complicate recovery efforts.
- RondoDox XOR-decodes its C2 server address, 83.150.218.93, from its configuration and connects to it to receive commands for launching DDoS attacks over HTTP, UDP, and TCP.
- Fortinet products detect and block RondoDox using specific antivirus signatures, IPS signatures, and web filtering services.
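The XOR-encoded configuration and the XOR-decoded C2 address mentioned in the keypoints are the first thing an analyst recovers from a sample. The script below is an added example for this write-up, not FortiGuard's analysis code and not derived from the sample: it brute-forces a single-byte XOR key over a configuration blob and keeps only the keys whose output contains a syntactically valid IPv4 address. The key 0x5A, the blob layout and the surrounding `c2=`/`port=` fields are constructed for the example; the page does not state the real sample's key length or configuration layout, so a multi-byte key would need a different search (for instance a known-plaintext attack against the dotted-quad pattern).

```python
"""Recover a single-byte-XOR-encoded C2 address from a configuration blob.

Added example for the RondoDox write-up; not FortiGuard's code and not the
sample's real key or layout.  The key (0x5A) and the blob contents below are
constructed so the example runs offline.
"""
import ipaddress
import re
from typing import Optional

# Loose dotted-quad pattern; ipaddress.IPv4Address does the strict check.
IPV4_RE = re.compile(rb"(?<!\d)(?:\d{1,3}\.){3}\d{1,3}(?!\d)")


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte of data with a single-byte key."""
    return bytes(b ^ key for b in data)


def candidate_ips(data: bytes) -> list[str]:
    """Dotted quads in data that ipaddress accepts as IPv4 addresses."""
    found = []
    for m in IPV4_RE.finditer(data):
        text = m.group().decode("ascii")
        try:
            found.append(str(ipaddress.IPv4Address(text)))
        except ValueError:          # e.g. an octet above 255
            continue
    return found


def brute_force_xor(blob: bytes) -> list[tuple[int, str]]:
    """Try all 255 non-zero single-byte keys and return (key, ip) for every key
    whose output contains a valid IPv4 address.  Key 0 is the identity and is
    skipped; if the blob is already plaintext, candidate_ips(blob) shows that."""
    hits = []
    for key in range(1, 256):
        for ip in candidate_ips(xor_bytes(blob, key)):
            hits.append((key, ip))
    return hits


def printable_strings(data: bytes, min_len: int = 4) -> list[str]:
    """ASCII runs of at least min_len characters, for eyeballing a decoded config."""
    return [s.decode("ascii") for s in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def recover_c2(blob: bytes) -> Optional[tuple[int, str, list[str]]]:
    """Best guess: the first key that exposes an IPv4 address, that address, and
    the printable strings of the blob decoded with that key.  None if no key works."""
    hits = brute_force_xor(blob)
    if not hits:
        return None
    key, ip = hits[0]
    return key, ip, printable_strings(xor_bytes(blob, key))


# Constructed sample: the C2 address reported in the advisory inside a
# hypothetical "c2=...:port=" record, XOR-encoded with the hypothetical key 0x5A.
ASSUMED_KEY = 0x5A
PLAINTEXT_CONFIG = b"\x00\x01c2=83.150.218.93:port=" + b"\xff\xff\xff\xff"
SAMPLE_BLOB = xor_bytes(PLAINTEXT_CONFIG, ASSUMED_KEY)

if __name__ == "__main__":
    print(recover_c2(SAMPLE_BLOB))
```

Because every key is tried, a real blob can produce false positives (random bytes that happen to decode to a dotted quad); `recover_c2` therefore also returns the printable strings of the decoded blob so the analyst can confirm the rest of the configuration looks sane before treating the address as an indicator.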
MITRE Techniques
- [T1059] Command and Scripting Interpreter – RondoDox executes arbitrary OS commands through the command-injection vulnerabilities in TBK DVRs and Four-Faith routers ('manipulate mdb and mdc parameters to inject OS commands').
- [T1547] Boot or Logon Autostart Execution – Establishes persistence by modifying file permissions and symbolic links for its init script and appending launch commands to system startup files and crontabs ('modifies file permissions and symbolic links to /etc/init.d/rondo and /etc/rc3.d/S99rondo').
- [T1499] Endpoint Denial of Service – Launches DDoS attacks over HTTP, UDP, and TCP against targets while disguising the traffic as legitimate services ('RondoDox is capable of launching DDoS attacks using HTTP, UDP, and TCP while impersonating gaming and VPN traffic').
- [T1562] Impair Defenses – Terminates processes belonging to network utilities and analysis tools such as tcpdump, Wireshark, and gdb to avoid detection ('if such processes are detected, RondoDox immediately terminates them').
- [T1070] Indicator Removal on Host – Clears the shell command history after deployment to evade detection ('clears the command execution history to evade detection').
- [T1036] Masquerading – Shapes its DDoS traffic to mimic gaming platforms, VPN protocols, and chat services such as OpenVPN, WireGuard, and Discord ('disguises malicious traffic by emulating popular games and platforms').
- [T1083] File and Directory Discovery – Scans common Linux executable directories and renames critical executables found there, disrupting system stability and recovery ('scans executable directories including /usr/sbin, /usr/bin, renaming files like iptables and passwd').
Indicators of Compromise
- [IP Address] C2 server and malicious host – 83.150.218.93, 45.135.194.34
- [File Hash] Downloader binaries targeting Linux architectures – c88f60dbae08519f2f81bb8efa7e6016c6770e66e58d77ab6384069a515e451c, eb3e2a6a50f029fc646e2c3483157ab112f4f017406c3aabedaae0c94e0969f6, f4cd7ab04b1744babef19d147124bfc0e9e90d557408cc2d652d7192df61bda9
- [File Hash] RondoDox malware samples –
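Putting the persistence paths, the renamed-binary symptom and the C2 addresses above together, the following is an added host-triage script (not FortiGuard's or the malware's code) for a DVR or router filesystem. Pointed at a root directory ("/" on a live device, or a mounted firmware dump) and the text of /proc/net/tcp, it reports the /etc/init.d/rondo and /etc/rc3.d/S99rondo artifacts, startup and cron files that reference them, the iptables/passwd/shutdown binaries missing from the usual executable directories, and established TCP connections to the listed C2 addresses. Which startup files and cron directories are searched, the string "rondo" used as the search needle, the extra /sbin and /bin directories, and the infected-looking fixture built by build_fixture() are assumptions constructed for the example; only /usr/sbin, /usr/bin, the two persistence paths, the three binaries and the two IPs come from the page.

```python
"""Host triage for the RondoDox artifacts described in the advisory.

Added example, not FortiGuard's or the malware's code.  Checks a filesystem
root and a /proc/net/tcp listing for the advisory's persistence paths,
renamed-binary symptom and C2 addresses.  build_fixture() creates a
constructed, infected-looking root so the example runs offline.
"""
import os
import tempfile
from pathlib import Path

C2_IPS = {"83.150.218.93", "45.135.194.34"}                    # from the IoC list
PERSISTENCE_PATHS = ["etc/init.d/rondo", "etc/rc3.d/S99rondo"]  # from the advisory
RENAMED_TARGETS = ["iptables", "passwd", "shutdown"]           # from the advisory
SEARCH_DIRS = ["usr/sbin", "usr/bin", "sbin", "bin"]           # sbin, bin: assumption
STARTUP_FILES = ["etc/rc.local", "etc/crontab"]                # assumption
CRON_DIRS = ["var/spool/cron/crontabs", "etc/cron.d"]          # assumption
ESTABLISHED = "01"                                             # /proc/net/tcp state code


def find_persistence(root: Path) -> list[str]:
    """Persistence artifacts present under root (dangling symlinks count)."""
    return [p for p in PERSISTENCE_PATHS
            if (root / p).is_symlink() or (root / p).exists()]


def find_startup_references(root: Path, needle: str = "rondo") -> list[str]:
    """Startup/cron files containing needle.  The needle is an assumption taken
    from the init-script name; the exact launch line is not on the page."""
    files = [root / f for f in STARTUP_FILES]
    for d in CRON_DIRS:
        if (root / d).is_dir():
            files.extend(p for p in (root / d).iterdir() if p.is_file())
    hits = []
    for f in files:
        try:
            text = f.read_text(errors="replace")
        except OSError:            # missing or unreadable file: not a finding
            continue
        if needle in text:
            hits.append(f.relative_to(root).as_posix())
    return sorted(hits)


def missing_binaries(root: Path) -> list[str]:
    """Expected binaries absent from every search directory.  On minimal
    firmware some may be legitimately absent, so treat this as a lead."""
    return [name for name in RENAMED_TARGETS
            if not any((root / d / name).exists() for d in SEARCH_DIRS)]


def _hex_to_ip(hexaddr: str) -> str:
    """/proc/net/tcp stores IPv4 addresses as little-endian 32-bit hex."""
    n = int(hexaddr, 16)
    return ".".join(str((n >> (8 * i)) & 0xFF) for i in range(4))


def parse_proc_net_tcp(text: str) -> list[tuple[str, int, str, int, str]]:
    """(local_ip, local_port, remote_ip, remote_port, state) per socket line."""
    rows = []
    for line in text.splitlines()[1:]:       # first line is the column header
        f = line.split()
        if len(f) < 4:
            continue
        lip, lport = f[1].split(":")
        rip, rport = f[2].split(":")
        rows.append((_hex_to_ip(lip), int(lport, 16), _hex_to_ip(rip), int(rport, 16), f[3]))
    return rows


def c2_connections(proc_net_tcp_text: str) -> list[tuple[str, int]]:
    """Established connections to a listed C2 address as (remote_ip, remote_port)."""
    return [(rip, rport) for _, _, rip, rport, st in parse_proc_net_tcp(proc_net_tcp_text)
            if st == ESTABLISHED and rip in C2_IPS]


def triage(root, proc_net_tcp_text: str) -> dict:
    root = Path(root)
    return {
        "persistence": find_persistence(root),
        "startup_refs": find_startup_references(root),
        "missing_binaries": missing_binaries(root),
        "c2_connections": c2_connections(proc_net_tcp_text),
    }


def build_fixture() -> Path:
    """Constructed infected-looking root for the example; not a real image."""
    root = Path(tempfile.mkdtemp(prefix="rondo-triage-"))
    (root / "etc/init.d").mkdir(parents=True)
    (root / "etc/rc3.d").mkdir(parents=True)
    (root / "etc/init.d/rondo").write_text("#!/bin/sh\n/tmp/.x &\n")     # assumed body
    os.symlink("../init.d/rondo", root / "etc/rc3.d/S99rondo")
    (root / "etc/crontab").write_text("@reboot /etc/init.d/rondo\n")     # assumed launch line
    for d in SEARCH_DIRS:
        (root / d).mkdir(parents=True)
    (root / "usr/bin/passwd").write_bytes(b"")   # passwd kept; iptables and shutdown gone
    return root


# Constructed /proc/net/tcp excerpt: an established session to 83.150.218.93:8080
# (5DDA9653:1F90, little-endian) and an SSH listener on 127.0.0.1.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0A00000A:C35A 5DDA9653:1F90 01 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 20 4 30 10 -1
   1: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
"""

if __name__ == "__main__":
    for name, value in triage(build_fixture(), SAMPLE_PROC_NET_TCP).items():
        print(f"{name}: {value}")
```

Two caveats for real use: /proc/net/tcp covers IPv4 TCP only, so also read /proc/net/udp and /proc/net/tcp6 given that the advisory lists UDP-based attacks; and because the sample renames rather than deletes the binaries, an unexpected extra file in /usr/sbin or /usr/bin with the size of the missing iptables or passwd is the second thing to look for on a device where the check fires.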