New Gafgyt Variant C0XMO Exploits DD-WRT Flaw, Targets Multiple Architectures
A new Gafgyt botnet variant, C0XMO, is spreading rapidly by exploiting a critical vulnerability in DD-WRT firmware, targeting multiple Linux architectures with a modular design.

A sophisticated new variant of the Gafgyt botnet, dubbed C0XMO, has been observed actively compromising Linux-based devices, primarily by exploiting a known vulnerability in DD-WRT router firmware. The malware leverages a stack buffer overflow in the UPnP service of affected routers, which allows attackers to gain unauthorized access without any credentials. Once a device is compromised, C0XMO enlists it into the growing botnet, which is used to launch distributed denial-of-service (DDoS) attacks.
What distinguishes C0XMO from previous Gafgyt iterations is its modular architecture and its capability to target a wide array of Linux processor architectures simultaneously. The malware is engineered to compile and deploy architecture-specific payloads, significantly broadening its reach compared to many other IoT-focused threats. Furthermore, it incorporates Python-based scanning scripts that facilitate lateral movement across networks, enabling the automatic discovery of new targets.
Fortinet's FortiGuard Labs identified and analyzed the C0XMO variant, noting its initial discovery in March. The analysis confirmed the exploitation of CVE-2021-27137, a stack buffer overflow vulnerability in the UPnP service of specific DD-WRT firmware versions. This flaw is triggered by sending an oversized ST:uuid value in a crafted M-SEARCH request over UDP port 1900. The widespread deployment of DD-WRT firmware in home offices and small businesses makes this threat particularly concerning.
Beyond its primary target of routers, C0XMO demonstrates a cross-platform approach by attempting to exploit exposed Android Debug Bridge (ADB) connections to compromise Android devices. This multi-platform targeting signifies an increasing level of sophistication among operators of IoT botnets. The botnet launches DDoS attacks once devices are recruited, and it also exploits known vulnerabilities in D-Link devices, GLPI project software, and Avtech DVR cameras, considerably widening the range of devices it can compromise.
A key technical innovation in C0XMO is its separation of lateral movement functionality into a standalone Python script. This design allows the botnet to scan and probe networks independently of the main malware, enhancing its flexibility and making it more elusive. The script identifies reachable hosts and ascertains the target's architecture before delivering the appropriate payload. The malware supports a range of Linux architectures, including ARM, MIPS, and x86, effectively covering a broad spectrum of routers, IoT sensors, and embedded devices.
After infection, C0XMO establishes communication with a command-and-control (C2) server, awaiting instructions for DDoS attacks and further botnet expansion. Its scanning modules operate continuously in the background, identifying new devices and relaying information back to the operators. The malware also employs brute-force authentication attempts against accessible services as part of its network traversal routine.
The success of C0XMO relies on exploiting several well-known, yet often unpatched, vulnerabilities. In addition to CVE-2021-27137 in DD-WRT, its toolkit includes CVE-2015-2051 for D-Link devices, CVE-2022-35914 for GLPI project software, and multiple flaws affecting Avtech DVR cameras. The persistence of these vulnerabilities highlights the slow pace of patching in the IoT ecosystem. Users of affected devices are strongly advised to update their firmware immediately.
To mitigate the threat, disable UPnP on DD-WRT routers where it is not essential; this closes the primary entry point. Firewall rules that block external access to UDP port 1900 further reduce exposure. Continuous network traffic monitoring is crucial for early detection of infections: watch for unusual outbound connections, sudden spikes in UDP traffic on port 1900, and brute-force login attempts. Older and unmanaged IoT devices, which are frequently unpatched, are prime targets for campaigns like C0XMO.
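As an added defender-side illustration (this is not code from the original article or from FortiGuard Labs), the Python below parses SSDP datagrams, flags M-SEARCH requests whose ST header value is oversized, and counts per-source M-SEARCH volume to surface the port 1900 spikes the article recommends watching for. The length threshold (`MAX_ST_VALUE_LEN`), the spike threshold, and all sample traffic are constructed assumptions for the example, not values taken from the vulnerability, the firmware, or the advisory.

```python
"""Detection example: oversized SSDP ST values and M-SEARCH bursts on UDP 1900."""
from collections import Counter

SSDP_PORT = 1900
# Assumed threshold (not from the advisory): legitimate ST values such as
# "ssdp:all", "upnp:rootdevice", "uuid:<36-char UUID>" or "urn:..." are short,
# so anything beyond this length is worth an alert.
MAX_ST_VALUE_LEN = 128
SAMPLE_UUID = "uuid:12345678-1234-1234-1234-123456789abc"  # constructed UUID


def parse_ssdp_headers(datagram):
    """Split an SSDP datagram into its request line and a lowercase-keyed header map."""
    text = datagram.decode("latin-1", errors="replace")
    lines = text.split("\r\n")
    request_line = lines[0]
    headers = {}
    for line in lines[1:]:
        if not line:
            break  # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return request_line, headers


def inspect_msearch(datagram, max_len=MAX_ST_VALUE_LEN):
    """Return a verdict for one datagram: is it M-SEARCH, and is its ST value oversized?"""
    request_line, headers = parse_ssdp_headers(datagram)
    is_msearch = request_line.upper().startswith("M-SEARCH ")
    st_value = headers.get("st", "")
    return {
        "msearch": is_msearch,
        "st_len": len(st_value),
        "suspicious": is_msearch and len(st_value) > max_len,
    }


def scan_datagrams(records, max_len=MAX_ST_VALUE_LEN, spike_threshold=50):
    """records: iterable of (src_ip, dst_port, payload) tuples.

    Returns oversized-ST alerts and the sources whose M-SEARCH count reaches
    spike_threshold (an assumed per-capture-window value).
    """
    oversized = []
    msearch_per_src = Counter()
    for src_ip, dst_port, payload in records:
        if dst_port != SSDP_PORT:
            continue
        verdict = inspect_msearch(payload, max_len)
        if not verdict["msearch"]:
            continue  # NOTIFY and responses are not the shape of interest here
        msearch_per_src[src_ip] += 1
        if verdict["suspicious"]:
            oversized.append({"src": src_ip, "st_len": verdict["st_len"]})
    spikes = {src: n for src, n in msearch_per_src.items() if n >= spike_threshold}
    return {"oversized": oversized, "spikes": spikes}


def build_msearch(st_value):
    """Build a well-formed SSDP M-SEARCH datagram for the constructed sample set."""
    return (
        "M-SEARCH * HTTP/1.1\r\n"
        "HOST: 239.255.255.250:1900\r\n"
        'MAN: "ssdp:discover"\r\n'
        "MX: 2\r\n"
        f"ST: {st_value}\r\n"
        "\r\n"
    ).encode("latin-1")


def constructed_records():
    """Constructed sample traffic (not captured data): benign discovery, a NOTIFY,
    a burst from one host, and a single M-SEARCH with an oversized ST value."""
    records = [
        ("192.168.1.20", SSDP_PORT, build_msearch("ssdp:all")),
        ("192.168.1.21", SSDP_PORT, build_msearch(SAMPLE_UUID)),
        ("192.168.1.22", SSDP_PORT,
         b"NOTIFY * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\nNT: upnp:rootdevice\r\n\r\n"),
    ]
    records += [("198.51.100.7", SSDP_PORT, build_msearch("upnp:rootdevice")) for _ in range(60)]
    records.append(("203.0.113.5", SSDP_PORT, build_msearch("uuid:" + "A" * 600)))
    return records


if __name__ == "__main__":
    result = scan_datagrams(constructed_records())
    for alert in result["oversized"]:
        print(f"oversized ST ({alert['st_len']} bytes) from {alert['src']}")
    for src, count in result["spikes"].items():
        print(f"M-SEARCH spike: {count} requests from {src}")
```

In a real deployment the `records` would come from a packet capture or a flow collector filtered to UDP destination port 1900; the parser tolerates non-UTF-8 bytes by decoding as latin-1, so a malformed datagram is inspected rather than dropped.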