A new and advanced variant of the **Gafgyt** botnet, named **C0XMO**, is actively exploiting vulnerabilities in **DD-WRT** router firmware. This sophisticated malware demonstrates a remarkable ability to adapt, targeting a diverse range of device types across multiple CPU architectures, including ARM, MIPS, PowerPC, SuperH, x86, and x86_64. ### Modular Design and Broad Reach Researchers at **Fortinet** were instrumental in uncovering **C0XMO**'s capabilities. They highlighted its modular architecture, a key feature that allows its operators to independently update exploitation techniques, add or remove targeted architectures, and expand lateral movement capabilities without altering the main payload. While observed targeting a Japanese technology company, the botnet's source IP was traced back to a device in Germany, indicating a potentially wider global reach or complex operational structure. ### Exploitation and DDoS Capabilities **C0XMO** primarily propagates by exploiting **CVE-2021-27137**, a critical buffer overflow vulnerability in **DD-WRT**. This flaw, stemming from insufficient user input validation, can be leveraged without authentication to execute arbitrary code on vulnerable devices. At its core, **C0XMO** is designed for launching distributed denial-of-service (DDoS) attacks. It supports an extensive array of 19 attack methods, including UDP/TCP/SYN/ICMP floods, “ping of death,” NTP/Memcached amplification, Discord voice UDP floods, and Valve-specific floods. ### Advanced Propagation and Persistence To achieve wider distribution, **C0XMO** downloads a Python script that installs necessary packages like 'requests,' 'paramiko,' and 'beautifulsoup4'. These tools facilitate network scanning and communication over SSH and Telnet protocols.  The scanner employs worker threads to randomly probe internet-facing systems on common ports such as 22 (SSH), 23 (Telnet), 80/443 (HTTP/HTTPS), 7547, 8080, 8443, and 8888. Upon identifying a target, the malware attempts to brute-force weak Telnet and SSH credentials. Once access is gained, it detects the CPU architecture and deploys a compatible **C0XMO** binary. The script features nearly two dozen functions for various tasks, including scanning, exploiting HTTP and ADB-based vulnerabilities, CPU architecture detection, SSH/Telnet login, and IP address verification, all aimed at robust lateral movement within networks. Once a device is compromised, **C0XMO** copies itself to hidden directories like '/tmp/.sys,' '/var/tmp/.sys,' and '/dev/shm/.sys.' It then establishes persistence by creating cron jobs to relaunch itself every 15 minutes and modifies shell startup files for automatic execution. ### Eliminating Rivals and Command & Control A notable characteristic of **C0XMO** is its active scanning for rival botnet clients, red-team tools, programming tools, and network services that might interfere with its operations. Upon detection, it terminates these processes, deletes their binaries, and removes their persistence mechanisms, including cron jobs, init scripts, system services, and shell profile entries.  Following successful compromise and cleanup, **C0XMO** connects to a hardcoded command-and-control (C2) address using a custom multi-stage handshake involving magic strings and shared secrets. It then awaits commands, which include heartbeat checks, initiating/stopping scans, and launching DDoS attacks using any of its 19 supported methods. ### Fortinet's Assessment and Defense Recommendations **Fortinet** describes **C0XMO** as possessing "a considerably more advanced architecture and feature set compared to earlier IoT botnets." The researchers emphasize that its overall design indicates "a greater degree of operational sophistication and complexity than typical **Gafgyt** malware." To defend against **C0XMO** and similar botnet threats, IT security professionals and users are strongly advised to: * Keep all devices, especially routers and IoT devices, updated with the latest firmware and security patches. * Utilize strong, unique administrative credentials for all network devices. * Disable remote access capabilities when not explicitly required.