C0XMO

The scanner performs weak password brute-force attacks on Telnet and SSH services. After successful authentication, it identifies the target host’s architecture and downloads the appropriate payload.

In addition, the scanner exploits unauthorized access vulnerabilities in the Android Debug Bridge (ADB) to compromise exposed Android-based devices.

The malware then creates cron jobs to run C0XMO every 15 minutes. (crontab -l 2>/dev/null | grep -v '%s'; echo ' /15 * * * %s >/dev/null 2>&1') | crontab -

Unlike traditional botnets, C0XMO isolates its scanning function into an independent Python script. The malware fetches this script from the same IP address and port... C0XMO then executes the scanner script with the following arguments. python3 /tmp/scanner.py --rand ...

The malware is delivered through a stack buffer overflow in vulnerable DD-WRT router firmware, triggered by malicious SSDP M-SEARCH requests sent to UDP port 1900.

C0XMO appends execution commands to multiple shell profile files such as ~/.profile, ~/.bashrc, and ~/.bash_profile, using the hidden files created earlier.

The malware then creates cron jobs to run C0XMO every 15 minutes. (crontab -l 2>/dev/null | grep -v '%s'; echo ' /15 * * * %s >/dev/null 2>&1') | crontab -

The scanner performs weak password brute-force attacks on Telnet and SSH services. After successful authentication, it identifies the target host’s architecture and downloads the appropriate payload.

In addition, the scanner exploits unauthorized access vulnerabilities in the Android Debug Bridge (ADB) to compromise exposed Android-based devices.

C0XMO appends execution commands to multiple shell profile files such as ~/.profile, ~/.bashrc, and ~/.bash_profile, using the hidden files created earlier.

The malware then creates cron jobs to run C0XMO every 15 minutes. (crontab -l 2>/dev/null | grep -v '%s'; echo ' /15 * * * %s >/dev/null 2>&1') | crontab -

The scanner performs weak password brute-force attacks on Telnet and SSH services. After successful authentication, it identifies the target host’s architecture and downloads the appropriate payload.

It then generates multiple hidden file paths, including /tmp/.sys, /var/tmp/.sys, and /dev/shm/.sys... C0XMO copies itself to these hidden locations

If it finds a match, C0XMO deletes the corresponding file from the system.

The scanner performs weak password brute-force attacks on Telnet and SSH services. After successful authentication, it identifies the target host’s architecture and downloads the appropriate payload.

pip3 install requests paramiko beautifulsoup4 --break-system-packages 2>/dev/null || pip3 install requests paramiko beautifulsoup4 2>/dev/null || python3 -m pip install requests paramiko beautifulsoup4

After successful authentication, it identifies the target host’s architecture and downloads the appropriate payload.

C0XMO copies itself to these hidden locations and sets the file permissions to 755, enabling execution.

C0XMO exhibits many traits typical of Gafgyt variants, including weak-credential brute-force attacks targeting Telnet and SSH... The scanner performs weak password brute-force attacks on Telnet and SSH services.

python3 /tmp/scanner.py --rand --rand-ports 23,22,80,443,8080,5555,5511,5554,4443,81,8000,7547,8081,8443,8888 ... The script then creates numerous worker threads... Scan whether the target ports are open Detect the service type Execute Telnet, SSH, HTTP, and ADB exploitation attempts

The malware scans all active processes in /proc, comparing their names to an internal blacklist.

After successful authentication, it identifies the target host’s architecture and downloads the appropriate payload.

These packages are primarily used for network communication, including sending HTTP requests, receiving responses, and performing SSH- and Telnet-based interactions.

In March, Labs identified a new Gafgyt botnet variant called C0XMO that spreads by exploiting CVE-2021-27137.

Unlike earlier variants, C0XMO uses a separate Python script for lateral movement, improving propagation across different devices and architectures.

After completing the local persistence setup, C0XMO establishes a connection to the C2 server at 85[.]215[.]131[.]70... C0XMO performs a custom handshake after connecting.

The server then responds with the string HANDSHAKE_OK. Next, C0XMO sends the string BOT to identify itself as a botnet node... In the final stage of the handshake, the bot sends the hexadecimal sequence FF FF FF FF 75 as the final magic value to the C2 server.

After compromise, the malware was downloaded to the `/tmp/.cache` directory on the affected host.

If a process name matches an entry on the blacklist, C0XMO immediately terminates that process.

C0XMO supports 19 different DDoS attack methods for various scenarios... UDP Bypass Flood, TCP Flood, Hybrid TCP + UDP Flood, TCP SYN Flood... HTTP Request Storm, Slow/IO Exhaustion, HTTP GET Flood

If a process name matches an entry on the blacklist, C0XMO immediately terminates that process... It not only deletes rival malware binaries but also tries to remove associated persistence mechanisms such as cron jobs, rc.local, init.d services, system services, and shell profile scripts.