
C0XMO botnet spreads via DD-WRT router flaw, kills rival malware

BleepingComputer, 07/06/2026, 14:17

Summary

AI-Generated

Key Points:

  • C0XMO, a new variant of the Gafgyt botnet, exploits a buffer overflow vulnerability (CVE-2021-27137) in DD-WRT router firmware to spread and to launch DDoS attacks.
  • The botnet is built for multiple device architectures and moves laterally across networks, reaching devices such as DVRs and routers. On infected devices it evades detection and terminates rival malware so it has the hardware to itself.
  • Recommended actions: keep firmware updated, replace default or shared admin credentials with unique ones, and disable remote management, SSH and Telnet where they are not needed.

Technical Details: C0XMO exploits CVE-2021-27137 on DD-WRT routers without authentication to gain arbitrary code execution. It also scans for exposed SSH and Telnet services and brute-forces weak credentials on them to reach further devices.
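The SSH/Telnet credential guessing described above is the part of this activity that leaves traces in a router's own syslog. The following is an added example for this summary, not code from BleepingComputer or from the C0XMO/Gafgyt analysis it reports on: it parses failed-login lines from dropbear (the SSH daemon commonly shipped on embedded routers) and from BusyBox login behind telnetd, correlates both services per source address in a sliding window, and flags sources that cross a threshold. The dropbear message is dropbear's real wording; the BusyBox login wording is assumed, and all log lines, hostnames, addresses (RFC 5737 ranges), the threshold and the window are constructed for illustration.

```python
"""Detect SSH/Telnet credential-guessing bursts in router syslog.

Added example for this summary; it is not code from BleepingComputer or from
the C0XMO/Gafgyt analysis the article reports on. All log lines, hostnames,
IP addresses (RFC 5737 documentation ranges) and thresholds are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: a router's syslog during a password-guessing sweep.
SAMPLE_LOG = """\
Jan 14 03:12:01 gw dropbear[812]: Bad password attempt for 'admin' from 198.51.100.23:50212
Jan 14 03:12:02 gw dropbear[812]: Bad password attempt for 'root' from 198.51.100.23:50213
Jan 14 03:12:02 gw dropbear[813]: Bad password attempt for 'admin' from 198.51.100.23:50214
Jan 14 03:12:03 gw dropbear[813]: Bad password attempt for 'user' from 198.51.100.23:50215
Jan 14 03:12:03 gw dropbear[814]: Bad password attempt for 'support' from 198.51.100.23:50216
Jan 14 03:12:04 gw dropbear[814]: Bad password attempt for 'root' from 198.51.100.23:50217
Jan 14 03:12:05 gw login[901]: invalid password for 'root' on 'pts/0' from '203.0.113.77'
Jan 14 03:12:06 gw login[901]: invalid password for 'admin' on 'pts/0' from '203.0.113.77'
Jan 14 03:12:07 gw login[902]: invalid password for 'admin' on 'pts/0' from '203.0.113.77'
Jan 14 03:12:09 gw dropbear[815]: Bad password attempt for 'root' from 203.0.113.77:33001
Jan 14 03:12:10 gw dropbear[815]: Bad password attempt for 'admin' from 203.0.113.77:33002
Jan 14 03:14:40 gw dropbear[820]: Bad password attempt for 'alice' from 192.0.2.9:40001
Jan 14 03:14:41 gw dropbear[820]: Bad password attempt for 'alice' from 192.0.2.9:40002
Jan 14 03:14:42 gw dropbear[821]: Bad password attempt for 'alice' from 192.0.2.9:40003
Jan 14 03:14:43 gw dropbear[821]: Bad password attempt for 'alice' from 192.0.2.9:40004
Jan 14 03:16:50 gw dropbear[822]: Bad password attempt for 'alice' from 192.0.2.9:40005
Jan 14 03:16:55 gw dropbear[822]: Password auth succeeded for 'alice' from 192.0.2.9:40006
"""

# Classic BSD syslog prefix: "Mon DD HH:MM:SS host message".
SYSLOG_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ (?P<msg>.*)$")

# Per-service failure messages. The dropbear line is dropbear's own wording;
# the BusyBox login line (telnet sessions) is assumed and may need adjusting.
FAILURE_PATTERNS = {
    "ssh": re.compile(r"^dropbear\[\d+\]: Bad password attempt for '(?P<user>[^']*)' from (?P<src>[\d.]+):\d+"),
    "telnet": re.compile(r"^login\[\d+\]: invalid password for '(?P<user>[^']*)' on '[^']*' from '(?P<src>[\d.]+)'"),
}


def parse_failure(line, year):
    """Return (timestamp, service, user, src) for a failed login line, else None."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    for service, pat in FAILURE_PATTERNS.items():
        f = pat.match(m.group("msg"))
        if f:
            # Syslog omits the year; the caller supplies it.
            ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
            return ts, service, f.group("user"), f.group("src")
    return None


def detect_bursts(lines, threshold=5, window=timedelta(seconds=60), year=2026):
    """Flag sources with >= threshold failures (SSH and Telnet combined) in a sliding window.

    Returns {src: {"count", "users", "services", "first", "last"}}, where "count"
    is the peak number of failures seen inside one window for that source.
    """
    recent = defaultdict(deque)  # src -> deque of (ts, service, user) inside the window
    alerts = {}
    for line in lines:
        ev = parse_failure(line, year)
        if ev is None:
            continue
        ts, service, user, src = ev
        q = recent[src]
        q.append((ts, service, user))
        # Drop events older than the window relative to the newest one.
        while ts - q[0][0] > window:
            q.popleft()
        if len(q) >= threshold and len(q) > alerts.get(src, {}).get("count", 0):
            alerts[src] = {
                "count": len(q),
                "users": {u for _, _, u in q},
                "services": {s for _, s, _ in q},
                "first": q[0][0],
                "last": ts,
            }
    return alerts


if __name__ == "__main__":
    for src, a in detect_bursts(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {a['count']} failures over {sorted(a['services'])} "
              f"between {a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}, "
              f"users tried: {sorted(a['users'])}")
```

On the constructed sample, 198.51.100.23 (six SSH failures across four usernames in a few seconds) and 203.0.113.77 (three Telnet plus two SSH failures) are flagged, while 192.0.2.9 is not: its four early failures have aged out of the 60-second window by the time the fifth arrives, so a per-source lifetime count would over-alert where the sliding window does not. Counting SSH and Telnet together matters for this botnet, since the article says it tries both.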

MITRE ATT&CK Techniques:

  • T1190 - Exploit Public-Facing Application (Initial Access)
  • T1110.001 - Brute Force: Password Guessing (Credential Access)
  • T1046 - Network Service Discovery (Discovery)
  • T1059.004 - Command and Scripting Interpreter: Unix Shell (Execution)
  • T1021 - Remote Services (Lateral Movement)
  • T1498 - Network Denial of Service (Impact)

IOCs Mentioned: none.
