A never-before-seen botnet called Goldoon has been observed targeting D-Link routers with a nearly decade-old critical security flaw with the goal of using the compromised devices for further attacks.
The vulnerability in question is CVE-2015-2051 (CVSS score: 9.8), which affects D-Link DIR-645 routers and allows remote attackers to execute arbitrary commands by means of specially crafted HTTP requests.
"If a targeted device is compromised, attackers can gain complete control, enabling them to extract system information, establish communication with a C2 server, and then use these devices to launch further attacks, such as distributed denial-of-service (DDoS)," Fortinet FortiGuard Labs researchers Cara Lin and Vincent Li said.
Telemetry data from the network security company points to a spike in the botnet activity around April 9, 2024.
It all starts with the exploitation of CVE-2015-2051 to retrieve a dropper script from a remote server, which is responsible for downloading the next-stage payload for different Linux system architectures, including aarch64, arm, i686, m68k, mips64, mipsel, powerpc, s390x, sparc64, x86-64, sh4, riscv64, DEC Alpha, and PA-RISC.
The payload is subsequently launched on the compromised device and acts as a downloader for the Goldoon malware from a remote endpoint, after which the dropper removes the executed file and then deletes itself in a bid to cover up the trail and fly under the radar.
Any attempt to access the endpoint directly via a web browser displays the error message: "Sorry, you are an FBI Agent & we can't help you :( Go away or I will kill you :)"
Goldoon, besides setting up persistence on the host using various autorun methods, establishes contact with a command-and-control (C2) server to await commands for follow-up actions.
These actions include an "astounding 27 different methods" to pull off DDoS flood attacks using various protocols like DNS, HTTP, ICMP, TCP, and UDP.
"While CVE-2015-2051 is not a new vulnerability and presents a low attack complexity, it has a critical security impact that can lead to remote code execution," the researchers said.
The development comes as botnets continue to evolve and exploit as many devices as possible, even as cybercriminals and advanced persistent threat (APT) actors alike have demonstrated an interest in compromised routers for use as an anonymization layer.
"Cybercriminals rent out compromised routers to other criminals, and most likely also make them available to commercial residential proxy providers," cybersecurity company Trend Micro said in a report.
"Nation-state threat actors like Sandworm used their own dedicated proxy botnets, while APT group Pawn Storm had access to a criminal proxy botnet of Ubiquiti EdgeRouters."
By using the hacked routers as proxies, the attackers aim to hide traces of their presence and make detection of malicious activities more difficult by blending their traffic in with benign, everyday traffic.
Earlier this February, the U.S. government took steps to dismantle parts of a botnet called MooBot that, among other internet-facing devices like Raspberry Pi and VPS servers, primarily leveraged Ubiquiti EdgeRouters.
Trend Micro said it observed the routers being used for different purposes, such as Secure Shell (SSH) brute forcing, pharmaceutical spam, employing server message block (SMB) reflectors in NTLMv2 hash relay attacks, proxying stolen credentials on phishing sites, multi-purpose proxying, cryptocurrency mining, and sending spear phishing emails.
Ubiquiti routers have also come under assault from another threat actor that infects these devices with a malware dubbed Ngioweb, after which they are used as exit nodes in a commercially available residential proxy botnet.
The findings further underscore the use of various malware families to wrangle the routers into a network that threat actors could control, effectively turning them into covert listening posts capable of monitoring all network traffic.
"Internet routers remain a popular asset for threat actors to compromise since they often have reduced security monitoring, have less stringent password policies, are not updated frequently, and may use powerful operating systems that allow for installation of malware such as cryptocurrency miners, proxies, distributed denial of service (DDoS malware), malicious scripts, and web servers," Trend Micro said.