Goldoon Botnet Exploits Old D-Link Router Vulnerability for Further Attacks

May 2, 2024

A previously unseen botnet, termed Goldoon, is exploiting a critical security flaw in D-Link routers that dates back nearly a decade. The objective of this exploitation is to compromise the devices and use them to carry out further attacks. The vulnerability being exploited is CVE-2015-2051, which has a CVSS score of 9.8 and affects D-Link DIR-645 routers. The flaw allows remote attackers to execute arbitrary commands by sending specially crafted HTTP requests.

Fortinet FortiGuard Labs researchers Cara Lin and Vincent Li stated, 'If a targeted device is compromised, attackers can gain complete control, enabling them to extract system information, establish communication with a C2 server, and then use these devices to launch further attacks, such as distributed denial-of-service (DDoS).' The researchers noticed a surge in botnet activity around April 9, 2024. The attack begins with the exploitation of CVE-2015-2051 to retrieve a dropper script from a remote server. This script is responsible for downloading the next-stage payload for different Linux system architectures.

The payload is then launched on the compromised device and acts as a downloader for the Goldoon malware from a remote endpoint. After this, the dropper removes the executed file and deletes itself to cover its tracks and avoid detection. The botnet, Goldoon, establishes persistence on the host using various autorun methods and connects with a command-and-control (C2) server to receive commands for subsequent actions. This includes an 'astounding 27 different methods' to carry out DDoS flood attacks using various protocols such as DNS, HTTP, ICMP, TCP, and UDP.
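The chain described above leaves a network-visible footprint on the compromised router: an outbound fetch of a small script, followed shortly by fetches of the same payload built for several CPU architectures from the same remote host. The following Python is an added example, not code from the article or from Fortinet, showing one way a defender can hunt for that footprint in egress HTTP logs; the log line format, the sample entries (RFC 5737 addresses) and the architecture suffix list are all constructed assumptions, not indicators from the report.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample egress log (assumed format, not from the Fortinet report).
# 192.0.2.10 shows the script-then-multi-arch pattern; 192.0.2.11 is benign browsing.
SAMPLE_LOG = """\
2024-04-09T10:00:01Z src=192.0.2.10 dst=203.0.113.5 method=GET uri=/firmware/check
2024-04-09T10:01:02Z src=192.0.2.10 dst=203.0.113.7 method=GET uri=/cgi/x.sh
2024-04-09T10:01:05Z src=192.0.2.10 dst=203.0.113.7 method=GET uri=/bins/payload.arm
2024-04-09T10:01:06Z src=192.0.2.10 dst=203.0.113.7 method=GET uri=/bins/payload.mips
2024-04-09T10:01:07Z src=192.0.2.10 dst=203.0.113.7 method=GET uri=/bins/payload.mipsel
2024-04-09T10:05:00Z src=192.0.2.11 dst=203.0.113.9 method=GET uri=/index.html
2024-04-09T10:05:30Z src=192.0.2.11 dst=203.0.113.9 method=GET uri=/static/app.js
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) method=(?P<method>\S+) uri=(?P<uri>\S+)$"
)

# Architecture suffixes a multi-architecture dropper commonly requests.
# This list is an assumption for the example, not taken from the report.
ARCH_TOKENS = ("arm", "arm7", "mips", "mipsel", "x86", "x86_64", "sh4", "ppc", "m68k")
WINDOW = timedelta(minutes=5)  # how long after the script fetch we look for binaries


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return d


def arch_of(uri):
    """Return the architecture token a requested file name ends with, else None."""
    name = uri.rsplit("/", 1)[-1].lower()
    for tok in ARCH_TOKENS:
        if name.endswith("." + tok) or name.endswith("_" + tok) or name.endswith("-" + tok):
            return tok
    return None


def find_multiarch_fetches(log_text, min_archs=2):
    """Flag sources that fetch a shell script and then, within WINDOW, binaries for
    at least min_archs architectures from the same remote host."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i, e in enumerate(evs):
            if not e["uri"].lower().endswith(".sh"):
                continue
            archs = set()
            for f in evs[i + 1:]:
                if f["ts"] - e["ts"] > WINDOW:
                    break  # outside the correlation window
                if f["dst"] == e["dst"]:
                    a = arch_of(f["uri"])
                    if a:
                        archs.add(a)
            if len(archs) >= min_archs:
                alerts.append({"src": src, "dst": e["dst"],
                               "script": e["uri"], "archs": sorted(archs)})
    return alerts


if __name__ == "__main__":
    for alert in find_multiarch_fetches(SAMPLE_LOG):
        print(f"suspect dropper chain: {alert}")
```

The correlation is deliberately behavioural rather than signature-based: because the dropper removes the downloaded file and itself after execution, host artefacts may be gone by the time anyone looks, whereas the multi-architecture download burst is hard for the attacker to hide from an egress log. Tune `WINDOW`, `min_archs` and the suffix list to your own traffic before relying on it.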

The researchers noted, 'While CVE-2015-2051 is not a new vulnerability and presents a low attack complexity, it has a critical security impact that can lead to remote code execution.' This development illustrates how botnets continue to evolve and to exploit as many devices as they can reach. Cybercriminals and advanced persistent threat (APT) actors have shown interest in compromised routers for use as an anonymization layer.

Cybersecurity company Trend Micro reported that 'Cybercriminals rent out compromised routers to other criminals, and most likely also make them available to commercial residential proxy providers.' Nation-state threat actors like Sandworm have used their dedicated proxy botnets, while APT group Pawn Storm had access to a criminal proxy botnet of Ubiquiti EdgeRouters.

The goal of using hacked routers as proxies is to hide the actors' presence and make their malicious activity harder to detect by blending it in with benign, normal traffic. In February, the U.S. government took steps to dismantle parts of a botnet called MooBot that primarily leveraged Ubiquiti EdgeRouters. Trend Micro observed the routers being used for various malicious activities, including SSH brute forcing, pharmaceutical spam, and cryptocurrency mining.

The findings highlight the use of various malware families to control routers, effectively turning them into covert listening posts capable of monitoring all network traffic. 'Internet routers remain a popular asset for threat actors to compromise since they often have reduced security monitoring, have less stringent password policies, are not updated frequently, and may use powerful operating systems that allow for installation of malware such as cryptocurrency miners, proxies, distributed denial of service (DDoS) malware, malicious scripts, and web servers,' Trend Micro said.
