C0XMO Botnet Exploits DD-WRT Flaw to Wipe Rival Malware
Fortinet researchers have uncovered a new variant of the Gafgyt botnet, dubbed C0XMO, which exploits a long-known buffer overflow vulnerability in DD-WRT router firmware (CVE-2021-27137) to gain unauthenticated remote code execution. The flaw stems from insufficient user input validation and allows the operators to drop malware without any credentials, making it a dangerous entry point for IoT compromise. Once inside, the modular malware can pivot to DVRs, video management platforms, Android-based devices, and Linux systems running on ARM, MIPS, PowerPC, SuperH, x86, and x86_64 architectures.
Beyond raw exploitation, C0XMO leverages a Python-based scanner that installs packages such as requests, paramiko, and beautifulsoup4 and sweeps the internet for hosts listening on common ports, including 22, 23, 80, 443, 7547, 8080, 8443, and 8888. Discovered targets are brute-forced for weak SSH and Telnet credentials, and the script fingerprints the CPU architecture before deploying a matching C0XMO binary. Organizations can audit their own exposure by running a port scanner against their address space to identify which of these services are internet-facing, and employees should check their credentials against known breach data with a password checker to rule out reused or weak logins. The persistence mechanism is aggressive: binaries are copied to hidden paths such as /tmp/.sys, /var/tmp/.sys, and /dev/shm/.sys, cron jobs relaunch the payload every 15 minutes, and shell startup files are modified so the malware runs automatically on login.
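The persistence indicators listed above (the hidden staging paths, the 15-minute cron relaunch, and the modified shell startup files) lend themselves to a simple host-side triage check. The script below is an added example written for this article, not code from Fortinet or from the report; the three hidden paths come from the report, while the crontab and .bashrc contents, the choice of startup file names, and the assumption that the hidden path itself is what the cron entry executes are constructed for the demonstration.

```python
"""Triage check for the C0XMO persistence indicators described in the article.

Added example (not Fortinet's code). It looks for three things the report
names: hidden staging paths on disk, cron entries that relaunch a payload
from those paths, and shell startup files that reference them.
"""
import os
import re
from dataclasses import dataclass

# Hidden staging paths named in the Fortinet write-up.
HIDDEN_PATHS = ("/tmp/.sys", "/var/tmp/.sys", "/dev/shm/.sys")

# Shell startup files to inspect; this list is an assumption, the report only
# says "shell startup files" without naming them.
STARTUP_FILES = (".bashrc", ".profile", ".bash_profile")

# Five schedule fields followed by the command (user crontab layout).
_CRON_LINE = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.+)$")


@dataclass
class Finding:
    source: str   # where the indicator was observed (crontab, .bashrc, filesystem)
    detail: str   # the offending line or path


def cron_lines_referencing(crontab_text, paths=HIDDEN_PATHS):
    """Return cron entries whose command references a hidden staging path.
    A */15 minute field is annotated, since that is the interval the report
    describes; any other schedule is still reported."""
    findings = []
    for line in crontab_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _CRON_LINE.match(line)
        if not m:
            continue
        minute, command = m.group(1), m.group(6)
        if any(p in command for p in paths):
            note = " (15-minute relaunch schedule)" if minute == "*/15" else ""
            findings.append(Finding("crontab", line.strip() + note))
    return findings


def profile_lines_referencing(profile_text, name, paths=HIDDEN_PATHS):
    """Return non-comment lines in a shell startup file that mention a hidden path."""
    return [Finding(name, line.strip())
            for line in profile_text.splitlines()
            if any(p in line for p in paths) and not line.lstrip().startswith("#")]


def hidden_paths_present(root="/", paths=HIDDEN_PATHS):
    """Return the hidden staging paths that exist under `root`.
    `root` is parameterised so the check can be pointed at a mounted image
    or a test tree instead of the live filesystem."""
    return [Finding("filesystem", p) for p in paths
            if os.path.exists(os.path.join(root, p.lstrip("/")))]


def triage(crontab_text, profiles, root="/"):
    """Run all three checks; `profiles` maps a startup file name to its contents."""
    findings = cron_lines_referencing(crontab_text)
    for name, text in profiles.items():
        findings.extend(profile_lines_referencing(text, name))
    findings.extend(hidden_paths_present(root))
    return findings


# Constructed sample inputs: one benign cron job, one relaunch entry using a
# hidden path as the command, and a .bashrc with an appended background launch.
SAMPLE_CRONTAB = """# m h dom mon dow command
0 3 * * * /usr/bin/logrotate /etc/logrotate.conf
*/15 * * * * /tmp/.sys >/dev/null 2>&1
"""
SAMPLE_BASHRC = """# ~/.bashrc
alias ll='ls -la'
/dev/shm/.sys &
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_CRONTAB, {".bashrc": SAMPLE_BASHRC}):
        print(f"[{f.source}] {f.detail}")
```

On a live host, feed the function the output of `crontab -l` for each user (and the contents of /etc/cron.d), the startup files in each home directory, and leave `root` at `/`; a hit on any of the three checks is worth a closer look, since none of those paths is used by legitimate software on a stock system.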
Functionally, C0XMO remains a DDoS platform with 19 attack methods, including UDP, TCP, SYN, and ICMP floods, "ping of death," NTP and Memcached amplification, Discord voice UDP floods, and Valve-specific floods. Its most distinctive behavior, however, is competitive: the malware enumerates running processes to detect rival botnet clients, red-team frameworks, and network services that could interfere with its operations, then terminates them and removes their persistence, including cron jobs, init scripts, system services, and shell profile entries. During one campaign, the botnet targeted a Japanese technology company while the command-and-control source IP resolved to a device in Germany, highlighting the cross-border, decentralized nature of modern IoT threats and underscoring the value of WHOIS and infrastructure lookups when investigating suspicious command-and-control sources.