| Goldoon | |
|---|---|
| Type of Malware | Botnet |
| Date of initial activity | April 2024 |
| Motivation | Trend Micro said it observed the routers being used for different purposes, such as Secure Shell (SSH) brute forcing, pharmaceutical spam, employing server message block (SMB) reflectors in NTLMv2 hash relay attacks, proxying stolen credentials on phishing sites, multi-purpose proxying, cryptocurrency mining, and sending spear phishing emails. |
| Attack Vectors | Exploitation of CVE-2015-2051 |
| Tools | BAT/Agent.G!tr.dldr |
| Targeted System | Linux |
Overview
Researchers at cybersecurity firm Fortinet have identified a new botnet, named Goldoon, that exploits a long-standing vulnerability in unpatched D-Link routers. The flaw, tracked as CVE-2015-2051, has low attack complexity yet is rated critical because it allows remote code execution on affected hardware, according to Fortinet's report.
“Once attackers successfully exploit this vulnerability, they can enlist compromised devices into their botnet for launching subsequent attacks,” Fortinet stated. The botnet takes its name from a component known as goldoon.server found within the spreading malware.
Goldoon is capable of gathering intelligence about the targeted systems and is employed by hackers to orchestrate distributed denial-of-service (DDoS) attacks, a typical function of botnets.
The vulnerability in D-Link routers was addressed through a firmware update released in the first half of 2015. However, the persistence of unpatched D-Link hardware has recently attracted scrutiny from researchers and the U.S. Cybersecurity and Infrastructure Security Agency (CISA). In April, the agency highlighted ongoing exploits targeting older D-Link devices by threat actors.
Targets
D-Link routers with a nearly decade-old critical security flaw (CVE-2015-2051)
How they operate
The infection chain begins with exploitation of CVE-2015-2051 to retrieve a dropper script from a remote server. The dropper is responsible for downloading the next-stage payload, which is built for a wide range of Linux architectures: aarch64, arm, i686, m68k, mips64, mipsel, powerpc, s390x, sparc64, x86-64, sh4, riscv64, DEC Alpha, and PA-RISC.
Once launched on the compromised device, the payload acts as a downloader that fetches the Goldoon malware from a remote endpoint. The dropper then removes the executed file and deletes itself to cover its tracks and evade detection.
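The multi-architecture fetch described above is a useful network-side indicator: a single router pulling several architecture-named binaries from the same external host within seconds is rarely legitimate. The following detection logic is an added example written for this page, not code from Fortinet's report or from the malware; it assumes a simple constructed proxy-log format (`<timestamp> <src_ip> GET <url>`) and a constructed set of sample lines, and the 60-second window and three-architecture threshold are tuning assumptions, not values from the report.

```python
"""Flag hosts that fetch payloads for several CPU architectures from one server."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Architecture names the report lists for the dropper's next-stage payloads.
# "alpha" and "parisc" are assumed spellings for DEC Alpha and PA-RISC.
ARCH_TOKENS = {
    "aarch64", "arm", "i686", "m68k", "mips64", "mipsel", "powerpc", "s390x",
    "sparc64", "x86-64", "sh4", "riscv64", "alpha", "parisc",
}

# Constructed sample log lines (not real telemetry). The payload host and
# file names are placeholders chosen for the example.
SAMPLE_LOG = """\
2024-04-10T08:00:01Z 192.168.1.1 GET http://198.51.100.7/bins/payload.aarch64
2024-04-10T08:00:02Z 192.168.1.1 GET http://198.51.100.7/bins/payload.arm
2024-04-10T08:00:02Z 192.168.1.1 GET http://198.51.100.7/bins/payload.mipsel
2024-04-10T08:00:03Z 192.168.1.1 GET http://198.51.100.7/bins/payload.x86-64
2024-04-10T08:05:00Z 192.168.1.20 GET http://cdn.example.net/app/update.arm
2024-04-10T09:30:00Z 192.168.1.1 GET http://198.51.100.7/bins/payload.sh4
"""

# Assumed log layout: ISO-8601 timestamp, source IP, method, full URL.
LINE_RE = re.compile(r"^(\S+) (\S+) GET https?://([^/\s]+)(/\S*)$")


def arch_of(path):
    """Return the architecture token embedded in the last path segment, if any."""
    name = path.rsplit("/", 1)[-1].lower()
    for token in name.split("."):
        if token in ARCH_TOKENS:
            return token
    return None


def parse_line(line):
    """Parse one log line into an event dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, host, path = m.groups()
    return {
        "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "src": src,
        "host": host,
        "arch": arch_of(path),
    }


def detect_fanout(lines, window=timedelta(seconds=60), min_archs=3):
    """Alert when one source fetches >= min_archs distinct architecture
    payloads from the same host inside a sliding time window."""
    groups = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["arch"]:
            groups[(ev["src"], ev["host"])].append(ev)

    alerts = []
    for (src, host), events in groups.items():
        events.sort(key=lambda e: e["time"])
        best = set()
        # Slide the window start over every event; keep the largest arch set.
        for i, start in enumerate(events):
            seen = {e["arch"] for e in events[i:]
                    if e["time"] - start["time"] <= window}
            if len(seen) > len(best):
                best = seen
        if len(best) >= min_archs:
            alerts.append({
                "src": src,
                "host": host,
                "archs": sorted(best),
                "first_seen": events[0]["time"].isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_fanout(SAMPLE_LOG.splitlines()):
        print(f"multi-arch fetch: {alert['src']} -> {alert['host']} "
              f"archs={alert['archs']} first_seen={alert['first_seen']}")
```

On the sample data the router at 192.168.1.1 is flagged for fetching four architecture variants from one host within two seconds, while the workstation that downloads a single `.arm` file is not. In production the same grouping can be fed from proxy, DNS, or NetFlow-derived URL logs, and the alert is a good trigger for checking the router's firmware version against the CVE-2015-2051 fix.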
Direct access to the endpoint via a web browser triggers an error message: “Sorry, you are an FBI Agent & we can’t help you 🙁 Go away or I will kill you :)”
Goldoon establishes persistence on the host using various autorun methods and communicates with a command-and-control (C2) server to receive instructions for subsequent actions. These include “27 different methods” for launching DDoS flood attacks over the DNS, HTTP, ICMP, TCP, and UDP protocols.