Cybersecurity researchers are sounding the alarm about a new malware campaign dubbed RondoDox, which is targeting critical vulnerabilities in TBK digital video recorders (DVRs) and Four-Faith routers. The specific flaws exploited include CVE-2024-3721 in TBK DVRs (models DVR-4104 and DVR-4216) and CVE-2024-12856 in Four-Faith routers (models F3x24 and F3x36). These devices are often found in vulnerable settings like retail stores and small offices, where they may remain unmonitored and exposed to the internet for extended periods, making them prime targets for exploitation. It’s important to note that these particular security defects have been repeatedly leveraged by threat actors in the past to deploy different variants of the well-known Mirai botnet, highlighting the ongoing risk they pose.
What makes RondoDox particularly concerning is its sophisticated approach to leveraging compromised devices. Unlike typical botnets that use infected nodes solely for direct attacks, RondoDox repurposes these devices as stealth proxies. This allows attackers to mask their command-and-control (C2) traffic, execute multi-layered scams, and amplify DDoS-for-hire campaigns that blend financial fraud with infrastructure disruption. This innovative tactic enables the botnet to fly under the radar, making it harder for security teams to detect and mitigate its activities.
The deployment of RondoDox begins with an initial distribution targeting Linux-based operating systems on ARM and MIPS architectures.
This then evolves into a more versatile shell script downloader capable of infecting a broader range of Linux architectures, including Intel 80386, x86-64, and AArch64. Once executed, the shell script implements several anti-analysis and persistence mechanisms: it ignores common termination signals, checks for writable paths to ensure successful deployment, and clears command execution history to hide its traces. The botnet payload then establishes persistence to automatically relaunch after a system reboot, ensuring long-term access for the attackers.
Furthermore, RondoDox is designed to maintain operational stealth by actively scanning for and terminating processes related to network utilities (like wget and curl), system analysis tools (such as Wireshark and gdb), and even other malware variants like cryptominers. This aggressive behavior prevents competition for resources and helps the botnet remain undetected. In a more disruptive move, it renames legitimate Linux executables (like iptables, ufw, and passwd) with random characters, which can severely hinder recovery efforts for affected systems.
Upon successful setup, the malware connects to an external server to receive commands, primarily to launch distributed denial-of-service (DDoS) attacks using HTTP, UDP, and TCP protocols.
To further evade detection, RondoDox mimics traffic from popular gaming platforms and applications like Valve, Minecraft, Roblox, and Discord, as well as VPN services such as OpenVPN and WireGuard. This traffic impersonation strategy allows the malicious activity to blend in with legitimate network traffic, making it extremely challenging for security systems to identify and block. This sophisticated malware represents a growing trend in botnet design, leveraging advanced evasion techniques and exploiting poor IoT security practices.
Reference:
