Inside the Cross-Platform Propagation of a New Gafgyt Variant C0XMO

June 4, 2026, 9:39 a.m.

Description

A new Gafgyt botnet variant named C0XMO has been discovered that spreads by exploiting a stack buffer overflow vulnerability in DD-WRT router firmware. Unlike earlier versions, this malware separates its lateral-movement capability into a standalone Python script, which lets it target a range of system architectures, including ARM, MIPS, PowerPC, and x86, more efficiently. The malware establishes persistence through cron jobs and shell profile modifications, kills competing botnets, and supports 19 different DDoS attack methods. Its scanner component performs weak-credential brute-force attacks against Telnet and SSH services, exploits multiple HTTP-based vulnerabilities, and abuses unauthenticated Android Debug Bridge access. The malware connects to command-and-control infrastructure and shows a considerably more sophisticated architecture than traditional IoT botnets.

Date

  • Created: June 3, 2026, 10:14 p.m.
  • Published: June 3, 2026, 10:14 p.m.
  • Modified: June 4, 2026, 9:39 a.m.

Indicators


Additional Information

  • Technology
  • Japan

Linked vulnerabilities