New "Goldoon" Botnet Targets D-Link Routers With Decade-Old Flaw

A newly discovered botnet named Goldoon has emerged, specifically targeting D-Link routers by exploiting a critical security flaw known as CVE-2015-2051. This flaw, with a high CVSS score of 9.8, impacts D-Link DIR-645 routers, allowing malicious actors to execute arbitrary commands remotely via specially crafted HTTP requests. Fortinet FortiGuard Labs researchers, Cara Lin and Vincent Li, have highlighted the severity of this vulnerability, emphasizing that if a D-Link router is compromised, attackers can gain complete control over the device. This control enables them to extract sensitive system information, establish communication channels with a command-and-control server, and utilize these compromised routers to launch further malicious activities, including distributed denial-of-service attacks.

Telemetry data from a prominent network security company indicates a noticeable surge in Goldoon botnet activity around April 9, 2024. The attack typically starts with the exploitation of CVE-2015-2051, wherein a dropper script is retrieved from a remote server. This script is responsible for downloading the Goldoon malware onto various Linux system architectures, such as aarch64, arm, i686, m68k, mips64, mipsel, powerpc, s390x, sparc64, x86-64, sh4, riscv64, DEC Alpha, and PA-RISC. Once the payload is executed on the compromised router, it acts as a downloader for the Goldoon malware from another remote endpoint.

Interestingly, the Goldoon dropper script removes the executed file and then deletes itself, a tactic employed to cover up its tracks and evade detection. If someone attempts to access the endpoint directly through a web browser, they are greeted with an error message meant to deter investigation. In addition to setting up persistence on the compromised routers through various autorun methods, Goldoon establishes contact with a C2 server to await further instructions. The botnet is capable of employing an impressive arsenal of 27 different methods to execute DDoS flood attacks, utilizing protocols like DNS, HTTP, ICMP, TCP, and UDP.

Security Officer Comments:
Trend Micro's analysis indicates that cybercriminals not only exploit compromised routers for their own activities but also rent them out to other criminals and potentially make them available for commercial residential proxy services. These routers, particularly Ubiquiti EdgeRouters, are utilized for a wide range of malicious purposes, including SSH brute forcing, pharmaceutical spam, NTLMv2 hash relay attacks, proxying stolen credentials, cryptocurrency mining, spear phishing, and more. Moreover, another threat actor has been observed infecting Ubiquiti routers with malware named Ngioweb, turning them into exit nodes for a commercially available residential proxy botnet. Overall, routers remain highly attractive targets for threat actors due to factors such as reduced security monitoring, lax password policies, infrequent updates, and powerful operating systems capable of running various types of malware.

Suggested Corrections:
Users should be wary of IoT devices that lack traditional security features. Many IoT devices do not have multi-factor authentication or even the ability to change default usernames and passwords. Cybercriminals will continue to target the ever-growing IoT device market.

If IoT devices must be used, users should consider segmenting them from sensitive networks.

Once a device has been compromised by a botnet, users may notice slow or sluggish systems and/or unusual traffic on the network.
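Two of the behaviours described above leave a visible mark in network flow records even when the router itself cannot be inspected: the router originating its own outbound HTTP fetches and C2 contact (the dropper and download stages), and the flood traffic a recruited bot sends in bursts of small packets toward many destinations. The script below is an added example, not code from the article or from Fortinet; it triages exported flow records for a watched device against a small outbound allow-list and a volumetric-flood heuristic. All addresses, the allow-list and the thresholds are constructed placeholders, and the sample flows are constructed inline.

```python
"""Flow-log triage for a router or IoT device suspected of botnet activity.

Added example, not code from the article or from Fortinet. It looks for the two
symptoms the advisory describes: outbound connections the device has no business
originating (a dropper fetch, C2 contact) and flood-shaped bursts of tiny packets
toward many destinations. Hosts, addresses and thresholds are placeholders.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float      # seconds since start of capture
    src: str
    dst: str
    proto: str     # "tcp", "udp" or "icmp"
    dport: int     # 0 for icmp
    packets: int
    nbytes: int


# Placeholder: the consumer router / IoT device being watched.
WATCHED_HOSTS = {"192.0.2.1"}

# Assumed allow-list of the only outbound flows such a device should originate:
# (proto, dport, destination). Anything else the device starts is worth a look.
ALLOWED_OUTBOUND = {
    ("udp", 53, "203.0.113.53"),    # placeholder local resolver
    ("udp", 123, "203.0.113.123"),  # placeholder NTP server
}

# Flood heuristic: many flows, many destinations, tiny packets, in one short window.
FLOOD_WINDOW_SEC = 10
FLOOD_MIN_FLOWS = 50
FLOOD_MIN_UNIQUE_DST = 20
FLOOD_MAX_AVG_BYTES_PER_PKT = 120


@dataclass(frozen=True)
class FloodAlert:
    src: str
    window_start: int
    flows: int
    unique_dst: int
    avg_bytes_per_pkt: float
    protos: tuple[str, ...]


def unexpected_outbound(flows: list[Flow]) -> list[tuple[str, str, int]]:
    """Distinct (dst, proto, dport) a watched device originated outside the allow-list."""
    seen = set()
    for f in flows:
        if f.src not in WATCHED_HOSTS:
            continue  # inbound or third-party traffic is not the question here
        if (f.proto, f.dport, f.dst) in ALLOWED_OUTBOUND:
            continue
        seen.add((f.dst, f.proto, f.dport))
    return sorted(seen)


def flood_windows(flows: list[Flow]) -> list[FloodAlert]:
    """Flag (src, time window) pairs whose outbound traffic looks like a volumetric flood."""
    buckets: dict[tuple[str, int], list[Flow]] = defaultdict(list)
    for f in flows:
        if f.src in WATCHED_HOSTS:
            buckets[(f.src, int(f.ts // FLOOD_WINDOW_SEC))].append(f)

    alerts = []
    for (src, window), group in sorted(buckets.items()):
        total_pkts = sum(f.packets for f in group)
        avg = sum(f.nbytes for f in group) / total_pkts if total_pkts else 0.0
        dsts = {f.dst for f in group}
        if (len(group) >= FLOOD_MIN_FLOWS
                and len(dsts) >= FLOOD_MIN_UNIQUE_DST
                and avg <= FLOOD_MAX_AVG_BYTES_PER_PKT):
            alerts.append(FloodAlert(src, window * FLOOD_WINDOW_SEC, len(group),
                                     len(dsts), avg,
                                     tuple(sorted({f.proto for f in group}))))
    return alerts


def constructed_flows() -> list[Flow]:
    """Constructed sample: 10 s of normal DNS/NTP, one HTTP fetch from outside, then a UDP flood."""
    flows = []
    for t in range(10):
        flows.append(Flow(t, "192.0.2.1", "203.0.113.53", "udp", 53, 2, 180))
        flows.append(Flow(t, "192.0.2.1", "203.0.113.123", "udp", 123, 2, 152))
    # Inbound admin session: not originated by the router, so ignored.
    flows.append(Flow(5, "192.0.2.50", "192.0.2.1", "tcp", 443, 30, 9000))
    # The router itself pulling a file over HTTP from an outside host (placeholder address).
    flows.append(Flow(30, "192.0.2.1", "198.51.100.10", "tcp", 80, 45, 58000))
    # 60 flows in six seconds, 30 distinct targets, 60-byte packets: flood-shaped.
    for i in range(60):
        flows.append(Flow(100 + i * 0.1, "192.0.2.1", f"198.51.100.{20 + i % 30}",
                          "udp", 53, 200, 12000))
    return flows


if __name__ == "__main__":
    sample = constructed_flows()
    for dst, proto, dport in unexpected_outbound(sample):
        print(f"unexpected outbound: {proto}/{dport} -> {dst}")
    for a in flood_windows(sample):
        print(f"flood-like: {a.src} t={a.window_start}s flows={a.flows} "
              f"dsts={a.unique_dst} avg={a.avg_bytes_per_pkt:.0f} B/pkt protos={a.protos}")
```

The allow-list approach is what makes segmentation pay off: once a router or IoT device sits on its own segment, the set of flows it legitimately originates is small enough to enumerate, and anything outside it (an HTTP fetch to an unfamiliar host, periodic contact with one external address) stands out without signatures. The flood heuristic is deliberately coarse; tune the window and thresholds to the device's normal traffic before alerting on it.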