A new variant of the Gafgyt botnet called C0XMO is targeting DD-WRT router firmware and can move to other device types with various CPU architectures.

The researchers found samples for ARM, MIPS, PowerPC, SuperH, x86, x86_64, and other architectures, featuring exploits for DVRs, routers, video management platforms, and Android-based devices.

The botnet was seen targeting a Japanese technology company, but researchers discovered that the source IP address belonged to a device located in Germany.

Fortinet researchers discovered C0XMO and highlighted its modular design, which allows operators to update its exploitation techniques, add/remove targeted architectures, and expand its lateral movement capabilities independently of the main payload.

Fundamentally, C0XMO remains malware for launching distributed denial-of-service (DDoS) attacks. It supports 19 attack methods, including UDP/TCP/SYN/ICMP floods, “ping of death,” NTP/Memcached amplification, Discord voice UDP floods, and Valve-specific floods.