COXMO Botnet Variant: New Advanced Threat Exploits Router Firmware

Security researchers recently uncovered a dangerous new threat targeting internet-connected infrastructure across the globe. Malware analysts discovered a novel COXMO botnet variant circulating actively within the threat landscape. This malicious software stems from a notorious family of distributed denial-of-service threats. However, this updated iteration introduces modular tactics that increase its propagation speed dramatically. Consequently, network administrators must assess their local edge devices immediately to prevent unauthorized infiltration.

The Infiltration Path

According to a recent Gafgyt malware analysis, the threat actors achieve initial access by targeting older software vulnerabilities. For example, the campaign frequently exploits an established stack buffer overflow flaw found in common router firmware. This specific vulnerability is tracked globally as CVE-2021-27137. As detailed in the official FortiGuard Labs threat documentation:

“The vulnerability occurs when the SSDP parser mishandles oversized ST:uuid: values in specially crafted M-SEARCH requests sent via UDP port 1900.”

Furthermore, once the attack succeeds, the compromised host downloads a payload compiled for the system’s exact CPU architecture. Therefore, the malware can smoothly infect a massive variety of smart appliances and network equipment.

Achieving Long-Term Persistence on Compromised Hosts

Once the payload executes, it immediately sets up deep persistence mechanisms to survive system reboots. Initially, the binary checks its own execution path through internal system directories. Next, it generates multiple hidden files across temporary storage areas like /tmp/.sys and /dev/shm/.sys. To maintain continuous operational control, the malware configures a series of automated cron tasks. Specifically, the code schedules these local cron jobs to run every 15 minutes without user interaction. Additionally, the virus appends execution commands directly to several shell profile files, such as .bashrc and .profile. Thus, the COXMO botnet variant successfully establishes an exceptionally durable foothold inside the operating system.

Hunting and Eliminating Rival Botnets

After establishing its primary foothold, the malware actively eliminates competing threats from the compromised system. To accomplish this, the program scans all running processes inside the native /proc directory. It then compares every active process name against a heavily customized internal blocklist. This blocklisting approach allows the threat to wipe out rival software strains cleanly. As highlighted in the technical brief:

“It not only deletes rival malware binaries but also tries to remove associated persistence mechanisms such as cron jobs, rc.local, init.d services, system services, and shell profile scripts.”

Consequently, the virus secures absolute control over the device’s computing resources.

Secure Command Handshakes and Distributed Attacks

Once the local environment is completely secured, the bot establishes an outbound network connection to its command server. To verify its identity, the software executes a complex, multi-phase cryptographic handshake. This transaction requires the transmission of specific hard-coded secrets and hexadecimal magic strings. Following a successful greeting exchange, the endpoint running the COXMO botnet variant enters an interactive tasking loop to await instruction.

Furthermore, the centralized server can coordinate massive distributed denial-of-service attacks using 19 distinct flood methods. These aggressive capabilities include UDP bypass floods, TCP floods, and advanced protocol amplification tactics. Alternatively, the operators can launch highly disruptive application-layer attacks like HTTP request storms. Therefore, a cluster of infected devices can easily overwhelm target corporate web resources.

The Independent Script-Based Lateral Movement

Unlike traditional malicious software platforms, this threat separates its scanning capabilities from the primary core binary. Instead, the application fetches an independent Python script from its hosting infrastructure to manage lateral movement. This automated scanning module installs several external network packages to process outbound web requests efficiently. Next, the script initiates multi-threaded background scanning routines across randomized public IP addresses.

Moreover, the module deploys a broad suite of dangerous exploits to compromise secondary endpoints. These targets include vulnerable routers, database platforms, and exposed Android Debug Bridge interfaces. The official report emphasizes the significance of this design:

“The distinction between its scanning and propagation parts underscores an evolution towards more adaptable and scalable botnet deployment strategies.”

Consequently, organizations must enforce robust credential policies and continuously patch their outward-facing firmware to defeat this advanced threat.