“Goldoon” Botnet Exploits Unpatched D-Link Devices

Security researchers at FortiGuard Labs have uncovered a new botnet campaign. Dubbed “Goldoon,” this botnet is ruthlessly exploiting a nearly decade-old vulnerability in D-Link devices to commandeer them for malicious activities, primarily Distributed Denial-of-Service (DDoS) attacks.

The CVE-2015-2051 vulnerability affects the Home Network Administration Protocol (HNAP) interface of D-Link devices, allowing attackers to send a GetDeviceSettings action packed with malicious commands. Despite being discovered back in 2015, this vulnerability has resurfaced as the gateway for the Goldoon botnet to breach network devices.

The attack begins with the exploitation of CVE-2015-2051 to deploy a “dropper” script from a malicious server. This script is designed to be self-erasing to avoid detection and is capable of operating across a wide range of system architectures. Once the device is compromised, the dropper downloads and executes a file, setting the stage for further malicious activities.

Once established, the Goldoon malware engages in several alarming behaviors:

• Initial Setup: It initializes necessary configurations for network communication and sets up autorun capabilities to ensure persistence on the infected device.
• C2 Communication: The malware establishes a robust connection with a command and control (C2) server, enabling the attackers to send commands and control the compromised devices remotely.
• Attack Launch: The botnet is capable of initiating a variety of distributed denial-of-service (DDoS) attacks, utilizing methods such as TCP flooding, ICMP flooding, and more specialized attacks like Minecraft DDoS, affecting both individual targets and larger networks.

Goldoon uses multiple autorun methods to ensure it remains active on infected devices. These methods include modifications to boot execution scripts, daemon creation, and logon scripts, demonstrating the malware’s sophisticated design to maintain persistence and evade removal.

Attack Methods

The botnet’s versatility is further showcased by its extensive array of attack techniques, encompassing 27 different methods. These include various flooding attacks over ICMP, TCP, UDP, and DNS protocols, alongside more nuanced techniques aimed at specific applications or services.

The rise of the Goldoon botnet starkly demonstrates that old, unpatched vulnerabilities remain highly dangerous. It’s critical to update your D-Link devices as soon as possible. Additionally, consider:

• Network Monitoring: Implement network monitoring solutions to detect anomalous traffic, which could signal an active infection.
• Strong Firewall Rules: Limit exposure of devices like D-Link routers to the internet unless absolutely necessary.
• Stay Informed: Keep up-to-date with the latest security bulletins and patches to stay ahead of evolving threats.