URL: https://www.fortinet.com/blog/threat-research/new-goldoon-botnet-targeting-d-link-devices

FortiGuard Labs Threat Research


NEW “GOLDOON” BOTNET TARGETING D-LINK DEVICES

By Cara Lin and Vincent Li | May 01, 2024

Affected Platforms: D-Link DIR-645 Wired/Wireless Router Rev. Ax with firmware
1.04b12 and earlier
Impacted Users: Any organization
Impact: Remote attackers gain control of the vulnerable systems
Severity Level: High

In April, FortiGuard Labs observed a new botnet targeting a D-Link vulnerability
from nearly a decade ago, CVE-2015-2051. This vulnerability allows remote
attackers to execute arbitrary commands via a GetDeviceSettings action on the
HNAP interface. As a result, an attacker can create a crafted HTTP request with
a malicious command embedded in the header.
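One way a defender can pick such requests out of proxy or IDS captures is to check whether the SOAPAction header carries exactly one well-formed HNAP action and nothing else. The Python below is an added example, not Fortinet's signature or code; it assumes the HNAP endpoint sits under /HNAP1 and that a legitimate action value is the namespace http://purenetworks.com/HNAP1/ followed by a single action name, and its sample requests are constructed rather than captured.

```python
"""Triage HTTP requests to a D-Link HNAP endpoint for malformed SOAPAction
headers, the observable behind CVE-2015-2051 attempts.

Added example; not Fortinet's signature or code. Assumptions: the HNAP
service lives under /HNAP1 and a legitimate SOAPAction value is the namespace
"http://purenetworks.com/HNAP1/" followed by a single action name (both are
assumptions about HNAP, not statements from the post). The sample requests
at the bottom are constructed, not captured traffic.
"""
import re
from typing import Dict, List, Optional, Sequence, Tuple

HNAP_NAMESPACE = "http://purenetworks.com/HNAP1/"   # assumed HNAP namespace

# A well-formed action URN: optional quotes, the namespace, one action name
# consisting of letters only, and nothing after it.
WELL_FORMED_ACTION = re.compile(
    r'^"?' + re.escape(HNAP_NAMESPACE) + r'[A-Za-z]+"?$'
)

Request = Tuple[str, str, Dict[str, str]]   # (method, path, headers)


def classify_hnap_request(method: str, path: str, headers: Dict[str, str]) -> str:
    """Return a verdict for one request.

    "not-hnap"              path is not under /HNAP1
    "hnap-missing-action"   HNAP request without a SOAPAction header
    "hnap-ok"               SOAPAction is exactly one well-formed action URN
    "hnap-malformed-action" SOAPAction carries anything beyond a single action
                            name; this is what an exploit attempt looks like
                            from the server's side, whatever the payload is
    """
    if not path.startswith("/HNAP1"):
        return "not-hnap"
    # HTTP header names are case-insensitive, so normalise before lookup.
    lowered = {name.lower(): value for name, value in headers.items()}
    action: Optional[str] = lowered.get("soapaction")
    if action is None:
        return "hnap-missing-action"
    if WELL_FORMED_ACTION.match(action):
        return "hnap-ok"
    return "hnap-malformed-action"


def triage(requests: Sequence[Request]) -> List[str]:
    """Classify a batch of requests, e.g. replayed from a proxy or IDS log."""
    return [classify_hnap_request(m, p, h) for m, p, h in requests]


# Constructed sample requests (not captured traffic).
SAMPLE_REQUESTS: List[Request] = [
    ("POST", "/HNAP1/", {"SOAPAction": '"http://purenetworks.com/HNAP1/GetDeviceSettings"'}),
    # Extra data after the action name is the anomaly worth alerting on.
    ("POST", "/HNAP1/", {"SOAPAction": '"http://purenetworks.com/HNAP1/GetDeviceSettings/<placeholder-extra-data>"'}),
    ("GET", "/HNAP1/", {}),
    ("GET", "/index.html", {}),
]

if __name__ == "__main__":
    for req, verdict in zip(SAMPLE_REQUESTS, triage(SAMPLE_REQUESTS)):
        print(f"{req[0]} {req[1]} -> {verdict}")
```

The rule deliberately ignores what the extra data is: any SOAPAction value that is not a single action name is already outside the protocol's shape, so the check stays useful even if the payload changes.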

Our IPS signature captured attempts to exploit the CVE-2015-2051 vulnerability
to propagate a new botnet that we have named “Goldoon.” Figure 1 shows the
attack packet. If a targeted device is compromised, attackers can gain complete
control, enabling them to extract system information, establish communication
with a C2 server, and then use these devices to launch further attacks, such as
distributed denial-of-service (DDoS). Our telemetry data also indicates that
this botnet activity spiked in April, almost doubling the usual frequency.

In this article, we will provide detailed insights into the propagation and
actions of the Goldoon botnet.


Figure 1: CVE-2015-2051 payload

Figure 2: IPS signature telemetry

DROPPER

The attackers first exploit CVE-2015-2051 to download a script file named
“dropper” from “hxxp://94[.]228[.]168[.]60:8080.” The script automatically
downloads, executes, and cleans up payloads for a range of Linux
architectures: aarch64, arm, i686, m68k, mips64, mipsel, powerpc, s390x,
sparc64, x86-64, sh4, riscv64, DEC Alpha, and PA-RISC. Each downloaded file,
named “goldoon,” is executed immediately after download and a permission
change. After execution, the script removes the executed file and then deletes
itself to erase any trace of its activity, improving its stealth.


Figure 3: Script file "dropper"


DOWNLOADER

The primary role of “i686-linux-gnu,” the file the dropper downloads, is to
fetch the botnet binary. It first uses the XOR key “YesItsAnAntiHoneypotBaby”
to decode two obfuscated strings, “linux” and “i686-linux-gnu.” It then appends
the decoded strings to “/bins” to construct the full Uniform Resource
Identifier (URI) and requests the final payload with a hard-coded header,
“User-Agent: FBI-Agent (Checking You).”
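Decoding XOR-obfuscated strings with a repeating key is a routine step when analysing a downloader like this one. The Python below is an added example, not code from the post or from the malware: the key and the plaintexts are those reported above, the ciphertext bytes are constructed from them, the order in which the pieces are joined onto /bins is an assumption, and the known-plaintext key recovery goes beyond what the post describes.

```python
"""Decode XOR-obfuscated strings with a repeating key and rebuild the path.

Added example; not code from the post or from the malware. The key
"YesItsAnAntiHoneypotBaby", the plaintexts "linux" and "i686-linux-gnu" and
the base path "/bins" are reported in the post. The ciphertext bytes below
are constructed here (the plaintexts XORed with that key) so the decoder has
realistic input; how the downloader joins the pieces onto "/bins" is assumed.
"""
from itertools import cycle
from typing import Iterable, List

XOR_KEY = b"YesItsAnAntiHoneypotBaby"   # 24-byte key reported in the analysis

# Constructed ciphertexts: b"linux" and b"i686-linux-gnu" XORed with XOR_KEY.
ENCODED_STRINGS = [
    bytes.fromhex("350c1d3c0c"),
    bytes.fromhex("30534b7f591f28003416590e261a"),
]


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR data with key, cycling the key for inputs longer than the key.

    XOR is its own inverse, so one routine both obfuscates and decodes.
    """
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def decode_strings(blobs: Iterable[bytes], key: bytes = XOR_KEY) -> List[str]:
    """Decode each obfuscated blob to text. A UnicodeDecodeError here is a
    quick signal that the key or the key offset is wrong."""
    return [xor_repeating(blob, key).decode("ascii") for blob in blobs]


def recover_key_prefix(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """Known-plaintext key recovery: when the analyst already knows (or can
    guess) the decoded string, XORing it with the ciphertext yields the key
    bytes at those positions. This goes beyond the post, which reports the
    key directly."""
    return bytes(c ^ p for c, p in zip(ciphertext, known_plaintext))


def build_download_uri(base_path: str, parts: Iterable[str]) -> str:
    """Join the decoded components onto the base path. The joining order and
    separator are assumptions; the post only says the strings are attached
    to "/bins"."""
    return "/".join([base_path.rstrip("/")] + [p.strip("/") for p in parts])


def recover_uri() -> str:
    """Decode the constructed blobs and rebuild the requested path."""
    return build_download_uri("/bins", decode_strings(ENCODED_STRINGS))


if __name__ == "__main__":
    print(decode_strings(ENCODED_STRINGS))
    print(recover_uri())
    print(recover_key_prefix(ENCODED_STRINGS[1], b"i686-linux-gnu"))
```

Because neither string is longer than the 24-byte key, the key never wraps for these two samples; the cycling matters for longer obfuscated strings, which is why xor_repeating handles it anyway.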


Figure 4: XOR function and key for decoding URI

Figure 5: Hard-coded header

Figure 6: Packet capture for downloading Goldoon

Any attempt to open the targeted URI using a web browser will lead to the error
message shown in Figure 7.


Figure 7: Error message

Finally, it iterates through a set of paths, modifying each file it can write to
and then deleting those files after modification. This is another cleanup
mechanism to cover its tracks in a compromised system.


Figure 8: Erase trace


GOLDOON

Through analyzing the malware, we found that it has the following behaviors:

 * Initializes required arguments
 * Sets autorun to persist in the victim device
 * Establishes a persistent connection with its Command and Control (aka, C2)
   server
 * Waits for commands from the C2 server to launch related behaviors

Goldoon first initializes the arguments it needs to establish a connection.
For example, it uses “WolfSSL” for traffic encryption and sets the Google DNS
servers (“8.8.8.8” and “8.8.4.4”) as its resolvers. This groundwork lets the
malware proceed with the rest of its attack.


Figure 9: Initialize DNS Server


AUTORUN METHODS

There are ten different autorun methods, each intended to execute the malware
while the victim’s computer is starting up. We classify them into three types:
Boot Execution, Daemon, and Logon Execution.

The malware can execute itself through Linux boot initialization files or
facilities such as “/etc/rc.local” and “crontab.”


Figure 10: Boot Execution with Crontab

Alternatively, it can install itself as a daemon named “goldoon.server” and
enable that service so it persists on the victim’s computer.


Figure 11: Daemon by the Name of "goldoon.server"

In addition, the malware can also execute automatically as soon as the victim
logs on to the compromised device.

Autorun Type       Autorun Method
Boot Execution     /etc/rc.local
                   /etc/init.d/startup_script
                   /etc/init.d/S99startup
                   crontab
                   /etc/profile
Daemon             /etc/systemd/system/goldoon.service
                   /etc/inittab
Logon Execution    ~/.bashrc
                   ~/.config/autostart/goldoon.desktop
                   /etc/xdg/autostart/goldoon.desktop

Table 1: Autorun Method
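To check a host or a mounted filesystem image for these persistence locations, the Python below walks the paths in Table 1 and reports any file that is named after the marker or contains it. It is an added example, not Fortinet's tooling; the crontab locations it checks (/etc/crontab, /etc/cron.d, /var/spool/cron/crontabs) are assumed, since the table only says “crontab,” and the sample tree it writes is constructed for the demonstration.

```python
"""Audit a Linux filesystem for the autorun locations listed in Table 1.

Added example; not Fortinet's tooling. The file paths are Table 1's. Because
the table only says "crontab", the locations /etc/crontab, /etc/cron.d and
/var/spool/cron/crontabs are assumed. The audit takes a root directory so it
can run against a mounted image or extracted firmware as well as "/". The
sample tree written by build_sample_tree() is constructed for this example.
"""
import tempfile
from pathlib import Path
from typing import Iterator, List, Tuple

AUTORUN_PATHS = {                       # Table 1, system-wide entries
    "Boot Execution": [
        "etc/rc.local",
        "etc/init.d/startup_script",
        "etc/init.d/S99startup",
        "etc/crontab",                 # assumed location for "crontab"
        "etc/profile",
    ],
    "Daemon": [
        "etc/systemd/system/goldoon.service",
        "etc/inittab",
    ],
    "Logon Execution": [
        "etc/xdg/autostart/goldoon.desktop",
    ],
}
USER_RELATIVE_PATHS = [".bashrc", ".config/autostart/goldoon.desktop"]  # Table 1, per user
CRON_DIRS = ["etc/cron.d", "var/spool/cron/crontabs"]                   # assumed

Hit = Tuple[str, str]   # (autorun type, path relative to root)


def candidate_files(root: Path) -> Iterator[Tuple[str, Path]]:
    """Yield every file the audit should look at, with its autorun type."""
    for category, rels in AUTORUN_PATHS.items():
        for rel in rels:
            yield category, root / rel
    for d in CRON_DIRS:
        cron_dir = root / d
        if cron_dir.is_dir():
            for f in cron_dir.iterdir():
                if f.is_file():
                    yield "Boot Execution", f
    homes = [root / "root", *sorted((root / "home").glob("*"))]
    for home in homes:
        for rel in USER_RELATIVE_PATHS:
            yield "Logon Execution", home / rel


def audit_autorun(root: str, marker: str = "goldoon") -> List[Hit]:
    """Return hits for files that exist and are either named after the marker
    (the service/desktop files in Table 1) or contain it."""
    base = Path(root)
    hits: List[Hit] = []
    for category, path in candidate_files(base):
        if not path.is_file():
            continue
        rel = path.relative_to(base).as_posix()
        if marker in path.name:
            hits.append((category, rel))
            continue
        try:
            text = path.read_text(errors="replace")
        except OSError:               # unreadable file: skip, don't abort
            continue
        if marker in text:
            hits.append((category, rel))
    return sorted(hits)


def build_sample_tree(base: Path) -> None:
    """Write a constructed snapshot: one tampered boot file, one malware-named
    service unit, one tampered and one clean user shell profile, one clean
    system profile. Paths inside the files are placeholders."""
    files = {
        "etc/rc.local": "#!/bin/sh\n/opt/placeholder/goldoon &\nexit 0\n",
        "etc/profile": "export PATH=/usr/bin:/bin\n",
        "etc/systemd/system/goldoon.service": "[Service]\nExecStart=/opt/placeholder/goldoon\n",
        "home/alice/.bashrc": "alias ll='ls -l'\n/opt/placeholder/goldoon &\n",
        "home/bob/.bashrc": "alias ll='ls -l'\n",
    }
    for rel, content in files.items():
        target = base / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content)


def run_demo() -> List[Hit]:
    """Build the constructed tree in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(Path(tmp))
        return audit_autorun(tmp)


if __name__ == "__main__":
    for category, rel in run_demo():
        print(f"{category:16} {rel}")
```

Run audit_autorun("/") on a live host, or pass the mount point of an image; the marker can be swapped for any other string the analyst associates with the sample, since file names chosen by the malware are only one of the two checks.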


C2 CONNECTION AND BEHAVIOR


The Goldoon malware continuously tries to connect to its C2 server until a
connection is established. It also collects information about the targeted
system, such as the user name.


Figure 12: C2 Connecting Stage

Figure 13: Get Victim System Information

Once the connection is established, Goldoon receives packets from the C2
server that contain commands for follow-up actions.


Figure 14: Reading and Handling Packet

The packet handler has seven cases, selected by the C2 server. Two of them
have obviously malicious purposes: one executes commands through “/bin/bash
-c” on the victim host, and the other triggers the various DoS attacks.


Figure 15: Command Execution


ATTACK METHODS

According to our analysis, this malware contains an astounding 27 different
attack methods.

Protocol   Attack Method
ICMP       ICMP Flooding
TCP        TCP Flooding, XMAS Attack, etc.
UDP        UDP Flooding
DNS        DNS Flooding
HTTP       HTTP Bypass, HTTP Flooding, etc.
Other      Minecraft DDoS Attack

Table 2: Attack Methods

Take a TCP SYN flooding attack as an example. The malware first gathers
information about the target, such as its IP and port, and even checks whether
the target IP is IPv6.


Figure 16: TCP SYN Flooding Attack Arguments

Goldoon can launch DoS attacks over the common protocols listed above and
against the game Minecraft. It uses a variety of packet types, especially for
its TCP attacks, which include more than ten different packet types.


Figure 17: Commands for Attack Methods

Because some of these methods are empty, such as “http_exploit,” “http_xflow,”
“http_pps,” and “http_cps,” we deduce that the attacker is still actively
developing the malware.


CONCLUSION

While CVE-2015-2051 is not a new vulnerability and presents a low attack
complexity, it has a critical security impact that can lead to remote code
execution. Once attackers successfully exploit this vulnerability, they can
incorporate compromised devices into their botnet to launch further attacks.
FortiGuard Labs has identified one such new botnet, “Goldoon,” that is
exploiting this vulnerability, reminding us that botnets continue to evolve and
exploit as many devices as possible. We strongly recommend applying patches and
updates whenever possible because of the ongoing development and introduction of
new botnets.


FORTINET PROTECTIONS

The malware described in this report is detected and blocked by FortiGuard
Antivirus as:

BAT/Agent.G!tr.dldr
ELF/Agent.JL!tr.dldr
ELF/Agent.GLN!tr
POWERSHELL/Agent.G!tr.dldr
W64/Agent.GLN!tr


FortiGate, FortiMail, FortiClient, and FortiEDR support the FortiGuard AntiVirus
service. The FortiGuard AntiVirus engine is part of each of these solutions. As
a result, customers who have these products with up-to-date protections are
protected.

The FortiGuard Web Filtering Service blocks the C2 server.

FortiGuard Labs provides IPS signatures against attacks exploiting the following
vulnerability:

CVE-2015-2051: D-Link.Devices.HNAP.SOAPAction-Header.Command.Execution

We also suggest that organizations go through Fortinet’s free cybersecurity
training module: Fortinet Certified Fundamentals. This module is designed to
help end users learn how to identify and protect themselves from phishing
attacks.

The FortiGuard IP Reputation and Anti-Botnet Security Service proactively
blocks these attacks by aggregating malicious source IP data from the Fortinet
distributed network of threat sensors, CERTs, MITRE, cooperative competitors,
and other global sources that collaborate to provide up-to-date threat
intelligence about hostile sources.

If you believe this or any other cybersecurity threat has impacted your
organization, please contact our Global FortiGuard Incident Response Team.


IOCS


C2


94[.]228[.]168[.]60


FILES
