Date: 06/04/2026
Severity: High
Summary
In March 2026, Fortinet's FortiGuard Labs identified a new Gafgyt botnet variant, C0XMO, that spreads by exploiting CVE-2021-27137, a stack-based buffer overflow in the SSDP handling of vulnerable DD-WRT router firmware. The overflow is triggered by a malicious SSDP M-SEARCH request sent to UDP port 1900, so any DD-WRT device that accepts SSDP traffic from an untrusted network is a candidate for compromise; SSDP is a link-local discovery protocol and should never be reachable from the internet. Unlike earlier Gafgyt variants, C0XMO delegates lateral movement to a separate Python script, which lets it propagate across devices of different architectures instead of relying on a single binary. Although the observed attack targeted a Japanese technology company, the source IP address was traced to Germany. After compromise, the malware was downloaded to the `/tmp/.cache` directory on the affected host; on embedded firmware `/tmp` is typically RAM-backed, so that directory is a live-compromise indicator and should be captured before the device is rebooted. Analysis found samples compiled for multiple Linux architectures, including ARM, MC68000, MIPS R3000, PowerPC, SuperH, Intel 80386, and AMD64.
Indicators of Compromise (IOC) List
IP Address : 217.160.125.125, 176.100.37.91, 85.215.131.70
SHA-256 Hash :
444a9d34a9f59dc7975dfabefb47d789813a4497bbac9127c4806dd816e85211
ea44138b9701fce1b2fe13de8f9e00681c007c9adc625edc9f507f177704c2e8
eead44c0af7ddb12cece1a6125cf213bab3c22511cd59aff9d63dcfddb7d4386
3ddb67ab079509dd1e7ac77fc4cfed25a271526668c68f8a2221e96a4cc21812
41e8e327abbf2ba721be677ad8a416a7295708257b39688a0af03275fb199cec
b61a5508847a2167b737d31193dc393e92c5be2aa5141bbe4b7ea6f440fd4799
9394666007fac4014a4641fdae150c1b969ed2bc4299876318a336fd386abf59
20042f1efb59c99e3addf822a3e9e5a496f0b701362df038a50a32a9f504a136
450ea44da0c9d96a2e8f4d6bad34f1c35cd35743295b8cd2defa9f7a9884685d
d452f22dacab9785539484245c13e9cce58df23fc82eeef205684fcd196da20b
7413cbb6eab4d6b10346f71be5dd76d7cf2f4817f7776367b162f83755aefa1f
b6f835ced11059d341222eba11fff3a4672f4de47a3a4d791fad86059a2b06d4
dff0edae6e8854ddd3e617054ee0bd74c696c91411f704dff60aabaec839bec9
f02b1d8010dac35b007796def0cbd5d0c9414df790e2b55b105c95df2f2ffa91
8fc2d35b66c692d37a85ae9d30dc5c7f06f0b3eaf01112a5a6398a1a0feb3aee
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1 (C2 / loader addresses, either direction) :
dstipaddress IN ("176.100.37.91","85.215.131.70","217.160.125.125") or srcipaddress IN ("176.100.37.91","85.215.131.70","217.160.125.125")

Detection Query 2 (known C0XMO sample hashes) :
sha256hash IN ("ea44138b9701fce1b2fe13de8f9e00681c007c9adc625edc9f507f177704c2e8","eead44c0af7ddb12cece1a6125cf213bab3c22511cd59aff9d63dcfddb7d4386","3ddb67ab079509dd1e7ac77fc4cfed25a271526668c68f8a2221e96a4cc21812","41e8e327abbf2ba721be677ad8a416a7295708257b39688a0af03275fb199cec","444a9d34a9f59dc7975dfabefb47d789813a4497bbac9127c4806dd816e85211","b61a5508847a2167b737d31193dc393e92c5be2aa5141bbe4b7ea6f440fd4799","9394666007fac4014a4641fdae150c1b969ed2bc4299876318a336fd386abf59","20042f1efb59c99e3addf822a3e9e5a496f0b701362df038a50a32a9f504a136","450ea44da0c9d96a2e8f4d6bad34f1c35cd35743295b8cd2defa9f7a9884685d","d452f22dacab9785539484245c13e9cce58df23fc82eeef205684fcd196da20b","7413cbb6eab4d6b10346f71be5dd76d7cf2f4817f7776367b162f83755aefa1f","b6f835ced11059d341222eba11fff3a4672f4de47a3a4d791fad86059a2b06d4","dff0edae6e8854ddd3e617054ee0bd74c696c91411f704dff60aabaec839bec9","f02b1d8010dac35b007796def0cbd5d0c9414df790e2b55b105c95df2f2ffa91","8fc2d35b66c692d37a85ae9d30dc5c7f06f0b3eaf01112a5a6398a1a0feb3aee")
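The two TDIR queries above, re-implemented over constructed JSON log lines as an added Python example; this is not Gurucul's query engine and not code from the Fortinet write-up. The field names srcipaddress, dstipaddress and sha256hash are the ones the queries use; the JSON log format, the proto/dstport/payload fields and the 512-byte M-SEARCH size threshold are assumptions for the example. It goes beyond the page's two queries by adding a heuristic for the delivery vector the summary describes: an SSDP M-SEARCH to UDP/1900 that is oversized, or that arrives from a non-private source address, neither of which a healthy network should ever see.

```python
"""IOC and SSDP M-SEARCH detection for the C0XMO Gafgyt variant.

Added example; the log schema and the size threshold below are assumptions.
"""
import ipaddress
import json

# IOCs taken verbatim from the advisory above.
C2_IPS = {"217.160.125.125", "176.100.37.91", "85.215.131.70"}

SAMPLE_HASHES = {
    "ea44138b9701fce1b2fe13de8f9e00681c007c9adc625edc9f507f177704c2e8",
    "eead44c0af7ddb12cece1a6125cf213bab3c22511cd59aff9d63dcfddb7d4386",
    "3ddb67ab079509dd1e7ac77fc4cfed25a271526668c68f8a2221e96a4cc21812",
    "41e8e327abbf2ba721be677ad8a416a7295708257b39688a0af03275fb199cec",
    "444a9d34a9f59dc7975dfabefb47d789813a4497bbac9127c4806dd816e85211",
    "b61a5508847a2167b737d31193dc393e92c5be2aa5141bbe4b7ea6f440fd4799",
    "9394666007fac4014a4641fdae150c1b969ed2bc4299876318a336fd386abf59",
    "20042f1efb59c99e3addf822a3e9e5a496f0b701362df038a50a32a9f504a136",
    "450ea44da0c9d96a2e8f4d6bad34f1c35cd35743295b8cd2defa9f7a9884685d",
    "d452f22dacab9785539484245c13e9cce58df23fc82eeef205684fcd196da20b",
    "7413cbb6eab4d6b10346f71be5dd76d7cf2f4817f7776367b162f83755aefa1f",
    "b6f835ced11059d341222eba11fff3a4672f4de47a3a4d791fad86059a2b06d4",
    "dff0edae6e8854ddd3e617054ee0bd74c696c91411f704dff60aabaec839bec9",
    "f02b1d8010dac35b007796def0cbd5d0c9414df790e2b55b105c95df2f2ffa91",
    "8fc2d35b66c692d37a85ae9d30dc5c7f06f0b3eaf01112a5a6398a1a0feb3aee",
}

# Assumed heuristic threshold: a legitimate SSDP M-SEARCH is well under this
# size. It is NOT the vulnerable DD-WRT buffer size (the advisory does not
# state one); tune it against your own SSDP baseline.
MSEARCH_MAX_LEN = 512


def check_c2_ip(rec):
    """Detection Query 1: either endpoint is a known C0XMO C2/loader address."""
    hits = {rec.get("srcipaddress"), rec.get("dstipaddress")} & C2_IPS
    return [f"c2_ip:{ip}" for ip in sorted(hits)]


def check_sample_hash(rec):
    """Detection Query 2: the file hash matches a known C0XMO sample."""
    h = (rec.get("sha256hash") or "").lower()
    return [f"c0xmo_sample:{h[:12]}"] if h in SAMPLE_HASHES else []


def check_ssdp_msearch(rec):
    """Heuristic not in the advisory's queries: M-SEARCH to UDP/1900 that is
    oversized (overflow-shaped) or that comes from a non-private source.
    SSDP discovery is link-local and should never arrive from the internet."""
    if rec.get("proto") != "udp" or str(rec.get("dstport")) != "1900":
        return []
    payload = rec.get("payload") or ""
    if not payload.startswith("M-SEARCH"):
        return []
    reasons = []
    if len(payload) > MSEARCH_MAX_LEN:
        reasons.append(f"oversized_msearch:{len(payload)}")
    try:
        if not ipaddress.ip_address(rec.get("srcipaddress", "")).is_private:
            reasons.append("msearch_from_public_ip")
    except ValueError:
        reasons.append("msearch_bad_src_ip")
    return reasons


def scan(lines):
    """Run every check over JSON log lines; return (line_no, reasons) per hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # unparsable line: skip rather than crash the scan
        if not isinstance(rec, dict):
            continue
        reasons = check_c2_ip(rec) + check_sample_hash(rec) + check_ssdp_msearch(rec)
        if reasons:
            hits.append((n, reasons))
    return hits


BENIGN_MSEARCH = ("M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
                  'MAN: "ssdp:discover"\r\nMX: 2\r\nST: ssdp:all\r\n\r\n')

# Constructed log records for this example; none are real captures.
_RECORDS = [
    {"srcipaddress": "10.0.0.5", "dstipaddress": "176.100.37.91",
     "dstport": 80, "proto": "tcp"},                               # egress to C2
    {"srcipaddress": "10.0.0.9", "dstipaddress": "239.255.255.250",
     "dstport": 1900, "proto": "udp", "payload": BENIGN_MSEARCH},  # normal SSDP
    {"srcipaddress": "85.215.131.70", "dstipaddress": "10.0.0.1",
     "dstport": 1900, "proto": "udp",
     "payload": "M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\nST: "
                + "A" * 900 + "\r\n\r\n"},                         # oversized, external
    {"srcipaddress": "10.0.0.1", "dstipaddress": "10.0.0.50", "dstport": 0,
     "proto": "file", "path": "/tmp/.cache/mips",
     "sha256hash": "444a9d34a9f59dc7975dfabefb47d789813a4497bbac9127c4806dd816e85211"},
]
SAMPLE_LOGS = [json.dumps(r) for r in _RECORDS] + ["garbage line, not json"]

if __name__ == "__main__":
    for n, reasons in scan(SAMPLE_LOGS):
        print(f"line {n}: {', '.join(reasons)}")
```

Feed `scan()` one JSON object per line from your SIEM export; the third sample line shows why the heuristic matters: the source is already a listed C2 address, but even a previously unseen attacker IP would be caught by the oversized-request and public-source checks, which Query 1 alone cannot do.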
Reference:
https://www.fortinet.com/blog/threat-research/inside-cross-platform-propagation-of-new-gafgyt-variant-c0xmo