Symbol: elf.c0xmo

C0XMO


According to FortiGuard Labs, C0XMO is a newly identified Gafgyt variant that propagates by exploiting CVE-2021-27137 in DD-WRT routers, enabling remote attackers to control vulnerable systems. Unlike traditional Gafgyt, C0XMO modularizes its lateral movement into a standalone Python script, allowing it to efficiently target multiple Linux architectures. The malware is delivered as both Python scripts and compiled ELF binaries, and features persistence, termination of competing malware processes, and a broad set of DDoS attack methods. Its architecture is more advanced than typical Gafgyt, with separate scanning and propagation components, extensive exploitation capabilities, and improved scalability for botnet deployment.

References
2026-06-03 | Fortinet | Vincent Li
Inside the Cross-Platform Propagation of a New Gafgyt Variant C0XMO
Bashlite C0XMO

There is no Yara-Signature yet.