Novel Botnet Exploiting High Severity Vulnerability in D-Link Devices

On 1 May 2024, Fortinet researchers published the technical details of a new botnet they dubbed “Goldoon” targeting a high severity vulnerability in D-Link devices

Context and Technical Details

According to researchers, “If a targeted device is compromised, attackers can gain complete control, enabling them to extract system information, establish communication with a C2 server, and then use these devices to launch further attacks, such as distributed denial-of-service (DDoS). […] telemetry data also indicates that this botnet activity spiked in April, almost doubling the usual frequency”

CVE-2015-2051, originally published in 2015, carries a severity score of 10 and is described by the National Vulnerability Database as follows: “The D-Link DIR-645 Wired/Wireless Router Rev. Ax with firmware 1.04b12 and earlier allows remote attackers to execute arbitrary commands via a GetDeviceSettings action to the HNAP interface.”

Fortinet researchers observed the following behaviors in the Goldoon botnet:

• “Initializes required arguments
• Sets autorun to persist in the victim device
• Establishes a persistent connection with its Command and Control (aka, C2) server
• Waits for commands from the C2 server to launch related behaviors”

Community Impact

Fortinet researchers did not disclose the targets of the Goldoon botnet, or the industries of organizations targeted. As of this writing, no RH-ISAC members have shared any intelligence related to Goldoon, and none of the indicators of compromise (IOCs) shared by Fortinet match any indicators in MISP.  The indicators are included below for review.

The RH-ISAC intelligence team assesses with a high degree of confidence that the Goldoon botnet presents a low level threat to organizations that have deprecated vulnerable D-Link devices as end of life. However, organizations operating vulnerable D-Link routers are strongly advised to implement compensating security controls or deprecate devices to mitigate threat activity targeting the vulnerability.

IOCs

Fortinet researchers provided the following IOCs:

C2

• 94[.]228[.]168[.]60

Files

• 66f21251d7f8c58316f149fec104723beb979a1215ad4e788d83f0ee6fd34696
• 712d9abe8fbdff71642a4d377ef920d66338d73388bfee542f657f2e916e219c
• d7367d41d19baa4f1022f8eb47f7ff1e13f583265c7c26ab96d5f716fa0d61ee
• fdf6dae772f7003d0b7cdc55e047434dbd089e0dc7664a3fae8ccfd9d10ece8c
• aa9e6006bce7d0b4554165dba76e67c4a44d98090c9e6ac9f3dca726f6e9adbf
• fc44018b7432d9e6a1e98f723b0402101fa6e7483d098b10133aac142c0a4a0b
• e7b78f16d0dfc91b4c7e8fd50fc31eba1eb22ec7030af9bf7c551b6019c79333
• 0e6eb17664943756cab434af5d94fcd341f154cb36fc6f1ef5eb5cfdce68975f
• 9af8720766c5f3978718c026c2263801b08634443c93bd67022c56c6ef531ef3
• df71219ba6f5835309479b6e3eaca73b187f509b915420656bfe9a9cc32596c2
• 48130a7c09a5c92e15b3fc0d2e1eb655e0bd8f759e01ba849f7734e32dbc2652
• 8eb9c1eaecd0dcdd242e1bc8c62a1052915b627abe2de8ce147635fb7da3bfcc
• b050a1ff0d205f392195179233493ff5b6f44adc93fe0dba1f78c4fe90ebcc46
• ffd2d3888b6b1289e380fa040247db6a4fbd2555db3e01fadd2fe41a0fa2debc
• 88cea61218bdeea94537b74c67873e75b8ada6d050a30d311569c3118d161c46
• 115e15fbee077a9e126cc0eb349445df34cc9404245520c702fadc5f75b6f859
• b10e47db989e29ace6c23ed15e29f313993f95e5e615711060881dfa84618071
• 037331ab84a841b9d3cfb6f8797c1695e2dc0a2cdcc3f8f3c794dfaa50bcf0df
• 5631980fab33525f4de1b47be606cd518403f54fa71b81186f02dbf7e9ed0004
• 246142a5e3f3d3f84d8b38f98ff6897b03628e06e31016b8fafc9eb8c2b6201d
• 3123a458a6346fd14c5bd7d41cda6c9c9bdabc786366a9ab3d5e7c00132ff835
• 45bf2c9c6628d87a3cb85ee78ae3e92a09949185e6da11c41e2df04a53bb1274
• c81cfe4d3b98d0b28d3c3e7812beda005279bc6c67821b27571240eba440fa49