The C0XMO botnet is targeting vulnerable DD-WRT routers in a campaign that goes beyond typical malware infections. Security researchers discovered that the malware not only compromises devices but also actively searches for and removes competing malware already running on infected systems.
The tactic gives attackers exclusive control over compromised devices while helping the botnet grow into a larger and more stable network.
Botnet Exploits Known Router Flaw
Researchers linked the campaign to a variant of the Gafgyt malware family, a botnet that has targeted internet-connected devices for years. The latest activity abuses CVE-2021-27137, a remote code execution vulnerability affecting DD-WRT router firmware.
Once attackers gain access, the malware installs itself and begins communicating with command-and-control infrastructure. The infected device then becomes part of a larger botnet capable of carrying out additional malicious activity.
Although the vulnerability is several years old, many devices remain exposed because owners have not installed available firmware updates.
Malware Eliminates the Competition
What separates the C0XMO botnet from many similar threats is its aggressive effort to remove competing malware.
Researchers found that the malware scans infected systems for rival botnets and malicious processes. When competing malware is detected, C0XMO attempts to terminate those processes and prevent them from regaining control of the device.
This approach allows attackers to dedicate system resources entirely to their own operation. It also reduces conflicts that can occur when multiple malware families attempt to control the same device.
The tactic effectively turns infected routers into exclusive assets for the botnet operators.
Campaign Supports Multiple Architectures
The malware has been compiled for several processor architectures, allowing it to infect a wide range of internet-connected devices.
Researchers observed versions targeting different hardware platforms commonly found in routers, embedded systems, and other network-connected equipment. This flexibility enables the botnet to expand beyond a single device category and increases the number of potential victims.
A separate scanning component helps identify vulnerable targets and supports further propagation across exposed systems.
Old Vulnerabilities Continue to Fuel Botnets
The campaign highlights a recurring problem within the cybersecurity landscape. Threat actors frequently rely on older vulnerabilities because many devices remain unpatched years after security fixes become available.
Routers are particularly attractive targets because they often operate continuously and receive less attention than computers or smartphones. Once compromised, they can provide long-term access and computing resources for botnet operators.
Researchers recommend applying firmware updates, disabling unnecessary remote management features, and replacing default credentials to reduce exposure.
Conclusion
The C0XMO botnet demonstrates how attackers continue to evolve established malware families. By exploiting vulnerable DD-WRT routers and actively removing competing malware, the operators behind the campaign are creating a more efficient and resilient botnet. The activity also serves as a reminder that outdated networking equipment remains a valuable target for cybercriminals long after vulnerabilities become public.