
Cybersecurity researchers are calling attention to malware campaigns that exploit security flaws in TBK digital video recorders (DVRs) and Four-Faith routers to rope the devices into a new botnet called RondoDox.
The vulnerabilities in question are CVE-2024-3721, a medium-severity command injection vulnerability affecting TBK DVR-4104 and DVR-4216 DVRs, and CVE-2024-12856, an operating system (OS) command injection bug affecting Four-Faith router models F3x24 and F3x36.
Many of these devices are deployed in environments such as retail stores, warehouses, and small offices, and are often left unmonitored for years. That makes them an ideal target: they are easy to exploit, hard to monitor, and usually exposed directly to the internet through outdated firmware or misconfigured ports.
It is worth noting that both security flaws have been repeatedly weaponized by threat actors in recent months to deploy various Mirai botnet variants.
"Both [security flaws], publicly disclosed and actively targeted, pose serious risks to device security and overall network integrity," said Fortinet FortiGuard Labs researcher Vincent Li.

The cybersecurity company said it first identified RondoDox ELF binaries in September 2024. The malware mimics traffic from gaming platforms or VPN servers in order to fly under the radar.
It is not just the acquisition of devices that makes RondoDox particularly dangerous, but how an attacker can reuse that access. Rather than using infected devices as typical botnet nodes, it weaponizes them as stealthy proxies that amplify DDoS-for-hire campaigns, hide command-and-control traffic, carry out layered fraud, and fuse financial fraud with infrastructure disruption.
Analysis of the RondoDox artifacts shows that it was first distributed to target Linux-based operating systems running on ARM and MIPS architectures, before being distributed via shell script downloaders that can also target other Linux architectures such as Intel 80386, MC68000, MIPS R3000, PowerPC, SuperH, ARCompact, x86-64, and AArch64.
When launched, the shell script tells the victim host to ignore the SIGINT, SIGQUIT, and SIGTERM signals used to terminate processes on UNIX-like operating systems, then checks for writable paths across several directories such as /dev, /dev/shm, the victim user's home directory, /mnt, /run, /var/run, and /tmp.
The final step involves downloading the RondoDox malware and running it on the host, then clearing the command execution history to erase traces of the malicious activity. The botnet payload sets up persistence on the machine so that it starts automatically after a system restart.
It is also designed to scan the list of running processes and terminate those related to network utilities (such as wget and curl), system analysis tools (such as Wireshark and GDB), or other malware (such as cryptocurrency miners or RedTail variants).

This approach reflects a growing trend in botnet design in which threat actors use multi-architecture droppers, DoH-based C2 resolution, and XOR-encrypted payloads to bypass detection. As part of the broader category of evasive Linux malware, RondoDox sits alongside threats such as Last Bots and Moji, forming a new wave of adaptive botnets built to take advantage of poor IoT hygiene and weak router hardening.
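The report mentions XOR-encoded configuration data but gives no key. The usual triage step for a single-byte XOR scheme is to brute-force all 256 keys and rank the candidates by how much they look like a config (printable text, paths, NUL separators). The following is an added example, not code from the page or from Fortinet; the key 0x5A and the sample config blob are constructed for the demonstration, and a real sample may use a longer key, in which case this only finds the first candidate.

```python
import string

# Bytes an analyst accepts as "looks like text" in a decoded config.
PRINTABLE = set(string.printable.encode()) - set(b"\x0b\x0c")


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key (applying it twice restores the input)."""
    return bytes(b ^ key for b in data)


def printable_ratio(data: bytes) -> float:
    if not data:
        return 0.0
    return sum(1 for b in data if b in PRINTABLE) / len(data)


def brute_force_xor(blob: bytes, markers=(b"/usr", b"http", b"\x00")):
    """Try all 256 single-byte keys and rank the candidates.

    Score = share of printable bytes + 1.0 for each marker substring found.
    Markers are strings an analyst expects in a config (paths, URLs,
    NUL separators). Returns a list of (score, key, plaintext), best first.
    """
    candidates = []
    for key in range(256):
        pt = xor_bytes(blob, key)
        score = printable_ratio(pt) + sum(1.0 for m in markers if m in pt)
        candidates.append((score, key, pt))
    candidates.sort(key=lambda c: c[0], reverse=True)
    return candidates


# Constructed sample (an assumption, not a real RondoDox config): a NUL-separated
# list of the directories named in the report, encoded with key 0x5A.
SAMPLE_KEY = 0x5A
SAMPLE_CONFIG = b"/usr/sbin\x00/usr/local/bin\x00/usr/local/sbin\x00"
ENCODED_BLOB = xor_bytes(SAMPLE_CONFIG, SAMPLE_KEY)


def recover_config(blob: bytes = ENCODED_BLOB):
    """Return (key, plaintext) of the best-scoring candidate."""
    score, key, pt = brute_force_xor(blob)[0]
    return key, pt


if __name__ == "__main__":
    key, pt = recover_config()
    print(f"best key: 0x{key:02x}")
    print("decoded :", pt.split(b"\x00"))
```

Against a real binary you would feed `brute_force_xor` the high-entropy data section carved from the ELF rather than a constructed blob, and inspect the top few candidates by hand instead of trusting the first one.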
Additionally, RondoDox scans several common Linux executable directories, such as /usr/sbin, /usr/local/bin, and /usr/local/sbin, and renames legitimate executables to random strings with the intent of hampering recovery efforts. The renamed files are listed below (original name -> new name):
iptables -> jsujpf
ufw -> nqqbsc
passwd -> ahwdze
chpasswd -> erghx
shutdown -> hhrqwk
poweroff -> dcwkkb
halt -> cjtzgw
reboot -> gaajct
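Because the malware only renames the binaries, their contents are unchanged, so the rename can be detected by hashing every file in the scanned directories and comparing against known-good hashes: a file whose hash matches a known tool but whose name does not is a renamed copy. The following is an added example, not code from the page or from Fortinet; the sample directory tree, the stand-in file contents, and the helper names are assumptions constructed for the demonstration.

```python
import hashlib
import os
import shutil
import tempfile

# Binaries the report says RondoDox renames, and the directories it scans.
PROTECTED = ["iptables", "ufw", "passwd", "chpasswd",
             "shutdown", "poweroff", "halt", "reboot"]
BIN_DIRS = ["usr/sbin", "usr/local/bin", "usr/local/sbin"]


def sha256_file(path: str) -> str:
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def reference_hashes(known_good: dict) -> dict:
    """Map sha256 -> canonical name from known-good binary contents
    (on a real system: a firmware manifest or package database)."""
    return {hashlib.sha256(content).hexdigest(): name
            for name, content in known_good.items()}


def audit(root: str, known: dict, dirs=BIN_DIRS, protected=PROTECTED) -> dict:
    """Walk the bin dirs under root. Report protected tools missing under their
    own name, and files whose content matches a known tool but whose name differs."""
    names_seen = set()
    renamed = []
    for d in dirs:
        path = os.path.join(root, d)
        if not os.path.isdir(path):
            continue
        for name in sorted(os.listdir(path)):
            full = os.path.join(path, name)
            if not os.path.isfile(full):
                continue
            names_seen.add(name)
            canonical = known.get(sha256_file(full))
            if canonical is not None and canonical != name:
                renamed.append((os.path.join(d, name), canonical))
    missing = sorted(p for p in protected if p not in names_seen)
    return {"missing": missing, "renamed": renamed}


# Constructed stand-ins for real ELF contents (an assumption for the demo).
KNOWN_GOOD = {name: f"ELF:{name}".encode() for name in PROTECTED}


def build_sample_tree(root: str) -> None:
    """Simulate a box after the rename step: iptables and ufw now live under the
    random names the report lists; reboot is untouched; the rest are absent."""
    sbin = os.path.join(root, "usr", "sbin")
    os.makedirs(sbin)
    os.makedirs(os.path.join(root, "usr", "local", "bin"))
    for name, content in [("jsujpf", KNOWN_GOOD["iptables"]),
                          ("nqqbsc", KNOWN_GOOD["ufw"]),
                          ("reboot", KNOWN_GOOD["reboot"])]:
        with open(os.path.join(sbin, name), "wb") as f:
            f.write(content)


def run_demo() -> dict:
    root = tempfile.mkdtemp()
    try:
        build_sample_tree(root)
        return audit(root, reference_hashes(KNOWN_GOOD))
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    findings = run_demo()
    for path, original in findings["renamed"]:
        print(f"renamed: {path} has the content of {original}")
    print("missing under their own name:", ", ".join(findings["missing"]))
```

On a distribution with a package database, `rpm -V` or `dpkg --verify` already performs this comparison and should be preferred; the hand-rolled version is for firmware images and appliances that have no such database. Note that on systemd hosts halt, poweroff and reboot are usually symlinks to one binary, so a real reference map must tolerate several canonical names per hash.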

Once the setup process is complete, the malware contacts an external server (83.150.218[.]93) to receive commands, and uses the HTTP, UDP, and TCP protocols to carry out distributed denial-of-service (DDoS) attacks against a specified target.
"To avoid detection, it disguises malicious traffic by emulating popular games and platforms such as Valve, Minecraft, Dark and Darker, DayZ, Fortnite, and GTA.
"Beyond gaming and chat protocols, RondoDox can also mimic custom traffic from tunneling and real-time communication services such as WireGuard, OpenVPN variants (such as OpenVPNAuth, OpenVPNCrypt, OpenVPNTCP), STUN, DTLS, RTC, and more."
By impersonating traffic associated with legitimate tools, the idea is to blend in with normal activity and make it harder for defenders to detect and block it.
"RondoDox is a sophisticated emerging malware threat that employs advanced evasion techniques, including anti-analysis measures, XOR-encoded configuration data, custom-built libraries, and robust persistence mechanisms," Li said. "These features allow it to remain undetected and maintain long-term access to compromised systems."