
Old vulnerable D-Link routers subjected to novel Goldoon botnet attacks


The novel Goldoon botnet is being used to attack D-Link DIR-645 routers that remain vulnerable to CVE-2015-2051, a critical arbitrary command execution bug that is almost 10 years old, to facilitate further compromise. Botnet activity has been escalating since April 9, according to The Hacker News.

Attackers exploit the vulnerability to retrieve a dropper script that downloads the next-stage payload tailored to various Linux architectures, which then injects the Goldoon malware on the compromised device before deleting itself to evade detection, a report from Fortinet FortiGuard Labs revealed. The Goldoon malware then uses nearly 30 different techniques to allow distributed denial-of-service flood attacks, researchers said.

Such findings come amid a Trend Micro report detailing the growing prevalence of hacked routers being rented out to other cybercriminal operations.

"Internet routers remain a popular asset for threat actors to compromise since they often have reduced security monitoring, have less stringent password policies, are not updated frequently, and may use powerful operating systems that allow for installation of malware such as cryptocurrency miners, proxies, distributed denial of service (DDoS malware), malicious scripts, and web servers," said Trend Micro.
