Cybersecurity researchers are calling attention to a malware campaign that is targeting security flaws in TBK digital video recorders (DVRs) and Four-Faith routers to rope the devices into a new botnet called RondoDox.
The vulnerabilities in question are CVE-2024-3721, a medium-severity command injection vulnerability affecting TBK DVR-4104 and DVR-4216 DVRs, and CVE-2024-12856, an operating system (OS) command injection bug affecting Four-Faith router models F3x24 and F3x36.
Many of these devices are installed in environments like retail stores, warehouses, and small offices, where they often go unmonitored for years. That makes them ideal targets: easy to exploit, hard to detect, and usually exposed directly to the internet through outdated firmware or misconfigured ports.
It is worth noting that both security defects have been repeatedly weaponized by threat actors to deploy different Mirai botnet variants in recent months.
"Both [the security flaws] have been publicly disclosed and are actively being targeted, posing serious risks to device security and overall network integrity," Fortinet FortiGuard Labs researcher Vincent Li said.
The cybersecurity company said it first identified an ELF binary for RondoDox in September 2024, with the malware capable of mimicking traffic from gaming platforms or VPN servers to fly under the radar.
What makes RondoDox especially dangerous is not just the device takeover; it is how the attackers repurpose that access. Instead of using infected devices as typical botnet nodes, they weaponize them as stealth proxies to hide command-and-control traffic, carry out layered scams, or amplify DDoS-for-hire campaigns that blend financial fraud with infrastructure disruption.
Analysis of RondoDox artifacts indicates that it was initially distributed to target Linux-based operating systems running on ARM and MIPS architectures, before being distributed via a shell script downloader that can target other Linux architectures such as Intel 80386, MC68000, MIPS R3000, PowerPC, SuperH, ARCompact, x86-64, and AArch64.
The shell script, once launched, instructs the victim host to ignore the SIGINT, SIGQUIT, and SIGTERM signals that are used to terminate processes in Unix-like operating systems, and then probes for a writable location among /dev, /dev/shm, the victim user's home directory, /mnt, /run/user/0, /var/log, /var/run, /var/tmp, and /data/local/tmp.
In the final step, the RondoDox malware is downloaded to and executed on the host, and the script clears the command execution history to remove traces of the malicious activity. The botnet payload, for its part, proceeds to set up persistence on the machine to ensure that it is automatically launched following a system reboot.
It is also designed to scan the list of running processes and terminate any process related to network utilities (e.g., wget and curl), system analysis tools (e.g., Wireshark and gdb), or other malware (e.g., cryptominers or Redtail variants) so as to maintain operational stealth.
This approach reflects a growing trend in botnet design where threat actors use multi-architecture droppers, DoH-based C2 resolution, and XOR-encrypted payloads to bypass legacy IDS rules. As part of a broader class of evasive Linux malware, RondoDox sits alongside threats like RustoBot and Mozi, forming a new wave of adaptable botnets built to exploit poor IoT hygiene and weak router hardening.
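The XOR-encoded configuration mentioned above is a natural first target for analysis. The following Python is an added example, not code from Fortinet or from the RondoDox sample: it recovers a single-byte XOR key from an encoded blob by trying all 256 keys and keeping the most text-like decoding that also contains an IPv4 address. The one-byte key length and the sample blob are assumptions made here; the report does not describe the actual encoding scheme or key.

```python
"""Single-byte XOR key recovery for an encoded configuration blob (added example).

Assumption: a repeating one-byte key, the simplest scheme and the first an
analyst tries; the report does not describe RondoDox's actual encoding. The
sample blob below is constructed here, not taken from a real sample.
"""
import re
import string

PRINTABLE = set(string.printable.encode())
# A config worth recovering almost always carries an IPv4 C2 address, so use
# that as the marker a candidate decoding must contain.
IPV4 = re.compile(rb"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with the same one-byte key (the operation is its own inverse)."""
    return bytes(b ^ key for b in data)


def printable_ratio(candidate: bytes) -> float:
    """Fraction of bytes that are printable ASCII; text-like decodings score near 1.0."""
    if not candidate:
        return 0.0
    return sum(1 for b in candidate if b in PRINTABLE) / len(candidate)


def recover_key(blob: bytes, marker=IPV4):
    """Try all 256 keys; return (key, plaintext) for the most text-like decoding
    that also matches `marker`, or (None, None) if no candidate matches."""
    best_score, best_key, best_pt = -1.0, None, None
    for key in range(256):
        pt = xor_bytes(blob, key)
        if marker is not None and not marker.search(pt):
            continue  # printable noise without the marker is a false positive
        s = printable_ratio(pt)
        if s > best_score:
            best_score, best_key, best_pt = s, key, pt
    return best_key, best_pt


# Constructed sample: a fake config (the C2 address from the report plus the
# names of two mimicked protocols as free text) encoded under key 0x5A.
SAMPLE_KEY = 0x5A
SAMPLE_CONFIG = b"c2=83.150.218.93\nmimic=wireguard,openvpntcp\n"
SAMPLE_BLOB = xor_bytes(SAMPLE_CONFIG, SAMPLE_KEY)


def recover_sample():
    """Recover the key and plaintext of the constructed blob."""
    return recover_key(SAMPLE_BLOB)


if __name__ == "__main__":
    key, pt = recover_sample()
    print(f"key=0x{key:02x}")
    print(pt.decode())
```

The marker matters more than the printable score: several wrong keys decode a short ASCII config into other all-printable ASCII, so ranking on printability alone picks the lowest such key. Requiring a structural feature the analyst expects in the config (here an IPv4 address) removes those collisions; for a multi-byte key the same scoring can be applied per key position after the key length is estimated.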
Furthermore, RondoDox scans several common Linux executable directories, such as /usr/sbin, /usr/bin, /usr/local/bin, and /usr/local/sbin, and renames legitimate executables with random characters with the intent of inhibiting recovery efforts. The modified file names are listed below:
- iptables – jsuJpf
- ufw – nqqbsc
- passwd – ahwdze
- chpasswd – ereghx
- shutdown – hhrqwk
- poweroff – dcwkkb
- halt – cjtzgw
- reboot – gaajct
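As an added example (not code from Fortinet or the RondoDox sample), the following Python host-triage script turns the indicators above into checks a responder can run: it looks in the four executable directories for the random file names listed, notes whether the original binary is gone from the same directory, and scans the writable staging directories the downloader probes for files that begin with the ELF magic. It assumes the random names are matched as literal strings and that `root` is either `/` on a live host or the mount point of a disk image; the sample tree it builds for offline testing is constructed here.

```python
"""Host triage for the RondoDox traces described above (added example).

Assumptions not taken from the report: the random names are matched as
literal strings, and `root` may be "/" on a live host or the mount point of
a disk image. The sample tree used for offline testing is constructed here.
"""
import tempfile
from pathlib import Path

# Original binary -> random name the report says RondoDox renames it to.
RENAMED = {
    "iptables": "jsuJpf",
    "ufw": "nqqbsc",
    "passwd": "ahwdze",
    "chpasswd": "ereghx",
    "shutdown": "hhrqwk",
    "poweroff": "dcwkkb",
    "halt": "cjtzgw",
    "reboot": "gaajct",
}
BIN_DIRS = ["usr/sbin", "usr/bin", "usr/local/bin", "usr/local/sbin"]
# Writable locations the shell-script downloader probes before staging the payload.
STAGING_DIRS = ["dev", "dev/shm", "mnt", "run/user/0", "var/log",
                "var/run", "var/tmp", "data/local/tmp"]
ELF_MAGIC = b"\x7fELF"


def find_renamed_binaries(root="/"):
    """Return one dict per known random name found in an executable directory.

    `original_missing` is True when the expected binary is gone from that
    directory, which is what a rename (rather than a copy) leaves behind.
    """
    hits = []
    for d in BIN_DIRS:
        base = Path(root) / d
        if not base.is_dir():
            continue
        for original, random_name in RENAMED.items():
            if (base / random_name).exists():
                hits.append({
                    "dir": str(base),
                    "original": original,
                    "renamed": random_name,
                    "original_missing": not (base / original).exists(),
                })
    return hits


def find_staged_elf(root="/"):
    """Return paths of regular files in the staging directories that start with the ELF magic."""
    found = []
    for d in STAGING_DIRS:
        base = Path(root) / d
        if not base.is_dir():
            continue
        try:
            entries = list(base.iterdir())  # non-recursive: the dropper writes into the directory itself
        except OSError:
            continue
        for p in entries:
            # Skip symlinks and device nodes so a scan of /dev never blocks on a device.
            if p.is_symlink() or not p.is_file():
                continue
            try:
                with open(p, "rb") as fh:
                    if fh.read(4) == ELF_MAGIC:
                        found.append(str(p))
            except OSError:
                continue
    return sorted(found)


def build_sample_tree(root):
    """Constructed sample filesystem (not a real capture) for offline testing."""
    r = Path(root)
    (r / "usr/sbin").mkdir(parents=True)
    (r / "usr/sbin/jsuJpf").write_bytes(ELF_MAGIC + b"\x01")  # renamed iptables, original gone
    (r / "usr/bin").mkdir(parents=True)
    (r / "usr/bin/passwd").write_bytes(ELF_MAGIC + b"\x01")   # untouched binary
    (r / "var/tmp").mkdir(parents=True)
    (r / "var/tmp/.x").write_bytes(ELF_MAGIC + b"\x02")       # staged payload
    (r / "var/tmp/notes.txt").write_bytes(b"just text")       # benign file, ignored


def triage_sample():
    """Run both checks against the constructed tree; returns (renamed_hits, staged_elf)."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return find_renamed_binaries(root), find_staged_elf(root)


if __name__ == "__main__":
    renamed, staged = triage_sample()
    for h in renamed:
        print(f"renamed: {h['dir']}/{h['renamed']} (was {h['original']}, missing={h['original_missing']})")
    for p in staged:
        print("staged ELF:", p)
```

On a live host, remember that the payload kills analysis tools and that `iptables`, `shutdown` and `reboot` may no longer exist under their real names; running this from a mounted image or a statically linked toolset avoids both problems.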
Once the setup process is complete, the malware contacts an external server (83.150.218[.]93) to receive commands to carry out distributed denial-of-service (DDoS) attacks against specific targets using the HTTP, UDP, and TCP protocols.
"To evade detection, it disguises malicious traffic by emulating popular games and platforms such as Valve, Minecraft, Dark and Darker, Roblox, DayZ, Fortnite, GTA, as well as tools like Discord, OpenVPN, WireGuard, and RakNet," Fortinet said.
"Beyond gaming and chat protocols, RondoDox can also mimic custom traffic from tunneling and real-time communication services, including WireGuard, OpenVPN variants (e.g., openvpnauth, openvpncrypt, openvpntcp), STUN, DTLS, and RTC."
By impersonating traffic associated with legitimate tools, the idea is to blend in with normal activity and make it challenging for defenders to detect and block it.
"RondoDox is a sophisticated and emerging malware threat that employs advanced evasion techniques, including anti-analysis measures, XOR-encoded configuration data, custom-built libraries, and a robust persistence mechanism," Li said. "These capabilities allow it to remain undetected and maintain long-term access on compromised systems."