RondoDox Unveiled: Breaking Down a New Botnet Threat
The article describes a new malware family named RondoDox, which exploits the CVE-2024-3721 and CVE-2024-12856 vulnerabilities to attack TBK DVR and Four-Faith router devices. The malware has a complex persistence mechanism and anti-analysis capabilities, and can disguise its DDoS attack traffic as legitimate traffic. 2025-7-3 13:0:0 Author: feeds.fortinet.com

Affected Platforms: TBK DVR-4104, TBK DVR-4216, Four-Faith router models F3x24 and F3x36
Impacted Users: Any organization
Impact: Remote attackers gain control of the vulnerable systems
Severity Level: High

Over the past month, FortiGuard Labs has observed a significant increase in scanning activity, including a new botnet campaign that exploits two high-risk vulnerabilities: CVE-2024-3721 and CVE-2024-12856. Both have been publicly disclosed and are actively being targeted, posing serious risks to device security and overall network integrity.

The botnet responsible for these attacks has been named RondoDox. Unlike widespread variants such as Mirai or Gafgyt, RondoDox is a relatively new and low-profile threat. FortiGuard Labs first identified a similar ELF binary in September 2024. Notably, RondoDox incorporates custom libraries and mimics traffic from gaming platforms or VPN servers to evade detection.

Vulnerability Details

CVE-2024-3721 is a critical vulnerability affecting TBK DVR models, including DVR-4104 and DVR-4216, as of April 12, 2024. The flaw stems from improper handling of the /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___ path, where the mdb and mdc parameters can be manipulated to inject OS commands. Successful exploitation allows remote attackers to execute arbitrary commands on affected devices.

Figure 2: CVE-2024-3721 exploit traffic

CVE-2024-12856 impacts Four-Faith router models F3x24 and F3x36. The vulnerability allows authenticated remote attackers to execute arbitrary operating system commands via HTTP by exploiting the apply.cgi interface when modifying the system time.

Figure 3: CVE-2024-12856 exploit traffic
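The two exploit patterns above can be matched on the request level. The following detection routine is an added example, not Fortinet's signature logic: it flags a device.rsp request carrying the ___S_O_S_T_R_E_A_MAX___ command with shell metacharacters in mdb or mdc, and a POST to apply.cgi with metacharacters in the time-setting fields (the adj_time_* field names are an assumption taken from the IPS signature name; the sample records are constructed).

```python
import re
from typing import Dict, List, Optional
from urllib.parse import unquote_plus

# Characters that let a form value break out into a shell command.
SHELL_META = re.compile(r"[;|&`$\n]")

def parse_form(data: str) -> Dict[str, List[str]]:
    """Split form-encoded data on '&' only, so a ';' inside a value survives."""
    out: Dict[str, List[str]] = {}
    for pair in filter(None, data.split("&")):
        key, _, value = pair.partition("=")
        out.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return out

def classify_request(method: str, target: str, body: str = "") -> Optional[str]:
    """Label a request as one of the two exploit patterns, or None.
    target is the request-target, body the form-encoded POST body."""
    path, _, query_string = target.partition("?")
    path = path.lower()
    query, form = parse_form(query_string), parse_form(body)
    # CVE-2024-3721: /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___ with shell
    # metacharacters injected through mdb or mdc.
    if (path.endswith("/device.rsp") and query.get("opt") == ["sys"]
            and query.get("cmd") == ["___S_O_S_T_R_E_A_MAX___"]):
        for key in ("mdb", "mdc"):
            if any(SHELL_META.search(v) for v in query.get(key, [])):
                return "CVE-2024-3721"
    # CVE-2024-12856: POST to apply.cgi changing the system time. Assumption:
    # the injectable fields are the adj_time_* fields named in the IPS
    # signature; the router's real form may name them differently.
    if path.endswith("/apply.cgi") and method.upper() == "POST":
        for key, values in form.items():
            if key.startswith("adj_time") and any(SHELL_META.search(v) for v in values):
                return "CVE-2024-12856"
    return None

# Constructed sample records (method, request-target, body); not real captures.
SAMPLE_REQUESTS = [
    ("GET", "/device.rsp?opt=user&cmd=list", ""),
    ("GET", "/device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=;echo%20x", ""),
    ("POST", "/apply.cgi", "adj_time_year=2024&adj_time_month=1"),
    ("POST", "/apply.cgi", "adj_time_year=2024;echo%20x&adj_time_month=1"),
]

def scan(records=SAMPLE_REQUESTS) -> List[str]:
    """CVE labels of every matching record, in order."""
    return [label for label in (classify_request(*r) for r in records) if label]
```

Feed `scan()` tuples parsed from a web-server access log or a proxy capture; a hit on either label is a candidate exploitation attempt worth correlating with outbound downloads from the device.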

Downloader Analysis

RondoDox was initially distributed to target Linux-based operating systems running on ARM and MIPS architectures. However, recent findings show the emergence of a shell script downloader that suggests the malware is now capable of targeting a broader range of Linux architectures, including Intel 80386, MC68000, MIPS R3000, PowerPC, SuperH, ARCompact, x86-64, and AArch64.

Figure 4: "RondoDox" downloader shell script

The shell script begins by instructing the victim host to ignore several signals, including SIGTTOU, SIGTTIN, SIGTSTP, SIGHUP, SIGPIPE, SIGINT, SIGQUIT, and SIGTERM. It then checks for writable paths such as /dev, /dev/shm, the victim user’s home directory, /mnt, /run/user/0, /var/log, /var/run, /var/tmp, and /data/local/tmp, verifying if any are mounted without the noexec flag as listed in /proc/mounts. Finally, it creates a lib directory inside /tmp, downloads and executes the “RondoDox” malware, and clears the command execution history to evade detection.
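The writable-but-executable check the downloader performs is also a useful hardening audit from the other side. The following is an added example, not the downloader's code: it parses /proc/mounts text, resolves each of the probed directories to its owning mount, and reports which of them lack noexec (the /proc/mounts excerpt is constructed; /tmp is included because the script drops its lib directory there, and the home directory is left out of the fixed list).

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# The directories the downloader probes (plus /tmp, where it drops its lib
# directory); the user's home directory is omitted from this fixed list.
CANDIDATE_DIRS = ["/dev", "/dev/shm", "/mnt", "/run/user/0", "/var/log",
                  "/var/run", "/var/tmp", "/data/local/tmp", "/tmp"]

def parse_proc_mounts(text: str) -> List[Tuple[str, Set[str]]]:
    """Return (mount_point, option_set) pairs from /proc/mounts content.
    Mount points are written with octal escapes (\\040 for a space)."""
    mounts = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        point = re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), fields[1])
        mounts.append((point, set(fields[3].split(","))))
    return mounts

def owning_mount(path: str, mounts) -> Optional[Tuple[str, Set[str]]]:
    """The mount whose mount point is the longest prefix of path."""
    best = None
    for point, opts in mounts:
        if path == point or path.startswith(point.rstrip("/") + "/"):
            if best is None or len(point) > len(best[0]):
                best = (point, opts)
    return best

def exec_capable_dirs(proc_mounts: str, dirs=CANDIDATE_DIRS) -> Dict[str, bool]:
    """True for each directory whose filesystem lacks noexec."""
    mounts = parse_proc_mounts(proc_mounts)
    result = {}
    for d in dirs:
        found = owning_mount(d, mounts)
        if found is not None:
            result[d] = "noexec" not in found[1]
    return result

# Constructed /proc/mounts excerpt (not from a real host).
SAMPLE_PROC_MOUNTS = """\
/dev/root / ext4 rw,relatime 0 0
devtmpfs /dev devtmpfs rw,nosuid,noexec,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec 0 0
tmpfs /run tmpfs rw,nosuid,nodev,mode=755 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
tmpfs /var/tmp tmpfs rw,nosuid,nodev,noexec 0 0
"""
```

On a live host, pass `open("/proc/mounts").read()` instead of the sample; every directory reported True is one the downloader could execute from, and mounting it noexec removes that option.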

RondoDox Analysis

The following analysis focuses on the x86-64 architecture binary named rondo.x86_64.

The RondoDox malware encodes its configuration data using a simple XOR obfuscation algorithm. This includes elements such as file paths and tool filenames. All encoded values can be decrypted using the hexadecimal key 0x21.

Figure 5: XOR-encoded configuration

After decoding its configuration data, RondoDox implements a persistence mechanism to maintain its presence on the victim host.

Figure 6: Persistence method used by modifying file permission and file link

RondoDox modifies file permissions and symbolic links to establish persistence. As shown in Figure 6, the XOR-encoded values byte_51D670 and byte_51D6C0 decode to /etc/init.d/rondo and /etc/rc3.d/S99rondo, respectively. Additionally, the malware embeds a shell script designed to execute its persistence routines on the victim system.

Figure 7: Embedded shell script executing persistence methods

In addition to using init scripts, RondoDox appends its launch command to several system startup files, including /etc/rcS, /etc/init.d/rcS, and /etc/inittab, as well as to both user and root crontab entries. This layered persistence strategy ensures that even if one method is removed or disabled, others remain active to automatically reinstate the botnet upon system reboot.

Figure 8: Persistence methods beyond shell script

Figure 9: Persistence method used by launching “etc/init.d/rcS”
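The persistence artefacts named above are concrete enough to hunt for. The following triage routine is an added example, not part of the report or the malware: it checks for the two init-script paths, greps the startup files and crontabs for the "rondo" and /tmp/lib markers, and can either read a live host or run over a snapshot dictionary (the crontab paths are Debian-style assumptions, and the sample snapshot is constructed).

```python
from typing import Dict, List, Optional

# Paths the report names as persistence artefacts (Figures 6 to 9).
PERSISTENCE_FILES = ["/etc/init.d/rondo", "/etc/rc3.d/S99rondo"]
# Startup files the launch command is appended to; the crontab locations are
# assumptions (Debian-style paths), other distributions differ.
STARTUP_FILES = ["/etc/rcS", "/etc/init.d/rcS", "/etc/inittab",
                 "/etc/crontab", "/var/spool/cron/crontabs/root"]
MARKERS = ("rondo", "/tmp/lib/")

def hunt(snapshot: Dict[str, Optional[str]]) -> List[str]:
    """Findings for a snapshot {path: file content, or None if absent}."""
    findings = []
    for path in PERSISTENCE_FILES:
        if snapshot.get(path) is not None:
            findings.append(f"persistence file present: {path}")
    for path in STARTUP_FILES:
        content = snapshot.get(path)
        if not content:
            continue
        for lineno, line in enumerate(content.splitlines(), 1):
            if any(marker in line for marker in MARKERS):
                findings.append(f"{path}:{lineno}: {line.strip()}")
    return findings

def snapshot_from_host() -> Dict[str, Optional[str]]:
    """Build the snapshot from the running host (unreadable or absent -> None)."""
    snap: Dict[str, Optional[str]] = {}
    for path in PERSISTENCE_FILES + STARTUP_FILES:
        try:
            with open(path, errors="replace") as fh:
                snap[path] = fh.read()
        except OSError:
            snap[path] = None
    return snap

# Constructed snapshot of a tampered host; contents are illustrative, not
# the malware's actual scripts.
SAMPLE_SNAPSHOT: Dict[str, Optional[str]] = {
    "/etc/init.d/rondo": "#!/bin/sh\n/tmp/lib/rondo.x86_64 &\n",
    "/etc/rc3.d/S99rondo": None,
    "/etc/inittab": "id:3:initdefault:\n::sysinit:/etc/init.d/rcS\n"
                    "::once:/tmp/lib/rondo.x86_64\n",
    "/etc/crontab": "@reboot root /tmp/lib/rondo.x86_64\n",
}

if __name__ == "__main__":
    for finding in hunt(SAMPLE_SNAPSHOT):
        print(finding)
```

Because the malware layers several methods, remediation should clear every finding in one pass before the next reboot, not just the first one found.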

Upon execution, RondoDox retrieves its own process ID and scans the system for specific applications. It looks for keywords associated with network utilities (such as wget and curl), system analysis tools (like Wireshark and gdb), or other malware (e.g., cryptominers or Redtail variants). If any such processes are detected, RondoDox immediately terminates them to evade analysis and maintain operational stealth.
Process names checked: dhpcd, apcid, redtail, xmrig, miner, ps, top, htop, pstree, lsof, netstat, ss, wireshark, tshark, ngrep, dumpcap, tcpdump, passwd, chpasswd, iptables, nc, netcat, ufw, gdb, gdbserver, cgdb, strace, valgrind, stap, dtrace, sysdig, bpftrace, scp, shutdown, poweroff, halt, reboot.

Figure 10: Checking the victim host's environment

During analysis of RondoDox, we noticed that the malware writes the email address vanillabotnet@protonmail[.]com to the file tmp/contact.txt. However, no further use of this address has been observed within the malware’s execution flow or command logic.

Figure 11: Adding email to the contact file

Next, RondoDox scans several common Linux executable directories, including:

  • /usr/sbin
  • /usr/bin
  • /usr/local/bin
  • /usr/local/sbin

It then renames selected executable files to hardcoded strings of random characters. This action is intended to disrupt critical system functions, including firewall configuration, user account management, and shutdown operations. By corrupting these binaries, the malware impairs system stability and complicates recovery efforts.
Original File Name    Modified File Name
iptables              jsuJpf
ufw                   nqqbsc
passwd                ahwdze
chpasswd              ereghx
shutdown              hhrqwk
poweroff              dcwkkb
halt                  cjtzgw
reboot                gaajct

Figure 12: Renaming the executable file to hard-coded characters
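The rename table gives a direct host check. The following is an added example, not Fortinet's or the malware's code: it inventories the four directories listed above and reports originals whose hard-coded replacement name is present (a strong signal, since those names mean nothing otherwise) separately from originals that are simply absent (weaker, because some of them are not installed everywhere). The sample listing is constructed.

```python
import os
from typing import Dict, List

# Rename table from Figure 12: original binary -> hard-coded replacement name.
RENAMED: Dict[str, str] = {
    "iptables": "jsuJpf", "ufw": "nqqbsc", "passwd": "ahwdze",
    "chpasswd": "ereghx", "shutdown": "hhrqwk", "poweroff": "dcwkkb",
    "halt": "cjtzgw", "reboot": "gaajct",
}
BIN_DIRS = ["/usr/sbin", "/usr/bin", "/usr/local/bin", "/usr/local/sbin"]

def check_listing(listing: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """listing maps each directory to the file names it contains.
    'renamed' lists originals whose hard-coded replacement name exists
    anywhere (strong signal: those names are otherwise meaningless);
    'missing' lists originals absent from every directory (weaker: ufw, for
    instance, is simply not installed on many systems)."""
    present = {name for names in listing.values() for name in names}
    renamed = sorted(f"{orig} -> {new}" for orig, new in RENAMED.items() if new in present)
    missing = sorted(orig for orig in RENAMED if orig not in present)
    return {"renamed": renamed, "missing": missing}

def listing_from_host() -> Dict[str, List[str]]:
    """Collect the real directory contents of the running host."""
    return {d: (os.listdir(d) if os.path.isdir(d) else []) for d in BIN_DIRS}

# Constructed, abridged listing of a tampered host (not a real dump).
SAMPLE_LISTING: Dict[str, List[str]] = {
    "/usr/sbin": ["jsuJpf", "hhrqwk", "useradd", "sshd"],
    "/usr/bin": ["ahwdze", "chpasswd", "ls", "cat"],
    "/usr/local/bin": [],
    "/usr/local/sbin": ["gaajct"],
}

if __name__ == "__main__":
    result = check_listing(SAMPLE_LISTING)
    print("renamed:", result["renamed"])
    print("missing:", result["missing"])
```

Run `check_listing(listing_from_host())` on a suspect device; a hit in `renamed` also tells you which original to restore from the package manager or firmware image.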

After completing its setup routines, RondoDox decodes its command-and-control (C2) server address—83[.]150[.]218[.]93—using the key "rondo", and then initiates a connection to the server.

Figure 13: XOR-Encoded C2 address
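Both encodings on this page, the 0x21 single-byte XOR over the configuration strings and the "rondo" repeating key over the C2 address, are the same operation. The following decoder is an added example, not code from the binary: the encoded blobs were produced here by XOR-ing the two persistence paths from Figure 6 and the C2 address quoted above, so they are constructed inputs rather than bytes dumped from rondo.x86_64, and the assumption that entries are separated by an unencoded NUL byte is stated in the code.

```python
from typing import List

def xor_decode(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encodes, since XOR is its own inverse."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def decode_string_table(blob: bytes, key: bytes) -> List[str]:
    """Decode a run of NUL-separated encoded C strings, restarting the key at
    every string, which is how a per-string decode loop in the binary behaves.
    Assumption: entries are separated by an unencoded NUL byte."""
    return [xor_decode(entry, key).decode("ascii", "replace")
            for entry in blob.split(b"\x00") if entry]

# Constructed sample: the two persistence paths from Figure 6, XOR-encoded here
# with 0x21 (these are not bytes dumped from rondo.x86_64).
CONFIG_BLOB = (b"\x0eDUB\x0eHOHU\x0fE\x0eSNOEN\x00"
               b"\x0eDUB\x0eSB\x12\x0fE\x0er\x18\x18SNOEN\x00")
# Constructed sample: the C2 address 83[.]150[.]218[.]93 from the report,
# encoded here with the key "rondo".
C2_BLOB = bytes.fromhex("4a5c40555a42415c55575c565d")

def decode_config() -> List[str]:
    return decode_string_table(CONFIG_BLOB, b"\x21")

def decode_c2() -> str:
    return xor_decode(C2_BLOB, b"rondo").decode("ascii")

if __name__ == "__main__":
    for path in decode_config():
        print(path)
    print(decode_c2())
```

For a real sample, point `decode_string_table` at the bytes of the .data region that holds byte_51D670 and its neighbours; a single-byte key is also easy to recover by XOR-ing a known plaintext such as "/etc/" against the first bytes.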

Figure 14: Establish the connection with C2

The malware receives commands from its C2 server for subsequent DDoS attacks.

Figure 15: Commands from the C2 server

RondoDox is capable of launching distributed denial-of-service (DDoS) attacks using three primary protocols: HTTP, UDP, and TCP. To evade detection, it disguises malicious traffic by emulating popular games and platforms such as Valve, Minecraft, Dark and Darker, Roblox, DayZ, Fortnite, GTA, as well as tools like Discord, OpenVPN, WireGuard, and RakNet.

For example, when RondoDox receives a command from its C2 server to attack a specific target while impersonating OpenVPN traffic, it crafts packet payloads that include the OpenVPN "magic byte," which begins with \x38, as shown in Figure 17.

Beyond gaming and chat protocols, RondoDox can also mimic custom traffic from tunneling and real-time communication services, including WireGuard, OpenVPN variants (e.g., openvpnauth, openvpncrypt, openvpntcp), STUN, DTLS, and RTC. By impersonating these legitimate services, the malware significantly increases the difficulty for defenders in effectively identifying and blocking its traffic.

Figure 16: Disguise malicious traffic

Figure 17: Disguise attack traffic as OpenVPN traffic

Figure 18: Establishing a connection with a target for a DDoS attack
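The OpenVPN "magic byte" has a defined meaning: the first byte of an OpenVPN packet is (opcode << 3) | key_id, so \x38 is opcode 7, P_CONTROL_HARD_RESET_CLIENT_V2, the packet a genuine client sends once to open a session. The following classifier is an added example, not part of the report: it decodes that header and flags sources that keep sending hard-resets without ever advancing to an ACK, control or data packet, which a real client does after one reset and a few retransmits (the traffic sample is constructed from documentation-range addresses).

```python
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Tuple

# OpenVPN packet header: first byte = (opcode << 3) | key_id.
OPCODES: Dict[int, str] = {
    1: "P_CONTROL_HARD_RESET_CLIENT_V1", 2: "P_CONTROL_HARD_RESET_SERVER_V1",
    3: "P_CONTROL_SOFT_RESET_V1", 4: "P_CONTROL_V1", 5: "P_ACK_V1",
    6: "P_DATA_V1", 7: "P_CONTROL_HARD_RESET_CLIENT_V2",
    8: "P_CONTROL_HARD_RESET_SERVER_V2", 9: "P_DATA_V2",
    10: "P_CONTROL_HARD_RESET_CLIENT_V3",
}
HANDSHAKE_PROGRESS = {"P_ACK_V1", "P_CONTROL_V1", "P_DATA_V1", "P_DATA_V2"}

def parse_opcode(payload: bytes) -> Optional[Tuple[str, int]]:
    """(opcode name, key_id) from the first byte of a UDP payload, or None."""
    if not payload:
        return None
    first = payload[0]
    return OPCODES.get(first >> 3, f"UNKNOWN_{first >> 3}"), first & 0x07

def flag_reset_floods(packets: Iterable[Tuple[str, bytes]], threshold: int = 20) -> List[str]:
    """Sources that sent >= threshold client hard-resets (0x38 headers) but
    never advanced to an ACK, control or data packet. A real client sends one
    hard-reset (plus a few retransmits) and then continues the handshake."""
    resets: Dict[str, int] = defaultdict(int)
    progressed = set()
    for src, payload in packets:
        parsed = parse_opcode(payload)
        if parsed is None:
            continue
        name, _key_id = parsed
        if name == "P_CONTROL_HARD_RESET_CLIENT_V2":
            resets[src] += 1
        elif name in HANDSHAKE_PROGRESS:
            progressed.add(src)
    return sorted(src for src, n in resets.items() if n >= threshold and src not in progressed)

# Constructed traffic (documentation-range addresses, filler bodies): a real
# client that completes its handshake, and a flood that only repeats 0x38.
HARD_RESET = b"\x38" + b"\x00" * 8      # opcode 7, key_id 0, zeroed session id
SAMPLE_PACKETS: List[Tuple[str, bytes]] = (
    [("192.0.2.10", HARD_RESET), ("192.0.2.10", HARD_RESET)]
    + [("192.0.2.10", b"\x28" + b"\x00" * 8), ("192.0.2.10", b"\x20" + b"\x00" * 8)]
    + [("198.51.100.7", HARD_RESET + b"\x41" * 64)] * 25
)

if __name__ == "__main__":
    print(flag_reset_floods(SAMPLE_PACKETS))  # ['198.51.100.7']
```

The same opcode/handshake-progress logic applies to the openvpntcp variant once the two-byte length prefix of OpenVPN-over-TCP is stripped; for a server with tls-auth enabled, a hard-reset that fails the HMAC check is an even cheaper discriminator.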

Conclusion

RondoDox is a sophisticated and emerging malware threat that employs advanced evasion techniques, including anti-analysis measures, XOR-encoded configuration data, custom-built libraries, and a robust persistence mechanism. These capabilities allow it to remain undetected and maintain long-term access on compromised systems.

The malware primarily exploits two known vulnerabilities—CVE-2024-3721 and CVE-2024-12856—highlighting the critical need for timely patching of affected systems. Its use of obfuscation, service mimicry, and multi-layered persistence underscores its growing threat potential.

Ongoing monitoring, threat intelligence sharing, and in-depth behavioral analysis are crucial for comprehending the full extent of RondoDox and for developing effective detection and mitigation strategies.

Fortinet Protections

The malware described in this report is detected and blocked by FortiGuard Antivirus as:

BASH/RondoDox.A!tr.dldr
ELF/RondoDox.CTO!tr

FortiGate, FortiMail, FortiClient, and FortiEDR support the FortiGuard AntiVirus service. The FortiGuard AntiVirus engine is part of each of these solutions. As a result, customers who have these products with up-to-date protections are protected.

The FortiGuard Web Filtering Service blocks the C2 server.

FortiGuard Labs provides an IPS signature against attacks exploiting the following vulnerabilities:

CVE-2024-3721: TBK.DVR.SOSTREAMAX.Command.Injection
CVE-2024-12856: Four-Faith.Routers.adj_time_year.Command.Injection

We also suggest that organizations consider completing Fortinet’s free training module, Fortinet Certified Fundamentals (FCF) in Cybersecurity. This module is designed to help end users learn how to identify and protect themselves from phishing attacks.

The FortiGuard IP Reputation and Anti-Botnet Security Service proactively blocks these attacks by aggregating malicious source IP data from the Fortinet distributed network of threat sensors, CERTs, MITRE, cooperative competitors, and other global sources that collaborate to provide up-to-date threat intelligence about hostile sources.

If you believe this or any other cybersecurity threat has impacted your organization, please contact our Global FortiGuard Incident Response Team.

IOCs

Hosts


Files

Downloader

c88f60dbae08519f2f81bb8efa7e6016c6770e66e58d77ab6384069a515e451c
eb3e2a6a50f029fc646e2c3483157ab112f4f017406c3aabedaae0c94e0969f6
f4cd7ab04b1744babef19d147124bfc0e9e90d557408cc2d652d7192df61bda9

RondoDox
Source: https://feeds.fortinet.com/~/921112727/0/fortinet/blog/threat-research~RondoDox-Unveiled-Breaking-Down-a-New-Botnet-Threat