Rising Threat: RondoDox Malware Exploits Vulnerabilities in DVRs and Routers
Cybersecurity experts have raised alarms over a new malware campaign targeting specific vulnerabilities in TBK digital video recorders (DVRs) and Four-Faith routers. This malware is known as RondoDox and is notably adept at forming a botnet by exploiting existing security gaps.
Understanding the Vulnerabilities
The campaign exploits two particular security flaws: CVE-2024-3721 and CVE-2024-12856. The former affects TBK DVR models 4104 and 4216 through a command injection vulnerability deemed medium-severity. The latter targets Four-Faith router models F3x24 and F3x36, similarly through an operating system command injection bug. These devices, commonly found in retail environments, warehouses, and small offices, often remain unmonitored, making them prime targets for exploitation.
Historical evidence shows that these vulnerabilities have previously been leveraged to deploy variants of the Mirai botnet, underscoring their appeal to cybercriminals.
The Risks of Unpatched Devices
According to Vincent Li, a researcher at Fortinet FortiGuard Labs, these vulnerabilities are not only publicly known but actively being targeted. This poses serious risks not just to individual device security but to the integrity of entire networks. Devices often run outdated firmware or have misconfigured ports, leaving them exposed directly to the Internet, thus increasing the likelihood of compromise.
The Mechanism Behind RondoDox
The RondoDox malware was first identified in September 2024 as an ELF binary capable of mimicking network traffic from platforms like gaming networks or VPNs. This stealthy approach makes detection by traditional security measures increasingly difficult.
What sets RondoDox apart from other malware is its tactical use of infected devices. Rather than utilizing them as typical botnet nodes, attackers repurpose them as stealth proxies. This allows them to obscure command-and-control traffic and conduct layered scams or DDoS-for-hire operations that blend financial fraud with infrastructure disruption.
Multi-Architecture Targeting
RondoDox was initially developed to target Linux-based operating systems running on ARM and MIPS architectures. Its distribution relies on a shell script downloader, which can also target various other architectures including Intel 80386, MIPS R3000, and PowerPC, among others. This breadth not only highlights its adaptability but signifies a shift in malware distribution techniques.
Upon execution, the script instructs the infected device to ignore standard termination signals, effectively enabling persistence. It searches for writable paths across different directories and ultimately downloads the RondoDox malware onto the host. Once deployed, it takes steps to erase command execution history, ensuring that criminal activities remain obscured.
Escaping Detection and Maintaining Stealth
Once embedded, RondoDox scans running processes, terminating any related to network utilities and system analysis tools to maintain a lower profile. The malware exemplifies modern threats by using multi-architecture droppers and encrypted payloads to circumvent traditional intrusion detection systems (IDS).
Impairing Recovery Efforts
RondoDox’s design also includes features aimed at hindering recovery efforts by altering filenames of critical executable files with randomly generated characters. This malicious renaming makes it challenging to restore normal system operations. For example, common utilities such as iptables and shutdown could be renamed to non-descriptive strings, complicating troubleshooting tasks for IT professionals.
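Because the renaming described above changes only the filename and not the file contents, a defender can still find the displaced utilities by hashing the binaries in a system directory and matching them against a known-good baseline. The following is an added example (not code from the Fortinet report or from the malware); the file contents and filenames below are constructed stand-ins, and a real baseline would be hashed from a known-good firmware image.

```python
import hashlib
from typing import Dict, List, Tuple

# Constructed stand-ins for the contents of a few critical binaries on a
# known-good device (real use: hash the files from a clean firmware image).
BASELINE_CONTENT = {
    "iptables": b"ELF\x01 iptables-stub",
    "shutdown": b"ELF\x01 shutdown-stub",
    "busybox": b"ELF\x01 busybox-stub",
}

# Constructed listing of the same directory after tampering of the kind the
# article describes: iptables now sits under a random name, shutdown is gone
# entirely, and an unrelated file with a random name has appeared.
CURRENT_CONTENT = {
    "busybox": b"ELF\x01 busybox-stub",
    "q7Zk2mX9": b"ELF\x01 iptables-stub",
    "a3bF8c": b"ELF\x01 dropped-payload",
}


def hash_listing(contents: Dict[str, bytes]) -> Dict[str, str]:
    """Map each filename to the SHA-256 of its content."""
    return {name: hashlib.sha256(blob).hexdigest() for name, blob in contents.items()}


def audit_bin_dir(baseline: Dict[str, str], current: Dict[str, str]
                  ) -> Tuple[Dict[str, str], List[str], List[str]]:
    """Compare a live listing (name -> sha256) with the baseline.

    Returns (renamed, missing, unknown):
      renamed - unexpected filename -> baseline utility whose content it carries
      missing - baseline utilities with no intact or renamed copy left
      unknown - files whose content matches nothing in the baseline
    """
    hash_to_name = {digest: name for name, digest in baseline.items()}
    renamed: Dict[str, str] = {}
    unknown: List[str] = []
    for name, digest in current.items():
        if baseline.get(name) == digest:
            continue  # expected name with expected content
        original = hash_to_name.get(digest)
        if original is not None and original != name:
            renamed[name] = original  # same binary, new random-looking name
        else:
            unknown.append(name)
    intact = {name for name, digest in current.items() if baseline.get(name) == digest}
    missing = sorted(set(baseline) - intact - set(renamed.values()))
    return renamed, missing, sorted(unknown)


if __name__ == "__main__":
    print(audit_bin_dir(hash_listing(BASELINE_CONTENT), hash_listing(CURRENT_CONTENT)))
```

Content hashing also catches the case where an attacker drops a replacement under the original name, since that file lands in the unknown list rather than passing as intact.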
Command Execution and DDoS Capability
Once the initial setup is complete, RondoDox contacts an external server to receive further commands for executing distributed denial-of-service (DDoS) attacks. These attacks are executed using a variety of protocols, including HTTP, UDP, and TCP.
To obscure its malicious activity, RondoDox can simulate traffic from widely used applications and entertainment platforms like Fortnite, Roblox, and Discord. This tactic allows it to blend in with regular internet traffic, making it difficult for security teams to spot and block it effectively.
The Evolving Landscape of Malware
RondoDox represents a growing trend in cybersecurity threats that leverage sophisticated evasion techniques, including anti-analysis measures and XOR-encoded configuration data. As highlighted by Li, the malware’s design allows for prolonged access to compromised systems, demonstrating just how advanced contemporary threats have become.
The development and capabilities of RondoDox underscore the ongoing need for vigilance in fortifying network security and actively monitoring devices, especially in environments where unpatched equipment can lead to widespread vulnerability.