D-Link router and NAS owners, be careful, Goldoon malware targets your data, here’s how to protect yourself


According to Fortinet, the Goldoon botnet exploits the CVE-2015-2051 flaw to propagate a “dropper” script from a malicious server. This script is designed to delete itself and can run on various Linux system architectures. Once injected into a device, the dropper downloads and launches a file, opening the door to a series of malicious activities. Its main role is to retrieve the botnet file: it uses an XOR key to decrypt specific strings and construct the full URI for the payload. Once downloaded, the final payload is extracted using a hard-coded header, and cleanup mechanisms are engaged to hide traces on the compromised system.

“Although CVE-2015-2051 is not a new vulnerability and has low attack complexity, it has a critical security impact that can lead to remote code execution. Once attackers successfully exploit this vulnerability, they can integrate the compromised devices into their botnet to launch further attacks,” warn researchers from the Fortinet laboratory who discovered the relaunch of Goldoon.

Once it has infiltrated a device, the Goldoon malware can launch various DDoS attacks, including TCP flooding, ICMP flooding, and more targeted attacks such as Minecraft DDoS. These attacks can have a significant impact, disrupting both individual targets and larger networks.
