New “Goldoon” Botnet Targeting D-Link Devices | FortiGuard Labs

Affected Platforms: D-Link DIR-645 Wired/Wireless Router Rev. Ax with firmware 1.04b12 and earlier
Impacted Users: Any organization
Impact: Remote attackers gain control of the vulnerable systems
Severity Level: High

In April, FortiGuard Labs observed a new botnet targeting a D-Link vulnerability from nearly a decade ago, CVE-2015-2051. This vulnerability allows remote attackers to execute arbitrary commands via a GetDeviceSettings action on the HNAP interface: an attacker sends a crafted HTTP request with the malicious command embedded in a header.

Our IPS signature captured attempts to exploit the CVE-2015-2051 vulnerability to propagate a new botnet that we have named “Goldoon.” Figure 1 shows the attack packet. If a targeted device is compromised, attackers can gain complete control, enabling them to extract system information, establish communication with a C2 server, and then use these devices to launch further attacks, such as distributed denial-of-service (DDoS). Our telemetry data also indicates that this botnet activity spiked in April, almost doubling the usual frequency.

In this article, we will provide detailed insights into the propagation and actions of the Goldoon botnet.

Figure 1: CVE-2015-2051 payload

Figure 2: IPS signature telemetry

Figure 2: IPS signature telemetry


The attackers first exploit CVE-2015-2051 to download a shell script named “dropper” from “hxxp://94[.]228[.]168[.]60:8080.” The script automatically downloads, executes, and removes payload binaries for a wide range of Linux architectures, including aarch64, arm, i686, m68k, mips64, mipsel, powerpc, s390x, sparc64, x86-64, sh4, riscv64, DEC Alpha, and PA-RISC. Each downloaded file, named “goldoon,” is executed immediately after it is downloaded and made executable. After execution, the script removes the executed file and then deletes itself to erase any trace of its activity, which improves its stealth.

Figure 3: Script file "dropper"

The primary role of the “i686-linux-gnu” binary fetched by the dropper is to retrieve the actual botnet payload. It first uses the XOR key “YesItsAnAntiHoneypotBaby” to decode two specific strings, “linux” and “i686-linux-gnu.” After decoding, it attaches them to “/bins” to construct the full Uniform Resource Identifier (URI). It then requests the final payload with a fixed header, “User-Agent: FBI-Agent (Checking You).”
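
The decoding step can be reproduced offline. The following Python is an added example, not code from the report or from the malware: it implements repeating-key XOR with the key named above, carves printable strings out of a constructed byte blob that stands in for a slice of the downloader binary, and assembles the payload path. The repeating-key scheme (the key restarting at index 0 for every string) and the “/bins/<dir>/<file>” layout are assumptions; the report only states that the two decoded strings are attached to “/bins.”

```python
from itertools import cycle

# XOR key named in the report.
XOR_KEY = b"YesItsAnAntiHoneypotBaby"


def xor_with_key(data, key=XOR_KEY):
    """Repeating-key XOR. Assumption: the key restarts at index 0 for every
    string. XOR is its own inverse, so this both encodes and decodes."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def carve_strings(blob, key=XOR_KEY, min_len=5):
    """Decode the blob from every offset and keep runs of printable ASCII.

    Returns (offset, text) pairs. After a hit the scan skips past it so the
    same string is not reported again from each of its inner offsets."""
    found = []
    offset = 0
    while offset < len(blob):
        run = bytearray()
        for b, k in zip(blob[offset:], cycle(key)):
            c = b ^ k
            if 0x20 <= c < 0x7F:
                run.append(c)
            else:
                break
        if len(run) >= min_len:
            found.append((offset, run.decode("ascii")))
            offset += len(run)
        else:
            offset += 1
    return found


def build_payload_path(arch_dir, file_name, prefix="/bins"):
    """Assumed layout of the payload URI: prefix/<decoded dir>/<decoded file>."""
    return "/".join((prefix, arch_dir, file_name))


# Constructed stand-in for a slice of the downloader binary: the two strings
# the report names, XOR-encoded, between 0xFF filler bytes (not real data).
SAMPLE_BLOB = (
    b"\xff" * 16
    + xor_with_key(b"linux")
    + b"\xff" * 8
    + xor_with_key(b"i686-linux-gnu")
    + b"\xff" * 4
)


def recover_payload_path(blob=SAMPLE_BLOB):
    """Carve the encoded strings and rebuild the path the downloader requests."""
    strings = [text for _, text in carve_strings(blob)]
    if len(strings) < 2:
        raise ValueError("expected two encoded strings, found %r" % strings)
    return build_payload_path(strings[0], strings[1])


if __name__ == "__main__":
    for offset, text in carve_strings(SAMPLE_BLOB):
        print("offset %d: %s" % (offset, text))
    print("payload path:", recover_payload_path())
```

On a real sample the filler is not uniform, so runs of zero bytes decode to the key itself and show up as a printable run; an analyst scanning a whole binary with `carve_strings` should expect (and discard) copies of the key among the hits.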

Figure 4: XOR function and key for decoding URI

Figure 5: Hard-coded header

Figure 6: Packet capture for downloading Goldoon

Any attempt to open the targeted URI using a web browser will lead to the error message shown in Figure 7.

Figure 7: Error message

Finally, it iterates through a set of paths, modifying each file it can write to and then deleting those files. This is a second cleanup mechanism for covering its tracks on a compromised system.

Figure 8: Erase trace
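
The network side of the chain described so far (an HNAP request with a command in the header, the fetch of “dropper” from 94[.]228[.]168[.]60:8080, then the payload request with the “FBI-Agent (Checking You)” User-Agent under “/bins”) can be turned into simple log-review rules. The Python below is an added example, not code from the report. The log format, the sample lines, the dropper path “/dropper,” the payload host and the “/bins/linux/i686-linux-gnu” layout are all constructed, and the SOAPAction rule simply flags shell metacharacters in an HNAP header, which is the general shape of a CVE-2015-2051 signature rather than the exact logic of the FortiGuard IPS rule.

```python
import re

# Network indicators named in the report (the dropper IP is re-fanged from
# 94[.]228[.]168[.]60 so it can be matched).
DROPPER_HOST = "94.228.168.60"
DROPPER_PORT = 8080
PAYLOAD_USER_AGENT = "FBI-Agent (Checking You)"
PAYLOAD_PATH_PREFIX = "/bins/"
HNAP_PATH_PREFIX = "/HNAP1"
# Shell metacharacters that never belong in a well-formed SOAPAction URI.
SHELL_META = re.compile(r"[;`|&$]")

# Constructed log format (one HTTP request per line); not a real product format.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>[^:\s]+):(?P<port>\d+) '
    r'method=(?P<method>\S+) path=(?P<path>\S+) ua="(?P<ua>[^"]*)"'
    r'(?: soapaction="(?P<soap>[^"]*)")?$'
)

# Constructed sample traffic: a benign HNAP call, an HNAP call whose header
# carries a shell metacharacter (placeholder text, not a real payload), the
# router fetching the dropper, the payload fetch with the hard-coded
# User-Agent, and unrelated browsing.
SAMPLE_LOG = """\
2024-04-02T03:14:07Z src=192.0.2.10 dst=198.51.100.1:80 method=POST path=/HNAP1/ ua="Mozilla/5.0" soapaction="http://purenetworks.com/HNAP1/GetDeviceSettings"
2024-04-02T03:14:09Z src=192.0.2.10 dst=198.51.100.1:80 method=POST path=/HNAP1/ ua="curl/7.88.1" soapaction="http://purenetworks.com/HNAP1/GetDeviceSettings/;placeholder-not-a-command"
2024-04-02T03:14:12Z src=198.51.100.1 dst=94.228.168.60:8080 method=GET path=/dropper ua="Wget"
2024-04-02T03:14:15Z src=198.51.100.1 dst=203.0.113.7:80 method=GET path=/bins/linux/i686-linux-gnu ua="FBI-Agent (Checking You)"
2024-04-02T03:15:00Z src=192.0.2.44 dst=203.0.113.9:443 method=GET path=/index.html ua="Mozilla/5.0"
"""


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not fit."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def classify(rec):
    """Return the rule names a parsed request matches (empty list = clean)."""
    hits = []
    if rec["dst"] == DROPPER_HOST and int(rec["port"]) == DROPPER_PORT:
        hits.append("dropper-host")
    if rec["ua"] == PAYLOAD_USER_AGENT:
        hits.append("goldoon-user-agent")
    if rec["path"].startswith(PAYLOAD_PATH_PREFIX):
        hits.append("bins-payload-path")
    soap = rec["soap"]
    if rec["path"].startswith(HNAP_PATH_PREFIX) and soap and SHELL_META.search(soap):
        hits.append("hnap-soapaction-injection")
    return hits


def detect(log_text):
    """Scan log text; return (line_no, rule, source_ip) for every match."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        rec = parse_line(line)
        if rec is None:
            continue
        for rule in classify(rec):
            findings.append((line_no, rule, rec["src"]))
    return findings


if __name__ == "__main__":
    for line_no, rule, src in detect(SAMPLE_LOG):
        print("line %d: %s from %s" % (line_no, rule, src))
```

The source address matters when reading the output: the HNAP hit names the host probing the router, while the dropper and payload hits name the router itself, which is the device that needs to be isolated and re-flashed.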

Our analysis of the malware found the following behaviors:

  • Initializes required arguments
  • Sets autorun to persist in the victim device
  • Establishes a persistent connection with its Command and Control (aka, C2) server
  • Waits for commands from the C2 server to launch related behaviors

Goldoon first initializes the arguments it needs to establish a connection. For example, it uses “WolfSSL” to encrypt its traffic and sets the Google DNS servers (i.e., “”, “”) as its DNS resolver. These settings are prerequisites for the C2 communication described below.

Figure 9: Initialize DNS Server

Autorun Methods

There are ten different autorun methods, each intended to run the malware again after the victim’s device restarts or a user logs in. We classify them into three types: Boot Execution, Daemon, and Logon Execution.

The malware can launch itself through Linux boot initialization files or utilities such as “/etc/rc.local” and “crontab.”

Figure 10: Boot Execution with Crontab

Alternatively, it can install itself as a daemon named “goldoon.server” and enable that service so that it persists on the victim’s device.

Figure 11: Daemon by the Name of "goldoon.server"

In addition, the malware can also run automatically as soon as a user logs on to the compromised device.

Autorun Type       Autorun Method
Boot Execution     (methods not recovered)
Logon Execution    (methods not recovered)

Table 1: Autorun Method
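
A responder checking a device for the persistence mechanisms described above could start with a script like the following. It is an added example, not code from the report, and it runs against a constructed in-memory snapshot of host files rather than a live system. The report names “/etc/rc.local,” “crontab” and the “goldoon.server” daemon; the systemd unit path used for the Daemon class and the shell-profile files used for the Logon Execution class are assumptions.

```python
# Names the report gives for the binary and the daemon it installs.
MALWARE_NAMES = ("goldoon.server", "goldoon")

# Where each autorun type from Table 1 tends to live. /etc/rc.local and crontab
# are named in the report; the systemd and shell-profile locations are assumptions.
BOOT_PREFIXES = ("/etc/rc.local", "/etc/init.d/", "/var/spool/cron/", "/etc/cron")
DAEMON_PREFIXES = ("/etc/systemd/system/", "/lib/systemd/system/")
LOGON_SUFFIXES = (".bashrc", ".profile", ".bash_profile")

# Constructed snapshot of a suspect host (path -> file contents); not real data.
SAMPLE_HOST = {
    "/etc/rc.local": "#!/bin/sh\n/usr/bin/goldoon &\nexit 0\n",
    "/var/spool/cron/crontabs/root":
        "@reboot /tmp/goldoon\n0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf\n",
    "/etc/systemd/system/goldoon.server.service":
        "[Service]\nExecStart=/usr/bin/goldoon\n[Install]\nWantedBy=multi-user.target\n",
    "/root/.bashrc": "alias ll='ls -l'\n/usr/bin/goldoon &\n",
    "/etc/profile": "export PATH=/usr/local/bin:/usr/bin:/bin\n",
}


def classify_path(path):
    """Map a file path to the autorun type it implements (Table 1's classes)."""
    if path.startswith(DAEMON_PREFIXES):
        return "Daemon"
    if path.startswith(BOOT_PREFIXES):
        return "Boot Execution"
    if path == "/etc/profile" or path.endswith(LOGON_SUFFIXES):
        return "Logon Execution"
    return "Other"


def audit(snapshot, names=MALWARE_NAMES):
    """Return (autorun_type, path, line_no, line) for each non-comment line
    that references an indicator name. A file whose own name matches but
    whose lines do not is reported once with line_no 0."""
    findings = []
    for path, content in snapshot.items():
        before = len(findings)
        for line_no, line in enumerate(content.splitlines(), 1):
            text = line.strip()
            if not text or text.startswith("#"):
                continue
            if any(name in text for name in names):
                findings.append((classify_path(path), path, line_no, text))
        if len(findings) == before and any(name in path for name in names):
            findings.append((classify_path(path), path, 0, "<file name matches indicator>"))
    return findings


def by_type(findings):
    """Group hit paths by autorun type, mirroring the layout of Table 1."""
    grouped = {}
    for autorun_type, path, _, _ in findings:
        grouped.setdefault(autorun_type, set()).add(path)
    return {k: sorted(v) for k, v in grouped.items()}


if __name__ == "__main__":
    for autorun_type, paths in sorted(by_type(audit(SAMPLE_HOST)).items()):
        print(autorun_type)
        for p in paths:
            print("  " + p)
```

Matching on the file name is only as good as the indicator the report gives: a renamed copy of the binary would slip past `audit`, so on a real device the same locations should also be checked for unexpected `@reboot` entries, unit files and profile lines regardless of the name they reference.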

C2 Connection and Behavior

The Goldoon malware continuously tries to connect to its C2 server until a connection is established. It also collects information about the compromised system, such as the user name.

Figure 12: C2 Connecting Stage

Figure 13: Get Victim System Information

Once the connection is established, the Goldoon malware receives packets from the C2 server. These contain commands for follow-up actions.

Figure 14: Reading and Handling Packet

The packet handler has seven cases, selected by the C2 server. Two of them have obviously malicious purposes: one executes commands through “/bin/bash -c” on the victim host, and the other triggers different DoS attacks.

Figure 15: Command Execution

Attack Methods

According to our analysis, this malware contains an astounding 27 different methods related to various attacks.

Attack Method
ICMP Flooding
TCP Flooding, XMAS Attack, etc.
UDP Flooding
DNS Flooding
HTTP Bypass, HTTP Flooding, etc.
Minecraft DDoS Attack

Table 2: Attack Methods

Take a TCP SYN flooding attack as an example. The malware first gathers information about the target, such as its IP and port, and even checks whether the target IP is IPv6.

Figure 16: TCP SYN Flooding Attack Arguments

Goldoon can launch DoS attacks over common protocols and against the game Minecraft. The malware uses various packet types to launch these attacks; the TCP attacks alone use more than ten types of packets.

Figure 17: Commands for Attack Methods

Because some of these methods are empty, such as “http_exploit,” “http_xflow,” “http_pps,” and “http_cps,” we infer that the malware is still under active development.


While CVE-2015-2051 is not a new vulnerability and presents a low attack complexity, it has a critical security impact that can lead to remote code execution. Once attackers successfully exploit this vulnerability, they can incorporate compromised devices into their botnet to launch further attacks. FortiGuard Labs has identified one such new botnet, “Goldoon,” that is exploiting this vulnerability, reminding us that botnets continue to evolve and exploit as many devices as possible. We strongly recommend applying patches and updates whenever possible because of the ongoing development and introduction of new botnets.

Fortinet Protections

The malware described in this report is detected and blocked by FortiGuard Antivirus as:


FortiGate, FortiMail, FortiClient, and FortiEDR support the FortiGuard AntiVirus service. The FortiGuard AntiVirus engine is part of each of these solutions. As a result, customers who have these products with up-to-date protections are protected.

The FortiGuard Web Filtering Service blocks the C2 server.

FortiGuard Labs provides IPS signatures against attacks exploiting the following vulnerability:

CVE-2015-2051: D-Link.Devices.HNAP.SOAPAction-Header.Command.Execution

We also suggest that organizations go through Fortinet’s free cybersecurity training module: Fortinet Certified Fundamentals. This module is designed to help end users learn how to identify and protect themselves from phishing attacks.

The FortiGuard IP Reputation and Anti-Botnet Security Service proactively blocks these attacks by aggregating malicious source IP data from the Fortinet distributed network of threat sensors, CERTs, MITRE, cooperative competitors, and other global sources that collaborate to provide up-to-date threat intelligence about hostile sources.

If you believe this or any other cybersecurity threat has impacted your organization, please contact our Global FortiGuard Incident Response Team.
