Cyber security researchers have discovered a new variant Gaffit botnet targeting machines with weak SSH passwords for ultimate cryptocurrency mining on compromised instances using GPU processing power.
This suggests that “the IoT botnet is targeting more reliable servers running in native cloud environments,” said Aqua Security researcher Assaf Morag said in the analysis on Wednesday.
Gafgit (aka BASHLIT, Lizkebab, and Torlus), known as active in the wild since 2014, has a history exploiting weak or standard credentials to gain control over devices such as routers, cameras, and digital video recorders (DVRs). It is also capable of exploiting known security flaws in Dasan, Huawei, Realtek, SonicWall and Zyxel devices.
Infected devices combine into a botnet capable of launching distributed denial-of-service (DDoS) attacks against targets of interest. There is evidence to suggest that Gafgyt and Necro are controlled by a threat group called Cupcakewhich is also tracked as Kek Security and FreakOut.
IoT botnets like Gafgyt constantly is developing to add new features, p options discovered in 2021 using the TOR network to mask malicious activities, as well as borrowing some modules from the Mirai source code leak. It should be noted that the source code of Gafgyt was leaked on the internet in early 2015, further fueling the emergence of new versions and adaptations.
Recent attack chains involve brute-forcing SSH servers with weak passwords to deploy next-stage payloads to facilitate a cryptocurrency mining attack using “systemd-net”, but not before stopping competing malware already running on the compromised host.
It also runs a worm module, a Go-based SSH scanner called ld-musl-x86, which is responsible for scanning the Internet for poorly secured servers and spreading malware to other systems, effectively expanding the botnet’s scale. This includes SSH, Telnet and credentials related to game servers and cloud environments such as AWS, Azure and Hadoop.
“The crypto miner used is XMRig, a Monero cryptocurrency miner,” Morag said. “However, in this case, the threat actor seeks to run a cryptominer using the –opencl and –cuda flags, which use the processing power of GPUs and Nvidia GPUs.”
“This, combined with the fact that the threat actor’s primary exposure is cryptomining rather than DDoS attacks, supports our contention that this option is different from previous ones. It aims to target cloud environments with strong CPU and GPU capabilities.”
Data collected by Shodan’s query indicates that there are more than 30 million public SSH servers, so it is critical that users take steps to protect their instances from brute force attacks and potential exploitation.
