New Gafgyt botnet variant targets weak SSH passwords for GPU cryptomining
August 15, 2024 | Ravie Lakshmanan | Network Security / Cybercrime

Cybersecurity researchers have discovered a new variant of the Gafgyt botnet that attacks machines with weak SSH passwords, with the ultimate goal of mining cryptocurrency on the compromised instances using their GPU processing power.

This indicates that the “IoT botnet is targeting more robust servers running on cloud-native environments,” Assaf Morag, a researcher at Aqua Security, said in an analysis on Wednesday.

Gafgyt (also known as BASHLITE, Lizkebab, and Torlus), which has been known to be active in the wild since 2014, has a history of abusing weak or default credentials to gain control of devices such as routers, cameras, and digital video recorders (DVRs). It is also capable of exploiting known vulnerabilities in Dasan, Huawei, Realtek, SonicWall, and Zyxel devices.


The infected devices are bundled into a botnet capable of performing distributed denial-of-service (DDoS) attacks on targets of interest. Evidence suggests that Gafgyt and Necro are operated by a threat group called Keksec, which also goes by the names Kek Security and FreakOut.

IoT botnets like Gafgyt are constantly evolving to add new features, with variants detected in 2021 using the Tor network to disguise their malicious activity, as well as borrowing some modules from the leaked Mirai source code. It is worth noting that Gafgyt's own source code was leaked online in early 2015, further fueling the emergence of new versions and modifications.

Gafgyt Botnet Variant

The latest attack chains involve brute-forcing SSH servers with weak passwords to deploy the next-stage payloads, which enable a cryptocurrency mining attack using a binary named "systemd-net". This happens only after any competing malware already running on the compromised host has been terminated.

It also executes a worm module, a Go-based SSH scanner called ld-musl-x86, which is responsible for scanning the internet for poorly secured servers and spreading the malware to other systems, effectively increasing the scale of the botnet. The scanner's target list includes SSH and Telnet services, as well as credentials related to gaming servers and cloud environments such as AWS, Azure, and Hadoop.


"The cryptominer used is XMRig, a Monero cryptocurrency miner," Morag said. "However, in this case, the threat actor is attempting to run a cryptominer using the `--opencl` and `--cuda` flags, which leverage GPU and Nvidia GPU computational power."

“This, combined with the fact that the threat actor’s primary impact is crypto mining rather than DDoS attacks, supports our claim that this variant is different from the previous one. It targets cloud-native environments with strong CPU and GPU capabilities.”

Data collected by Shodan shows that there are over 30 million publicly accessible SSH servers. It is therefore essential that users take measures to secure the instances against brute-force attacks and potential abuse.
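As an added defender-side illustration (not code from the article or from Aqua Security), the following Python flags the two behaviours described above on a single host: a burst of failed SSH password attempts from one source, and processes whose name or command line matches the miner and scanner binaries the analysis names. The log lines, the process table and the /tmp paths are constructed sample data, not indicators taken from the report.

```python
import re
from collections import Counter

# Constructed sample sshd log lines (not from the article), in the default
# syslog format OpenSSH uses on Linux.
SAMPLE_AUTH_LOG = """\
Aug 15 10:01:02 host sshd[2101]: Failed password for root from 203.0.113.7 port 51234 ssh2
Aug 15 10:01:03 host sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Aug 15 10:01:04 host sshd[2105]: Failed password for root from 203.0.113.7 port 51250 ssh2
Aug 15 10:01:05 host sshd[2107]: Failed password for ubuntu from 203.0.113.7 port 51260 ssh2
Aug 15 10:01:06 host sshd[2109]: Failed password for root from 203.0.113.7 port 51270 ssh2
Aug 15 10:02:00 host sshd[2111]: Failed password for alice from 198.51.100.4 port 40000 ssh2
Aug 15 10:02:10 host sshd[2113]: Accepted publickey for alice from 198.51.100.4 port 40001 ssh2
"""

# Captures (user, source_ip) from both "Failed password for USER" and
# "Failed password for invalid user USER" variants.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+"
)

def brute_force_sources(log_text, threshold=5):
    """Return {source_ip: failure_count} for sources at or above the threshold."""
    failures = Counter(ip for _user, ip in FAILED_RE.findall(log_text))
    return {ip: n for ip, n in failures.items() if n >= threshold}

# Process names and XMRig GPU flags named in the Aqua analysis quoted above.
MASQUERADE_NAMES = {"systemd-net", "ld-musl-x86"}
GPU_MINER_FLAGS = {"--opencl", "--cuda"}

def suspicious_processes(process_table):
    """process_table: iterable of (name, cmdline) pairs, as read from
    /proc/<pid>/comm and /proc/<pid>/cmdline. Returns the pairs whose name is a
    known masquerade or whose command line carries the GPU miner flags.
    Exact name matching keeps the legitimate systemd-networkd from matching."""
    hits = []
    for name, cmdline in process_table:
        args = set(cmdline.split())
        if name in MASQUERADE_NAMES or args & GPU_MINER_FLAGS:
            hits.append((name, cmdline))
    return hits

# Constructed process table; paths and the legitimate entries are assumptions.
SAMPLE_PROCESSES = [
    ("systemd-networkd", "/lib/systemd/systemd-networkd"),
    ("systemd-net", "/tmp/systemd-net --opencl --cuda"),
    ("ld-musl-x86", "/tmp/ld-musl-x86"),
    ("sshd", "sshd: alice [priv]"),
]
```

On a live host, feed `brute_force_sources` the contents of /var/log/auth.log (or `journalctl -u ssh` output) and build the process table from /proc; a hit from either function is a reason to check for an unauthorised miner, not proof on its own.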
