Latest Gafgyt Botnet Variant Targets Weak SSH Passwords for GPU Crypto Mining
Cybersecurity researchers have discovered a new variant of the Gafgyt botnet that targets machines with weak SSH passwords and puts their GPU computing power to work mining cryptocurrency.
Aqua Security researcher Assaf Morag said in an analysis published on Wednesday that this indicates the botnet is now targeting more robust servers running in cloud-native environments.
Active in the wild since 2014, Gafgyt (also known as BASHLITE, Lizkebab, and Torlus) has a history of exploiting weak or default credentials to take control of devices such as routers, cameras, and DVRs. It can also exploit known security flaws in devices from Dasan, Huawei, Realtek, SonicWall, and Zyxel.
Compromised devices are corralled into a botnet capable of launching distributed denial-of-service (DDoS) attacks against targets of interest. There is evidence that Gafgyt and Necro are operated by a threat group known as Keksec, also tracked as Kek Security and FreakOut.
Botnets like Gafgyt continually evolve to add new features, with variants observed in 2021 using the TOR network to cloak malicious activity and borrowing modules from the leaked Mirai source code. Gafgyt’s own source code was leaked online in early 2015, which led to new versions and modifications.
The latest attack chain brute-forces SSH servers with weak passwords to deploy next-stage payloads that run a cryptocurrency miner via a binary named “systemd-net,” but only after killing any competing malware already running on the compromised host.
It also launches a worm called ld-musl-x86, a Go-based SSH scanner, to find poorly secured servers on the internet and spread the infection to other systems, widening the botnet’s reach. The scanner carries credentials for SSH, Telnet, and game servers, as well as cloud platforms such as AWS, Azure, and Hadoop.
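The entry point described above is nothing more than password guessing against sshd, so the first thing a defender wants is the detection. The following is an added example written for this page, not code from the Aqua Security report or from Gafgyt: it runs a per-source sliding window over OpenSSH auth.log lines and raises a second, higher-severity alert when a password login is accepted from a source that was brute-forcing moments earlier, which is the signal that a weak password was actually guessed. The thresholds, the assumed log year and the sample log lines are constructed for the example.

```python
"""Spot SSH password brute-forcing, and the guess that succeeded, in sshd logs.

Added example, not code from the Aqua Security report or from Gafgyt.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# OpenSSH syslog lines carry no year, so one is assumed for parsing.
LOG_YEAR = 2024
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)
ACCEPT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Accepted password for (?P<user>\S+) from (?P<ip>[\d.]+)"
)


def _parse_ts(stamp):
    return datetime.strptime(f"{LOG_YEAR} {stamp}", "%Y %b %d %H:%M:%S")


def detect_bruteforce(lines, threshold=5, window_s=60):
    """Return alerts as (kind, source_ip, user, timestamp) tuples.

    kind is "bruteforce" once `threshold` failed password logins from one
    source fall inside `window_s` seconds, and "bruteforce_success" when an
    accepted password login later arrives from a source already flagged.
    """
    recent = defaultdict(deque)  # source ip -> timestamps of recent failures
    flagged = set()
    alerts = []
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            ip, ts = m["ip"], _parse_ts(m["ts"])
            window = recent[ip]
            window.append(ts)
            while (ts - window[0]).total_seconds() > window_s:
                window.popleft()
            if len(window) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("bruteforce", ip, m["user"], m["ts"]))
            continue
        m = ACCEPT_RE.match(line)
        if m and m["ip"] in flagged:
            alerts.append(("bruteforce_success", m["ip"], m["user"], m["ts"]))
    return alerts


# Constructed sample: one source guessing passwords until one works, and one
# legitimate user who mistypes once and then logs in with a key.
SAMPLE_LOG = """\
Aug 14 10:02:01 host sshd[1201]: Failed password for root from 203.0.113.7 port 51122 ssh2
Aug 14 10:02:03 host sshd[1202]: Failed password for invalid user admin from 203.0.113.7 port 51130 ssh2
Aug 14 10:02:04 host sshd[1203]: Failed password for root from 203.0.113.7 port 51140 ssh2
Aug 14 10:02:06 host sshd[1204]: Failed password for root from 203.0.113.7 port 51150 ssh2
Aug 14 10:02:08 host sshd[1205]: Failed password for ubuntu from 203.0.113.7 port 51160 ssh2
Aug 14 10:02:11 host sshd[1206]: Accepted password for ubuntu from 203.0.113.7 port 51170 ssh2
Aug 14 10:30:00 host sshd[1300]: Failed password for alice from 198.51.100.2 port 40000 ssh2
Aug 14 10:31:00 host sshd[1301]: Accepted publickey for alice from 198.51.100.2 port 40001 ssh2
"""

if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(*alert)
```

The "bruteforce_success" alert is the one to page on: a burst of failures from a scanner is background noise on any exposed SSH port, but a password accepted from the same source right after it means the host is now in the botnet's hands. The publickey login in the sample is deliberately not matched, since the campaign only guesses passwords.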

“The cryptominer employed is XMRig, which is a Monero cryptocurrency miner,” Morag explained. “However, in this scenario, the threat actor aims to run a cryptominer using the --opencl and --cuda flags, which harness the computing power of GPU and Nvidia GPU.”
“The primary focus of the threat actor is on cryptocurrency mining rather than launching DDoS attacks, which distinguishes this variant from its predecessors. Its aim is to infiltrate cloud-native environments boasting strong CPU and GPU capabilities.”
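On a host that may already be compromised, the miner itself is the thing to hunt for. The following is an added example written for this page, not the Aqua Security report's tooling: it judges a process from the two things readable for it under /proc, the resolved executable path (/proc/<pid>/exe) and the argument vector (/proc/<pid>/cmdline), and scores it against XMRig-style indicators. The option names --opencl, --cuda, -o/--url and --donate-level are real XMRig options; "systemd-net" is the name the report gives the miner launcher; the directory lists and the sample process table are assumptions constructed for the example.

```python
"""Flag running processes that look like an XMRig-style GPU miner.

Added example, not the Aqua Security report's tooling.
"""
import os
import re

KNOWN_MINER_NAMES = {"xmrig"}
GPU_FLAGS = {"--opencl", "--cuda"}          # real XMRig GPU backend switches
POOL_FLAGS = {"-o", "--url", "--donate-level", "--coin"}
STRATUM_RE = re.compile(r"^stratum\+(?:tcp|ssl)://", re.I)
# Where a genuine systemd-* binary lives on mainstream distributions (assumed).
SYSTEMD_DIRS = ("/usr/lib/systemd/", "/lib/systemd/", "/usr/bin/", "/bin/",
                "/usr/sbin/", "/sbin/")
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
DELETED = " (deleted)"  # suffix /proc/<pid>/exe carries for a self-deleting binary


def classify_process(exe, argv):
    """Return the reasons a process looks like a miner; an empty list means clean."""
    reasons = []
    name = os.path.basename(argv[0]) if argv else ""
    exe_path = exe[:-len(DELETED)] if exe.endswith(DELETED) else exe
    if name in KNOWN_MINER_NAMES or os.path.basename(exe_path) in KNOWN_MINER_NAMES:
        reasons.append("known-miner-name")
    if GPU_FLAGS & set(argv):
        reasons.append("gpu-mining-flags")
    if POOL_FLAGS & set(argv) or any(STRATUM_RE.match(a) for a in argv):
        reasons.append("mining-pool-args")
    if name.startswith("systemd-") and not exe_path.startswith(SYSTEMD_DIRS):
        reasons.append("systemd-name-masquerade")
    if exe_path.startswith(SCRATCH_DIRS):
        reasons.append("runs-from-scratch-dir")
    if exe.endswith(DELETED):
        reasons.append("binary-deleted-on-disk")
    return reasons


def scan(procs):
    """procs: iterable of (pid, exe, argv); returns {pid: reasons} for suspects only."""
    suspects = {}
    for pid, exe, argv in procs:
        reasons = classify_process(exe, argv)
        if reasons:
            suspects[pid] = reasons
    return suspects


def live_procs():
    """Yield (pid, exe, argv) from the local /proc (root needed for other users' exe links)."""
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            exe = os.readlink(f"/proc/{entry}/exe")
            with open(f"/proc/{entry}/cmdline", "rb") as f:
                argv = [a.decode(errors="replace") for a in f.read().split(b"\0") if a]
        except OSError:
            continue
        yield int(entry), exe, argv


# Constructed sample process table: (pid, exe link target, argv).
SAMPLE_PROCS = [
    (1, "/usr/lib/systemd/systemd", ["/sbin/init"]),
    (812, "/usr/lib/systemd/systemd-networkd", ["/usr/lib/systemd/systemd-networkd"]),
    (2931, "/tmp/.x/systemd-net (deleted)",
     ["systemd-net", "--opencl", "--cuda", "-o", "stratum+tcp://pool.example:3333",
      "--donate-level", "0"]),
    (3004, "/usr/bin/python3", ["python3", "-m", "http.server"]),
]

if __name__ == "__main__":
    for pid, reasons in scan(SAMPLE_PROCS).items():
        print(pid, ", ".join(reasons))
```

Run `scan(live_procs())` as root on a suspect host. The name check alone is weak, since the real systemd-networkd in the sample is correctly left alone; the combination of a systemd-style name, a scratch-directory or deleted executable and GPU or pool arguments is what separates a miner from a service.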
Shodan data shows more than 30 million internet-exposed SSH servers, underscoring the need to harden those instances against brute-force attacks and exploitation.
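Hardening against this campaign mostly means taking password authentication off the table. The following is an added example written for this page, not from the Aqua Security report: it reduces an sshd_config (or, better, the effective configuration printed by `sshd -T`) to one value per keyword and compares it with a key-only baseline, showing a permissive configuration of the kind this campaign preys on beside a corrected one. The defaults assumed for absent keywords follow the sshd_config(5) man page of a current OpenSSH release, and both sample configurations are constructed.

```python
"""Audit sshd settings that make password brute-forcing cheap.

Added example, not from the Aqua Security report.
"""
import re

# Values sshd uses when the keyword is absent (assumed from sshd_config(5)).
DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "permitemptypasswords": "no",
    "pubkeyauthentication": "yes",
    "maxauthtries": "6",
    "logingracetime": "120",
}
# "Keyword value" or "Keyword=value"; keywords are case-insensitive.
_LINE_RE = re.compile(r"^(\w+)\s*(?:=|\s)\s*(.*)$")


def parse_sshd_config(text):
    """Effective global values: first occurrence wins, as in sshd; parsing
    stops at the first Match block; Include directives are not followed."""
    values = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = _LINE_RE.match(line)
        if not m:
            continue
        key, val = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        if key == "challengeresponseauthentication":  # legacy alias
            key = "kbdinteractiveauthentication"
        values.setdefault(key, val)
    return values


def audit_sshd_config(text):
    """Return findings as (keyword, effective_value, recommendation) tuples."""
    cfg = {**DEFAULTS, **parse_sshd_config(text)}
    checks = [  # keyword, acceptable?, recommendation
        ("passwordauthentication", lambda v: v == "no", "no (keys only)"),
        ("kbdinteractiveauthentication", lambda v: v == "no",
         "no (PAM can still prompt for a password)"),
        ("permitrootlogin", lambda v: v in ("no", "prohibit-password"),
         "no or prohibit-password"),
        ("permitemptypasswords", lambda v: v == "no", "no"),
        ("pubkeyauthentication", lambda v: v == "yes", "yes"),
        ("maxauthtries", lambda v: v.isdigit() and int(v) <= 3, "3 or fewer"),
        ("logingracetime", lambda v: v.isdigit() and int(v) <= 30,
         "30 (plain seconds) or fewer"),
    ]
    return [(key, cfg[key], rec) for key, ok, rec in checks if not ok(cfg[key].lower())]


# Constructed: the permissive shape this campaign preys on, and a hardened one.
WEAK_CONFIG = """
Port 22
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 10
"""

HARDENED_CONFIG = """
Port 22
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
PermitEmptyPasswords no
MaxAuthTries 3
LoginGraceTime 30
"""

if __name__ == "__main__":
    for key, val, rec in audit_sshd_config(WEAK_CONFIG):
        print(f"{key} = {val}; recommended: {rec}")
```

Feed it the output of `sshd -T` rather than the file on disk: that output already has Include fragments and first-wins precedence resolved, so it is the configuration the daemon actually enforces. Note that the weak sample is flagged for keyboard-interactive authentication even though it never mentions it; the default is yes, and with PAM that path still accepts a password after PasswordAuthentication is turned off.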