New Gafgyt Botnet Variant Targets Weak SSH Passwords for GPU Crypto Mining

Summary: A new variant of the Gafgyt botnet is exploiting weak SSH passwords to compromise machines for cryptocurrency mining, particularly targeting cloud-native environments. This evolution highlights a shift in focus from traditional DDoS attacks to leveraging computational power for cryptomining.

Threat Actor: Keksec
Victim: Cloud-native servers

Key Points:

  • Gafgyt targets devices with weak SSH passwords to deploy cryptocurrency miners and expand its botnet.
  • The botnet utilizes a worming module to propagate malware across poorly secured servers, including those in cloud environments.
  • Unlike previous variants, this iteration focuses on cryptomining using GPU capabilities rather than DDoS attacks.
  • Data from Shodan indicates over 30 million publicly accessible SSH servers, emphasizing the need for stronger security measures.

Cybersecurity researchers have discovered a new variant of the Gafgyt botnet that’s targeting machines with weak SSH passwords to ultimately mine cryptocurrency on compromised instances using their GPU computational power.

This indicates that the “IoT botnet is targeting more robust servers running on cloud native environments,” Aqua Security researcher Assaf Morag said in a Wednesday analysis.

Gafgyt (aka BASHLITE, Lizkebab, and Torlus), known to be active in the wild since 2014, has a history of exploiting weak or default credentials to gain control of devices such as routers, cameras, and digital video recorders (DVRs). It’s also capable of leveraging known security flaws in Dasan, Huawei, Realtek, SonicWall, and Zyxel devices.


The infected devices are corralled into a botnet capable of launching distributed denial-of-service (DDoS) attacks against targets of interest. There is evidence to suggest that Gafgyt and Necro are operated by a threat group called Keksec, which is also tracked as Kek Security and FreakOut.

IoT botnets like Gafgyt constantly evolve to add new features: variants detected in 2021 used the TOR network to cloak their malicious activity and borrowed modules from the leaked Mirai source code. It’s worth noting that Gafgyt’s own source code was leaked online in early 2015, further fueling the emergence of new versions and adaptations.


The latest attack chains involve brute-forcing SSH servers with weak passwords, then deploying next-stage payloads that run a cryptocurrency miner named “systemd-net,” but not before terminating competing malware already running on the compromised host.

It also executes a worming module, a Go-based SSH scanner named ld-musl-x86, that’s responsible for scanning the internet for poorly secured servers and propagating the malware to other systems, effectively expanding the scale of the botnet. Its target list covers SSH and Telnet logins as well as credentials associated with game servers and cloud environments such as AWS, Azure, and Hadoop.


“The cryptominer in use is XMRig, a Monero cryptocurrency miner,” Morag said. “However, in this case, the threat actor is seeking to run a cryptominer using the `--opencl` and `--cuda` flags, which leverage GPU and Nvidia GPU computational power.”

“This, combined with the fact that the threat actor’s primary impact is crypto-mining rather than DDoS attacks, supports our claim that this variant differs from previous ones. It is aimed at targeting cloud-native environments with strong CPU and GPU capabilities.”

Data gathered by querying Shodan shows that there are over 30 million publicly accessible SSH servers, making it essential that users take steps to secure their instances against brute-force attacks and potential exploitation.
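Two host-side checks a defender could run for the behaviour described above: a sliding-window detector for the SSH password brute force that precedes compromise, and a process-list check for a miner launched with the `--opencl`/`--cuda` GPU flags. This is an added example, not code from the article or from Aqua Security; the log lines, the `ps` output, the pool host, the wallet and the thresholds are constructed placeholders and assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sshd auth log lines (not from the article); 203.0.113.5 is a documentation address.
AUTH_LOG = """\
Aug 14 10:00:01 host sshd[1201]: Failed password for root from 203.0.113.5 port 51000 ssh2
Aug 14 10:00:02 host sshd[1202]: Failed password for root from 203.0.113.5 port 51001 ssh2
Aug 14 10:00:03 host sshd[1203]: Failed password for invalid user admin from 203.0.113.5 port 51002 ssh2
Aug 14 10:00:04 host sshd[1204]: Failed password for root from 203.0.113.5 port 51003 ssh2
Aug 14 10:00:05 host sshd[1205]: Failed password for root from 203.0.113.5 port 51004 ssh2
Aug 14 10:00:06 host sshd[1206]: Accepted password for root from 203.0.113.5 port 51005 ssh2
Aug 14 10:30:00 host sshd[1300]: Failed password for alice from 198.51.100.7 port 40000 ssh2
"""
# Constructed `ps -eo pid,args` output; the pool host and wallet are placeholders.
PS_OUTPUT = """\
1412 /tmp/systemd-net --opencl --cuda -o stratum+tcp://pool.example.invalid:3333 -u WALLET_PLACEHOLDER
1500 /usr/bin/python3 train.py --cuda
1600 /usr/sbin/sshd -D
"""

SSH_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) "
    r"\w+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def detect_ssh_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Flag IPs with >= threshold failed logins in a sliding window; note a later success."""
    failures, flagged = {}, {}
    for line in log_text.splitlines():
        m = SSH_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # year-less syslog stamp, deltas only
        ip = m["ip"]
        if m["result"] == "Failed":
            failures[ip] = recent = [t for t in failures.get(ip, []) if ts - t <= window] + [ts]
            if len(recent) >= threshold:
                flagged[ip] = {"failures": len(recent),
                               "success_after": flagged.get(ip, {}).get("success_after", False)}
        elif ip in flagged:
            flagged[ip]["success_after"] = True  # brute force followed by a login: likely compromise
    return flagged

MINER_HINTS = ("xmrig", "stratum+tcp://", "stratum+ssl://")
GPU_FLAGS = ("--opencl", "--cuda")

def find_gpu_miner_processes(ps_text):
    """Miner hint plus a GPU flag; --cuda alone is normal for ML jobs, so it is not enough."""
    return [l.strip() for l in ps_text.splitlines()
            if any(h in l.lower() for h in MINER_HINTS) and any(f in l for f in GPU_FLAGS)]
```

The brute-force detector reports the source IP once five failures land inside one minute and records whether a login from that IP followed; the process check ignores the legitimate `--cuda` training job because it carries no miner indicator.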

Source: https://thehackernews.com/2024/08/new-gafgyt-botnet-variant-targets-weak.html