Cybersecurity researchers have identified a new variant of the Gafgyt botnet targeting machines with weak SSH passwords to mine cryptocurrency using GPU power. This variant shifts the botnet’s focus from its traditional DDoS attacks to leveraging compromised servers’ computational resources for mining Monero (XMR).
The botnet, also known as BASHLITE, Lizkebab, and Torlus, has historically exploited weak credentials to gain control over devices like routers and DVRs. The latest variant utilizes brute-force attacks to compromise SSH servers with weak passwords, then deploys payloads to initiate cryptocurrency mining.
It incorporates a worming module, a Go-based SSH scanner named ld-musl-x86, to spread the malware to other poorly secured servers. This expansion strategy targets a range of systems, including cloud environments such as AWS and Azure. Gafgyt’s new approach runs the XMRig miner with flags that enable GPU mining, including Nvidia GPU support, indicating a shift towards more powerful cloud-native environments.
Unlike previous versions focused on DDoS attacks, this variant is specifically designed to exploit systems with strong computational capabilities for crypto-mining purposes. The discovery underscores the need for enhanced security measures, as data shows over 30 million publicly accessible SSH servers are vulnerable to such attacks. Ensuring robust security against brute-force attempts is crucial to protect against the expanding reach and evolving tactics of botnets like Gafgyt.
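The attack path described above (a burst of failed SSH password guesses from one source, followed by a successful password login) is visible in ordinary sshd logs. The following detector is an added example, not code from the article or from Aqua; it parses constructed sample syslog lines (the hostnames, IPs and timestamps are made up), flags a source that exceeds a failure threshold inside a sliding window, and records when that same source then authenticates by password. The year constant is an assumption, since syslog timestamps carry none.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd log lines (syslog format); not taken from the article.
SAMPLE_LOG = """\
Aug 20 10:00:01 host sshd[1201]: Failed password for root from 203.0.113.7 port 51234 ssh2
Aug 20 10:00:02 host sshd[1202]: Failed password for root from 203.0.113.7 port 51235 ssh2
Aug 20 10:00:03 host sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 51236 ssh2
Aug 20 10:00:04 host sshd[1204]: Failed password for root from 203.0.113.7 port 51237 ssh2
Aug 20 10:00:05 host sshd[1205]: Failed password for root from 203.0.113.7 port 51238 ssh2
Aug 20 10:00:06 host sshd[1206]: Accepted password for root from 203.0.113.7 port 51239 ssh2
Aug 20 10:05:00 host sshd[1300]: Accepted publickey for deploy from 198.51.100.4 port 40000 ssh2
Aug 20 10:06:00 host sshd[1301]: Failed password for deploy from 198.51.100.4 port 40001 ssh2
"""

# Matches the standard OpenSSH "Failed/Accepted <method> for [invalid user] <user> from <ip>" lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

LOG_YEAR = 2024  # assumption: syslog timestamps have no year, so one is supplied


def parse_line(line):
    """Return a dict for an auth event line, or None for lines we do not care about."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "ip": m["ip"]}


def analyze(log_text, threshold=5, window_seconds=60):
    """Per source IP: total failures, whether a brute-force burst was seen
    (>= threshold failures within window_seconds), and the user name of any
    password login accepted from that IP after the burst (None if none)."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    recent = defaultdict(list)  # ip -> failure timestamps still inside the window
    report = defaultdict(lambda: {"failures": 0, "brute_force": False,
                                  "success_after_brute": None})
    for e in events:
        ip, r = e["ip"], report[e["ip"]]
        if e["result"] == "Failed":
            r["failures"] += 1
            cutoff = e["ts"].timestamp() - window_seconds
            recent[ip] = [t for t in recent[ip] + [e["ts"]] if t.timestamp() >= cutoff]
            if len(recent[ip]) >= threshold:
                r["brute_force"] = True
        elif e["method"] == "password" and r["brute_force"]:
            # A password login that follows a burst of guesses is the signal
            # worth alerting on: the guessing likely succeeded.
            r["success_after_brute"] = e["user"]
    return dict(report)


if __name__ == "__main__":
    for ip, r in analyze(SAMPLE_LOG).items():
        print(ip, r)
```

Run against the sample, the script reports 203.0.113.7 with five failures, a brute-force flag and a subsequent accepted password login as root, while 198.51.100.4 (one failure, a key-based login) is not flagged. In practice the same logic sits behind tools such as fail2ban; the durable mitigation the article points at is to remove password authentication from internet-facing SSH altogether.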
Reference:
- https://www.aquasec.com/blog/gafgyt-malware-variant-exploits-gpu-power-and-cloud-native-environments/