Gafgyt Botnet
Type of Malware | Botnet |
Additional Names | Bashlite |
Date of Initial Activity | 2014 |
Motivation | Financial Gain |
Attack Vectors | Software Vulnerabilities |
Targeted Systems | Linux |
Overview
The Gafgyt botnet, also known by aliases such as Bashlite and Lizkebab, has remained a persistent and evolving threat in the cybercrime landscape. First emerging in 2014, Gafgyt primarily targeted Internet of Things (IoT) devices by exploiting weak or default login credentials, particularly on routers, cameras, and DVR systems. Once infected, these devices were conscripted into a botnet used to conduct large-scale distributed denial-of-service (DDoS) attacks, overwhelming targets with massive volumes of malicious traffic. Over the years, Gafgyt has gone through numerous iterations; its source code has been leaked and modified by different threat actors, producing a proliferation of variants that continually complicate defensive efforts.
Initially, Gafgyt was primarily focused on infecting low-power IoT devices with minimal computational resources. However, recent developments indicate that the botnet has evolved to target more sophisticated systems, including cloud-native environments with stronger CPU and GPU capabilities. This shift marks a significant change in the operational goals of the botnet, which, instead of just conducting DDoS attacks, now incorporates cryptomining, leveraging powerful hardware resources for illicit financial gain. This transition underscores the growing sophistication of cybercriminal groups who are seeking to maximize their returns by exploiting vulnerable devices across a broader range of platforms, from IoT devices to high-performance cloud infrastructure.
Targets
Information
How they operate
The infection cycle of Gafgyt begins with gaining initial access to a vulnerable system. It primarily targets weak or default credentials on IoT devices or misconfigured Linux servers, such as those exposing Telnet or SSH. Access is gained by brute-forcing weak passwords, typically from pre-configured lists of common or default credentials, or by exploiting known vulnerabilities, which makes the malware highly effective against devices with poor security practices. After this initial compromise, Gafgyt deploys its payloads, which are typically small executable files that allow it to maintain control over the infected device.
Once Gafgyt has compromised a system, it ensures persistence through various means. The malware often modifies system configuration files such as rc.local or /etc/sysctl.conf so that it starts automatically when the system reboots, keeping its foothold on the device across restarts. Additionally, the malware hides its presence through file masquerading: it renames itself to resemble legitimate system files, such as systemd-net or ld-musl-x86, making detection more difficult for both system administrators and security software.
Gafgyt’s ability to evade detection is also enhanced by its use of obfuscation techniques. The malware often encrypts its payloads and uses a variety of evasion tactics to avoid detection by traditional antivirus tools. By masking its communications and activities, it becomes harder for security systems to identify and neutralize the threat. Moreover, the malware may delete or overwrite system logs and other artifacts that could indicate an infection, thereby hindering incident response efforts.
After ensuring persistence and evading detection, Gafgyt proceeds to expand its control over the network. It scans for other vulnerable devices, either locally or remotely, and uses brute-force methods to attempt access to these devices. This lateral movement capability enables Gafgyt to spread quickly across a network, potentially compromising hundreds or thousands of devices in a matter of days. The malware also collects sensitive information, such as SSH credentials, which can be used to further infiltrate other systems.
Gafgyt’s core functionality lies in its ability to harness compromised devices for malicious purposes. Originally designed as a DDoS tool, it can launch large-scale attacks, overwhelming targeted networks or websites with massive amounts of traffic. However, newer variants of the malware have incorporated additional features, such as cryptojacking. In these cases, Gafgyt mines cryptocurrency by using the infected device’s CPU and GPU power. This cryptomining capability allows cybercriminals to generate profit without needing to directly steal money from victims, making Gafgyt a highly profitable tool for attackers.
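As an added illustration of the persistence and masquerading behaviour described above (example code written for this page, not code from the original page or from any Gafgyt sample), the following Python checks rc.local and sysctl.conf for launches from scratch directories and flags processes that carry the systemd-net or ld-musl-x86 name but run from outside the usual system directories. The sample file contents and process list are constructed, and the trusted-directory list and the sysctl key = value pattern are assumptions of this example.

```python
import os
import re

# Filenames the text says Gafgyt adopts to look like system components.
MASQUERADE_NAMES = {"systemd-net", "ld-musl-x86"}
# Where a genuine binary with such a name would live (assumed list); anything else is odd.
TRUSTED_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/usr/lib/", "/lib/")
# World-writable scratch dirs that legitimate boot configuration never launches from.
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

def check_persistence(path: str, content: str) -> list[tuple[str, str]]:
    """Flag launches from scratch dirs or masquerade names; in sysctl.conf any non key=value line is suspect."""
    out = []
    for line in content.splitlines():
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        if path.endswith("sysctl.conf") and not re.fullmatch(r"[\w.\-/]+\s*=\s*\S.*", s):
            out.append((path, f"non key=value line: {s}"))
        elif any(d in s for d in SCRATCH_DIRS) or any(n in s for n in MASQUERADE_NAMES):
            out.append((path, f"suspicious launch: {s}"))
    return out

def check_processes(procs: list[tuple[int, str, str]]) -> list[tuple[str, str]]:
    """procs: (pid, comm, exe). Flag masquerade names running outside TRUSTED_DIRS (also catches '(deleted)' exes)."""
    return [(f"pid {pid}", f"{comm} runs from {exe}") for pid, comm, exe in procs
            if comm in MASQUERADE_NAMES and not exe.startswith(TRUSTED_DIRS)]

def live_processes() -> list[tuple[int, str, str]]:
    """Collect (pid, comm, exe) from /proc on a live Linux host for check_processes."""
    procs = []
    for d in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{d}/comm") as fh:
                procs.append((int(d), fh.read().strip(), os.readlink(f"/proc/{d}/exe")))
        except OSError:
            continue   # process exited, or its exe is not readable without privilege
    return procs

# Constructed sample inputs (not taken from a real infection).
SAMPLE_RC_LOCAL = "#!/bin/sh\n/usr/sbin/sshd\n/tmp/.x/systemd-net &\nexit 0\n"
SAMPLE_SYSCTL = "net.ipv4.ip_forward = 1\n/var/tmp/ld-musl-x86 >/dev/null 2>&1 &\n"
SAMPLE_PROCS = [(1, "systemd", "/usr/lib/systemd/systemd"),
                (4242, "systemd-net", "/tmp/.x/systemd-net"),
                (4300, "ld-musl-x86", "/var/tmp/ld-musl-x86 (deleted)")]

def hunt_sample() -> list[tuple[str, str]]:
    return (check_persistence("/etc/rc.local", SAMPLE_RC_LOCAL)
            + check_persistence("/etc/sysctl.conf", SAMPLE_SYSCTL)
            + check_processes(SAMPLE_PROCS))
```

On a live host, pass the real file contents to check_persistence and the output of live_processes() to check_processes; the checks are deliberately name- and path-based, so a variant using other filenames needs the sets extended.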
One of the most concerning aspects of Gafgyt is its ability to remain active for extended periods without detection. Its decentralized nature, frequent updates, and evasion techniques make it a difficult adversary for security professionals. Once it establishes a foothold, Gafgyt can operate autonomously, performing tasks such as initiating DDoS attacks, exfiltrating data, or even installing additional malware. Its modular architecture allows attackers to easily update or change its functionality, making it a highly adaptive and resilient piece of malware.
In conclusion, Gafgyt is a sophisticated and multi-faceted malware threat that continues to evolve. While its primary function remains DDoS attacks, its ability to mine cryptocurrency and spread across networks has expanded its impact significantly. By exploiting weak security practices, evading detection, and leveraging the power of compromised devices, Gafgyt represents a serious risk to individual users and enterprises alike. Understanding its technical operation is crucial to developing effective strategies for detection, prevention, and mitigation, as this malware is likely to remain a persistent threat in the cyber landscape.
MITRE Tactics and Techniques
Initial Access (TA0001):
Brute Force (T1110): Gafgyt gains initial access by brute-forcing weak SSH or Telnet credentials. Once weak passwords are exploited, the malware gains access to the targeted device.
Execution (TA0002):
Command and Scripting Interpreter (T1059): After gaining access, Gafgyt uses shell commands to execute payloads and scripts remotely.
Execution through API (T1106): The malware executes scripts or binaries, such as the XMRig cryptominer, to carry out the cryptomining activities.
Persistence (TA0003):
Modify System Image (T1071): Gafgyt may modify system configurations, for example, by altering the /etc/sysctl.conf file, to ensure the malware continues running after a reboot.
Privilege Escalation (TA0004):
Exploitation for Privilege Escalation (T1068): In some instances, Gafgyt may attempt to escalate privileges by exploiting vulnerabilities in the operating system or other services.
Defense Evasion (TA0005):
Obfuscated Files or Information (T1027): Gafgyt hides its presence by using deceptive filenames for its malicious binaries, such as ld-musl-x86 and systemd-net, which appear as legitimate system files.
File and Directory Permissions Modification (T1222): Gafgyt may delete logs and history files to evade detection.
Masquerading (T1036): The malware uses filenames and processes resembling legitimate Linux system components to avoid detection by security software.
Credential Dumping (TA0006):
Brute Force (T1110): Gafgyt uses brute-forced credentials to gain access to additional devices and expand the botnet.
Discovery (TA0007):
System Information Discovery (T1082): The malware checks if the device has already been infected and identifies if any other malware is running.
Network Service Scanning (T1046): Gafgyt scans the network to find other vulnerable devices with weak SSH or Telnet credentials.
Lateral Movement (TA0008):
Remote File Copy (T1105): Once inside, Gafgyt transfers additional payloads or scripts to expand its control over the infected device.
Collection (TA0009):
Data from Information Repositories (T1213): Gafgyt collects information, such as exposed SSH credentials, to target additional systems in the botnet.
Exfiltration (TA0010):
Exfiltration Over Command and Control Channel (T1041): Gafgyt may send stolen credentials or other collected data back to the attacker’s server.
Impact (TA0040):
Resource Hijacking (T1496): The primary activity of Gafgyt, particularly in its newer variants, is using compromised systems to mine cryptocurrency (cryptojacking) by leveraging the processing power of the infected devices’ CPUs and GPUs.
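As an added example for the Brute Force (T1110) and Network Service Scanning (T1046) entries above (example code written for this page, not from the original), this Python routine pulls sshd failed-password events out of syslog-style auth log lines and reports source addresses that exceed a threshold of failures within a sliding window, together with how many distinct usernames they tried, which separates credential-list walking from an ordinary mistyped password. The log excerpt is constructed, and the threshold, window length and log year are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# OpenSSH failure line in classic syslog format; the year is absent, so one is assumed.
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2$")

def parse_failures(lines, year=2024):
    """Yield (time, user, ip) for every sshd failed-password line; other lines are ignored."""
    for line in lines:
        m = FAILED.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["ip"]

def brute_force_sources(lines, threshold=5, window_s=60):
    """Return {ip: (total_failures, distinct_users)} for every source that produced
    at least `threshold` failures inside some `window_s`-second sliding window."""
    events = defaultdict(list)
    for ts, user, ip in parse_failures(lines):
        events[ip].append((ts, user))
    hits = {}
    for ip, ev in events.items():
        ev.sort()
        lo = 0
        for hi in range(len(ev)):
            while (ev[hi][0] - ev[lo][0]).total_seconds() > window_s:
                lo += 1           # slide the window start forward
            if hi - lo + 1 >= threshold:
                hits[ip] = (len(ev), len({u for _, u in ev}))
                break
    return hits

# Constructed log excerpt (not from a real host): one source walks a default credential list within seconds; a user mistypes twice.
SAMPLE_LOG = """\
Mar  3 04:12:01 iot-gw sshd[812]: Failed password for root from 198.51.100.23 port 40110 ssh2
Mar  3 04:12:03 iot-gw sshd[813]: Failed password for invalid user admin from 198.51.100.23 port 40112 ssh2
Mar  3 04:12:05 iot-gw sshd[814]: Failed password for invalid user admin from 198.51.100.23 port 40114 ssh2
Mar  3 04:12:08 iot-gw sshd[815]: Failed password for invalid user user from 198.51.100.23 port 40116 ssh2
Mar  3 04:12:11 iot-gw sshd[816]: Failed password for invalid user guest from 198.51.100.23 port 40118 ssh2
Mar  3 04:12:15 iot-gw sshd[817]: Failed password for root from 198.51.100.23 port 40120 ssh2
Mar  3 04:30:40 iot-gw sshd[901]: Failed password for alice from 192.0.2.7 port 50222 ssh2
Mar  3 04:30:52 iot-gw sshd[902]: Failed password for alice from 192.0.2.7 port 50224 ssh2
Mar  3 04:31:05 iot-gw sshd[903]: Accepted password for alice from 192.0.2.7 port 50226 ssh2
""".splitlines()

def detect_sample():
    return brute_force_sources(SAMPLE_LOG)
```

Feed the same function lines from a fleet's central syslog to spot one compromised device sweeping its neighbours, which is the lateral-movement stage the text describes; Telnet daemons rarely log failures this way, so that vector needs network-level telemetry instead.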