A Mirai botnet variant, known as “gayfemboy,” has been exploiting a recently disclosed security flaw in Four-Faith industrial routers since November 2024 to carry out distributed denial-of-service (DDoS) attacks. The botnet maintains a network of approximately 15,000 daily active IP addresses, with infections spread across countries like China, Iran, Russia, Turkey, and the United States. It leverages over 20 known vulnerabilities and weak Telnet credentials for initial access and has been active since February 2024. The malware’s source code includes offensive terminology, which inspired its name.
The critical vulnerability exploited, CVE-2024-12856, is an OS command injection flaw in router models F3x24 and F3x36, which attackers exploit via unchanged default credentials. Researchers from QiAnXin XLab discovered that this flaw has been weaponized since November 9, 2024, to deploy Mirai-based malware. VulnCheck also confirmed the flaw’s active exploitation, which involves dropping reverse shells and delivering Mirai-like payloads. Additional vulnerabilities used by the botnet span across a wide timeline, from CVE-2013-3307 to CVE-2024-8957, showcasing its extensive arsenal.
Once the malware infiltrates a device, it obscures malicious processes, updates itself, and scans for other vulnerable systems to expand its network. It uses a Mirai-based command format to execute its operations, including launching high-traffic DDoS attacks on various entities worldwide. These attacks, peaking in October and November 2024, last between 10 and 30 seconds but generate traffic of up to 100 Gbps. Hundreds of targets are affected daily, including enterprises, government systems, and individual users.
The rise of such attacks aligns with warnings from cybersecurity firms like Juniper Networks and Akamai about vulnerabilities in other devices, such as Session Smart Routers and DigiEver DVRs, being exploited for Mirai malware deployment. Researchers from XLab emphasized the evolving and concealed nature of DDoS attacks, which continue to pose significant risks across industries. The attacks’ adaptability and precision highlight the urgent need for organizations to strengthen their defenses against this growing threat.
