Aug 15, 2024
Ravie Lakshmanan
Network Security / Cybercrime
Cybersecurity researchers have uncovered a new strain of the Gafgyt botnet that is exploiting weak SSH passwords on machines to mine cryptocurrencies by harnessing the GPU computational power of compromised systems.
According to an analysis published on Wednesday by Aqua Security researcher Assaf Morag, the IoT botnet is now setting its sights on more powerful servers running in cloud-native environments.
Gafgyt, also known as BASHLITE, Lizkebab, and Torlus, has been active in the wild since 2014 and is notorious for infiltrating devices like routers, cameras, and DVRs by exploiting weak or default credentials. It has also been known to exploit vulnerabilities in devices from Dasan, Huawei, Realtek, SonicWall, and Zyxel.
These compromised devices are assimilated into a botnet capable of launching DDoS attacks against specific targets. Evidence suggests that both Gafgyt and Necro are linked to a threat group known as Keksec, also identified as Kek Security and FreakOut.
IoT botnets like Gafgyt are constantly evolving, incorporating new functionalities and features. Variants detected in 2021 even utilized the Tor network to obfuscate malicious activities and borrowed modules from the leaked Mirai source code. The dissemination of Gafgyt's source code online in 2015 has led to the emergence of numerous versions and adaptations over the years.
The latest attack chain brute-forces SSH servers that use weak passwords and then deploys a next-stage payload named "systemd-net" for cryptocurrency mining, but only after terminating competing malware already running on the compromised host.
The malware also runs a Go-based SSH scanner named ld-musl-x86 that scans the internet for poorly secured servers and propagates the malware to them, expanding the botnet's reach. The scanner targets SSH and Telnet logins as well as credentials associated with game servers and with AWS, Azure, and Hadoop environments.
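The attack chain above leaves two things a defender can look for: a burst of failed password logins from one source followed by a successful password login from the same source, and processes carrying the names reported in the analysis (systemd-net, ld-musl-x86, XMRig) or XMRig's GPU flags. The script below is an added example, not code from the article or from Aqua Security; the log lines and process listing are constructed samples (the IPs are from documentation ranges), the failure threshold is an arbitrary assumption, and the "world-writable directory plus both GPU flags" heuristic is the editor's, not something the analysis states.

```python
"""Added example: detect SSH brute-force-then-success in sshd logs and
flag process indicators named in the Gafgyt analysis. Sample data is
constructed for the example, not captured from a real host."""
import re
from collections import defaultdict

# Constructed sshd log lines (syslog format). 203.0.113.0/24 and
# 198.51.100.0/24 are documentation address ranges.
SAMPLE_AUTH_LOG = """\
Aug 14 02:11:01 gpu-node sshd[4120]: Failed password for root from 203.0.113.7 port 51234 ssh2
Aug 14 02:11:02 gpu-node sshd[4121]: Failed password for invalid user admin from 203.0.113.7 port 51236 ssh2
Aug 14 02:11:03 gpu-node sshd[4122]: Failed password for root from 203.0.113.7 port 51240 ssh2
Aug 14 02:11:04 gpu-node sshd[4123]: Failed password for root from 203.0.113.7 port 51244 ssh2
Aug 14 02:11:05 gpu-node sshd[4124]: Failed password for root from 203.0.113.7 port 51250 ssh2
Aug 14 02:11:06 gpu-node sshd[4125]: Accepted password for root from 203.0.113.7 port 51252 ssh2
Aug 14 02:30:00 gpu-node sshd[4300]: Failed password for alice from 198.51.100.9 port 40001 ssh2
Aug 14 02:30:05 gpu-node sshd[4301]: Accepted publickey for alice from 198.51.100.9 port 40002 ssh2
"""

# Constructed output in the shape of `ps -eo pid,comm,args`.
SAMPLE_PS = """\
  PID COMMAND         ARGS
    1 systemd         /sbin/init
  812 sshd            sshd: /usr/sbin/sshd -D
 5120 miner           /tmp/.x/miner --opencl --cuda
 5133 systemd-net     /tmp/systemd-net
 5140 ld-musl-x86     /tmp/ld-musl-x86
 5201 python3         python3 train.py --cuda
"""

LOG_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>password|publickey) "
    r"for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)


def parse_auth_log(text):
    """Yield (result, method, user, ip) for each sshd auth line that matches."""
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            yield m.group("result"), m.group("method"), m.group("user"), m.group("ip")


def find_bruteforce_logins(text, threshold=5):
    """Return {ip: (failures_before_success, user)} for sources that racked up
    at least `threshold` failed attempts and then logged in with a password.
    Key-based logins are never flagged: a brute-forcer guesses passwords.
    The threshold is an assumption; tune it to the host's normal traffic."""
    failures = defaultdict(int)
    hits = {}
    for result, method, user, ip in parse_auth_log(text):
        if result == "Failed":
            failures[ip] += 1
        elif method == "password" and failures[ip] >= threshold and ip not in hits:
            hits[ip] = (failures[ip], user)
    return hits


# Process names reported in the analysis (systemd-net, ld-musl-x86) plus XMRig.
SUSPICIOUS_NAMES = {"systemd-net", "ld-musl-x86", "xmrig"}
WORLD_WRITABLE_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")


def find_miner_processes(ps_text):
    """Return [(pid, reason)] for processes with a known-bad name, or for a
    binary run from a world-writable directory with both XMRig GPU flags
    (--opencl and --cuda). A lone --cuda on a legitimate training job from
    a normal path is deliberately not flagged."""
    findings = []
    for line in ps_text.splitlines()[1:]:  # skip the header row
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue
        pid, comm, args = parts
        argv = args.split()
        if comm in SUSPICIOUS_NAMES:
            findings.append((int(pid), f"known name {comm}"))
        elif argv[0].startswith(WORLD_WRITABLE_DIRS) and {"--opencl", "--cuda"} <= set(argv):
            findings.append((int(pid), "GPU miner flags from world-writable dir"))
    return findings


if __name__ == "__main__":
    for ip, (n, user) in find_bruteforce_logins(SAMPLE_AUTH_LOG).items():
        print(f"brute-force success: {ip} -> {user} after {n} failures")
    for pid, reason in find_miner_processes(SAMPLE_PS):
        print(f"pid {pid}: {reason}")
```

On a real host feed the script `/var/log/auth.log` (or `journalctl -u ssh`) and `ps -eo pid,comm,args`; systems using `sshd[...]` with a different syslog prefix only need the regex's leading anchor adjusted.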

“The cryptominer utilized is XMRig, a Monero cryptocurrency miner,” Morag explained. “However, in this case, the threat actors are focusing on running the miner with the --opencl and --cuda flags to utilize GPU and Nvidia GPU computational resources.”
“Given that the primary objective of these threat actors is cryptocurrency mining rather than DDoS attacks, it is evident that this variant differs significantly from its predecessors. Its primary targets are cloud-native environments with robust CPU and GPU capabilities,” Morag added.
Shodan data reveals over 30 million publicly accessible SSH servers, underscoring the critical need for users to secure their instances against brute-force attacks and potential exploitation.
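The variant described here gets in purely by guessing passwords, so the relevant sshd settings are the ones that make guessing impossible or expensive. The fragment below is an added example, not from the article: a weak sshd_config on the left side of the problem and the hardened equivalent beside it. The values are the editor's suggestions, and `KbdInteractiveAuthentication` is the OpenSSH 8.7+ name for what older releases call `ChallengeResponseAuthentication`.

```text
# Weak: root may log in with a password and every client gets the
# default number of guesses per connection.
PermitRootLogin yes
PasswordAuthentication yes
KbdInteractiveAuthentication yes
MaxAuthTries 6
LoginGraceTime 120

# Hardened: keys only, root cannot log in interactively, fewer guesses
# and less time per connection before sshd drops it.
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
LoginGraceTime 20
```

After editing, run `sshd -t` to syntax-check the file and `sshd -T | grep -Ei 'passwordauthentication|permitrootlogin'` to confirm the effective values, since a later `Match` block or an included drop-in file can silently override what the main file says. Keep an existing session open while restarting sshd so a mistake cannot lock you out.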