Cybersecurity researchers have uncovered a new variant of the Gafgyt botnet that is now targeting machines with weak SSH passwords to exploit their GPU computational power for cryptocurrency mining.
“This development suggests that the IoT botnet is increasingly focusing on more robust servers operating in cloud-native environments,” said Assaf Morag, a researcher at Aqua Security, in an analysis published on Wednesday.
Gafgyt, also known as BASHLITE, Lizkebab, and Torlus, has been active since 2014 and is notorious for exploiting weak or default credentials to hijack devices like routers, cameras, and digital video recorders (DVRs). The botnet can also exploit known security vulnerabilities in devices from Dasan, Huawei, Realtek, SonicWall, and Zyxel.
Once infected, these devices become part of a botnet capable of launching distributed denial-of-service (DDoS) attacks against selected targets. Evidence suggests that Gafgyt and Necro are operated by a threat group known as Keksec, also referred to as Kek Security and FreakOut.
IoT botnets like Gafgyt are constantly evolving, adding new capabilities over time. In 2021, variants were detected using the TOR network to conceal malicious activity and incorporating modules from the leaked Mirai source code. The Gafgyt source code was leaked online in early 2015, which has contributed to the emergence of new versions and adaptations.
The latest variant of Gafgyt involves brute-forcing SSH servers with weak passwords to deploy payloads for cryptocurrency mining, utilizing a tool called “systemd-net.” Before initiating the mining process, the malware first eliminates any competing malware already present on the compromised host.
Additionally, this variant includes a worming module, a Go-based SSH scanner named ld-musl-x86, which scans the internet for poorly secured servers, propagating the malware to other systems and expanding the botnet. This module targets SSH, Telnet, and credentials related to game servers and cloud environments such as AWS, Azure, and Hadoop.
“The cryptominer being used is XMRig, a Monero cryptocurrency miner,” Morag explained. “However, in this instance, the threat actor is using the –opencl and –cuda flags to leverage GPU and Nvidia GPU computational power.”
“This, combined with the focus on crypto-mining rather than DDoS attacks, indicates that this variant is different from previous ones. It is specifically designed to target cloud-native environments with powerful CPU and GPU capabilities.”
Data from Shodan reveals that there are over 30 million publicly accessible SSH servers, highlighting the importance of securing these instances against brute-force attacks and potential exploitation.
