Latest Gafgyt botnet strain used for cryptomining attacks

August 30, 2024
Gafgyt Cryptomining Cryptocurrency Botnet Cyberattack

A newly discovered Gafgyt botnet variant currently targets computers with weak SSH passwords to execute cryptocurrency mining attacks. Moreover, the researchers explained that the attackers utilise the GPU computational capacity of the infected device to run the cryptominer.

This detail implies that the IoT botnet targets robust servers running cloud-native environments. The Gafgyt botnet has been circulating in the wild for almost a decade now, and it has a history of using weak or default credentials to take over routers, webcams, and digital video recorders.

The infected devices are grouped into a botnet that can perform distributed denial-of-service (DDoS) attacks against targets of interest. In addition, there is evidence that the Keksec threat group is the primary operator behind Gafgyt and Necro.

Gafgyt and other botnets have improved their malicious features over the years.

The latest variants of Gafgyt and other IoT botnets have constantly evolved their features and adopted new capabilities. For example, variants discovered in 2021 have adopted the leaked Mirai source code to run concealed malicious activities.

These botnets’ most recent attack chains involve brute-forcing SSH servers with weak passwords to install next-stage payloads for a cryptocurrency mining attack utilising “systemd-net,” but only after removing competing malware on the infected host.

Furthermore, the new Gafgyt variant could run the worming module, ld-musl-x86, a Go-based SSH scanner that scans the internet for vulnerable servers and spreads malware to other devices.

Hence, this new capability could grow the botnet’s size and reach: the scanner goes after SSH and Telnet logins as well as credentials for game servers and cloud platforms such as Azure, AWS, and Hadoop.

Furthermore, the researchers noted that the cryptominer is XMRig, a Monero cryptocurrency miner. In this instance, however, the threat actor runs the miner with the “--opencl” and “--cuda” options, which enable mining on OpenCL-capable GPUs and on Nvidia GPUs via CUDA respectively.

These findings, together with the threat actor’s focus on cryptomining rather than DDoS attacks, confirm the assessment that this variant is distinct from previous ones: the attackers designed it to target cloud-native environments with high CPU and GPU performance.
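As an added example (not from the article or the researchers’ report), the short Python script below turns the attack chain described above into two defender-side checks: it flags password logins in sshd logs that follow a run of failed attempts from the same source, and it flags running processes whose binary name matches the payloads named here (systemd-net, ld-musl-x86) or that invoke an XMRig-style miner with --opencl or --cuda. The log excerpt and process list are constructed samples, and the regexes assume standard OpenSSH log wording.

```python
import re
from collections import defaultdict

# Constructed sshd auth log excerpt (not from the article): a password spray against root, then a successful login.
AUTH_LOG = """\
Aug 30 10:01:02 host sshd[1201]: Failed password for root from 198.51.100.7 port 51000 ssh2
Aug 30 10:01:03 host sshd[1202]: Failed password for root from 198.51.100.7 port 51001 ssh2
Aug 30 10:01:04 host sshd[1203]: Failed password for invalid user admin from 198.51.100.7 port 51002 ssh2
Aug 30 10:01:05 host sshd[1204]: Failed password for root from 198.51.100.7 port 51003 ssh2
Aug 30 10:01:06 host sshd[1205]: Failed password for root from 198.51.100.7 port 51004 ssh2
Aug 30 10:01:08 host sshd[1206]: Accepted password for root from 198.51.100.7 port 51005 ssh2
Aug 30 10:02:00 host sshd[1210]: Accepted publickey for deploy from 203.0.113.9 port 40000 ssh2
"""

# Constructed process command lines, as `ps -eo args` would print them.
PROCESS_LIST = [
    "/usr/lib/systemd/systemd-networkd",
    "/tmp/systemd-net",
    "/tmp/ld-musl-x86 -p 22",
    "/opt/xmrig -o pool.example:3333 --opencl --cuda",
]

FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)")
ACCEPTED = re.compile(r"Accepted password for (\S+) from (\S+)")
# Payload names and miner flags as described in the article.
PAYLOAD_NAMES = {"systemd-net", "ld-musl-x86"}
GPU_MINER_FLAGS = {"--opencl", "--cuda"}


def brute_force_logins(log_text, threshold=5):
    """Return (source IP, user, failure count) for password logins preceded by >= threshold failures."""
    failures = defaultdict(int)
    hits = []
    for line in log_text.splitlines():
        if m := FAILED.search(line):
            failures[m.group(2)] += 1
        elif (m := ACCEPTED.search(line)) and failures[m.group(2)] >= threshold:
            hits.append((m.group(2), m.group(1), failures[m.group(2)]))
    return hits


def suspicious_processes(cmdlines):
    """Return (command line, reason) for processes matching the described payloads or GPU miner flags."""
    findings = []
    for cmd in cmdlines:
        argv = cmd.split()
        name = argv[0].rsplit("/", 1)[-1]  # basename only; a legitimate systemd-networkd does not match
        if name in PAYLOAD_NAMES:
            findings.append((cmd, "payload name from the Gafgyt variant"))
        elif "xmrig" in name.lower() or GPU_MINER_FLAGS & set(argv[1:]):
            findings.append((cmd, "XMRig-style miner using GPU flags"))
    return findings
```

On a real host, feed it the output of journalctl -u ssh (or /var/log/auth.log) and ps -eo args, and treat a hit from both checks on the same box as a strong indicator of this chain.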
