If your infrastructure includes cloud environments, you could be at risk of unintentionally sharing your resources with cybercriminals. The latest release of the Gafgyt botnet malware can now seize control of cloud environments and use them to mine Monero cryptocurrency. Here are more details and a way to detect such activity.
What is Gafgyt?
Gafgyt, also known as BASHLITE, is a type of malware that has been active for several years, primarily targeting Internet of Things (IoT) devices and Linux-based systems. Initially discovered in 2014, it is known for its ability to create botnets, which are networks of infected devices controlled by a single entity.
It uses scanners to identify and infect vulnerable servers and devices, increasing the size of its botnet. This self-propagating capability, combined with its evolving tactics, makes Gafgyt a persistent and adaptable malware.
Gafgyt is predominantly used to launch Distributed Denial of Service (DDoS) attacks. These attacks aim to overwhelm targeted servers or networks with a flood of traffic, rendering them inaccessible to legitimate users.
Moreover, because Gafgyt's source code is publicly available, numerous variants of this malware exist.
How New Gafgyt Variant Targets GPUs
The new version of Gafgyt malware uses the old technique of brute-forcing target devices with weak passwords. This time, however, it focuses on poorly protected gaming servers and cloud services such as AWS, Azure, and Hadoop. These targets are attractive because they have a lot of CPU and GPU resources, which is ideal for mining cryptocurrency.
By focusing on the privacy-oriented Monero cryptocurrency, the malware manages to prevent users from viewing which addresses receive the generated coins.
To conduct mining, it uses XMRig, which is set up to use the processing power of GPUs, including Nvidia GPUs. This lets the malware take advantage of the full power of the infected devices, making the mining process very efficient.
It also uses infected machines to continue spreading itself. Using an SSH scanner named ld-musl-x86, the botnet looks for new targets to expand itself further.
Detecting and Analyzing Gafgyt Malware
To see how Gafgyt operates, we can use a malware sandbox. This tool offers a safe virtual environment for detonating malware and other cyber threats without risking your own infrastructure.
Using a cloud tool like the ANY.RUN sandbox, you can not only observe the execution of malware, but also engage with it and the virtual system directly just like on your home or office computer.
Let’s upload a sample of Gafgyt to the ANY.RUN sandbox to see how it behaves.
In this analysis session, we can view a typical kill chain of the malware.

As soon as we detonate the sample in the sandbox, it infects our virtual machine and begins to scan the external network for devices with weak protection.

The sandbox lists all the attempted connections, which amount to over 45 thousand attempts, revealing the true scale of the botnet’s operation.
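The outbound SSH sweep described above (the ld-musl-x86 scanner and the tens of thousands of connection attempts the sandbox lists) is something a defender can look for in their own flow or connection logs. The following is an added example, not code from the article or from ANY.RUN: it walks a constructed list of connection records and flags any source that touches port 22 on many distinct hosts within a short sliding window, which separates scanning from normal administrative SSH use. The record format, thresholds and IP addresses are assumptions chosen for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample flow records ("ISO-time src dst dport"), modelled on the
# per-connection list a sandbox network tab shows. Not real Gafgyt telemetry.
_BASE = datetime(2024, 1, 1, 12, 0, 0)
SAMPLE_FLOWS = (
    # one infected host sweeps 25 distinct hosts on 22/tcp within 25 seconds
    [f"{(_BASE + timedelta(seconds=i)).isoformat()} 10.0.0.5 203.0.113.{i} 22"
     for i in range(1, 26)]
    # an admin host reaches three servers over ten minutes: expected behaviour
    + [f"{(_BASE + timedelta(minutes=3 * i)).isoformat()} 10.0.0.9 198.51.100.{i} 22"
       for i in range(1, 4)]
    # unrelated HTTPS traffic from the infected host, ignored by the port filter
    + [f"{(_BASE + timedelta(seconds=i)).isoformat()} 10.0.0.5 192.0.2.{i} 443"
       for i in range(1, 40)]
)


def parse_flow(line):
    """Split 'ISO-time src dst dport' into typed fields."""
    ts, src, dst, dport = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport)


def find_ssh_scanners(lines, window=timedelta(seconds=60), min_targets=20, port=22):
    """Return {src: peak distinct destinations} for every source that contacts
    `port` on at least `min_targets` distinct hosts inside any `window`-long interval."""
    by_src = defaultdict(list)
    for line in lines:
        ts, src, dst, dport = parse_flow(line)
        if dport == port:
            by_src[src].append((ts, dst))
    hits = {}
    for src, events in by_src.items():
        events.sort()                 # sliding window needs chronological order
        in_window = deque()
        seen = defaultdict(int)       # dst -> number of events still inside the window
        peak = 0
        for ts, dst in events:
            in_window.append((ts, dst))
            seen[dst] += 1
            while in_window and ts - in_window[0][0] > window:
                _, old = in_window.popleft()
                seen[old] -= 1
                if seen[old] == 0:
                    del seen[old]
            peak = max(peak, len(seen))
        if peak >= min_targets:
            hits[src] = peak
    return hits


if __name__ == "__main__":
    print(find_ssh_scanners(SAMPLE_FLOWS))  # {'10.0.0.5': 25}
```

The admin host is not flagged because its three connections never fall inside one 60-second window, while the sweeping host reaches 25 distinct targets in under half a minute.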

Once the analysis session ends, the sandbox generates a detailed report on the threat complete with a list of indicators of compromise (IOCs) that can be used for enhancing detection capabilities and further investigations.
Try ANY.RUN Sandbox with a 14-day trial
ANY.RUN sandbox provides advanced malware analysis capabilities right in your browser. Simply upload your file or URL to the service and start analyzing it in a fully interactive VM. The sandbox detects threats in under 40 seconds and offers private and teamwork modes for streamlining your work with colleagues.
Access all features of ANY.RUN sandbox with a 14-day free trial.