GAFGYT Botnet Exploits Weak Server Passwords for Profit

Aqua Security researchers have uncovered a new variant of the GAFGYT botnet that targets servers in cloud environments with weak SSH passwords and uses their GPU computing power for cryptocurrency mining.

The GAFGYT botnet, also known as Bashlite, Lizkebab, and Torlus, has been in operation since 2014 and is known for exploiting weak or default passwords to gain control over routers, cameras, DVRs, and other devices. It includes tools to exploit vulnerabilities in devices from Dasan, Huawei, Realtek, SonicWall, and Zyxel, among others, in order to launch DDoS attacks.

The latest version of the GAFGYT botnet brute-forces SSH servers with weak passwords and then deploys cryptocurrency miners using the Systemd-Net module. It ensures that its miners have full access to system resources by terminating competing malicious programs.

In addition, the botnet deploys a worm written in Go that scans the internet for vulnerable servers and infects them to expand its reach. It targets SSH, Telnet, and data related to game servers as well as cloud platforms such as AWS, Azure, and Hadoop.

The attackers' primary objective is to run the XMRig miner to mine the Monero cryptocurrency, harnessing GPU computing power with the --opencl and --cuda flags.

This new variant is built for cloud environments with powerful CPU and GPU resources, shifting the botnet's focus away from DDoS attacks. According to Shodan data, over 30 million SSH servers are accessible on the internet, which makes protection against brute-force attacks and potential compromise crucial.
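As an added example (not code from the article or from Aqua's research), the following Python scans sshd log lines for the trace that the weak-password compromise described above leaves on a victim: a source address that fails password authentication repeatedly within a short window and then logs in with a password. The log lines are constructed, and the threshold and window values are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd lines (not from the article or from Aqua's report):
# 203.0.113.7 guesses passwords five times in five seconds, then gets in.
SAMPLE_AUTH_LOG = """\
Jan 10 03:14:01 srv sshd[1201]: Failed password for root from 203.0.113.7 port 51122 ssh2
Jan 10 03:14:02 srv sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 51124 ssh2
Jan 10 03:14:03 srv sshd[1205]: Failed password for root from 203.0.113.7 port 51126 ssh2
Jan 10 03:14:04 srv sshd[1207]: Failed password for root from 203.0.113.7 port 51128 ssh2
Jan 10 03:14:05 srv sshd[1209]: Failed password for root from 203.0.113.7 port 51130 ssh2
Jan 10 03:14:06 srv sshd[1211]: Accepted password for root from 203.0.113.7 port 51132 ssh2
Jan 10 03:20:00 srv sshd[1300]: Failed password for alice from 198.51.100.9 port 40000 ssh2
Jan 10 03:25:00 srv sshd[1301]: Accepted publickey for alice from 198.51.100.9 port 40001 ssh2
"""

# Matches "Failed password for [invalid user] X" and "Accepted password for X".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) "
    r"password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port"
)

def find_password_guessing(log, threshold=5, window_seconds=60):
    """Map each source IP with >= threshold password failures inside window_seconds
    to {"failures": n, "succeeded": bool}; succeeded = password login after last failure."""
    failures, successes = defaultdict(list), defaultdict(list)
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # publickey logins and unrelated sshd messages are skipped
        # Syslog stamps carry no year; 2000 is a leap year, so "Feb 29" still parses.
        ts = datetime.strptime("2000 " + m["ts"], "%Y %b %d %H:%M:%S")
        (failures if m["result"] == "Failed" else successes)[m["ip"]].append(ts)
    hits = {}
    for ip, times in failures.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_seconds:
                hits[ip] = {
                    "failures": len(times),
                    "succeeded": any(t > times[-1] for t in successes.get(ip, [])),
                }
                break
    return hits

if __name__ == "__main__":
    for ip, info in find_password_guessing(SAMPLE_AUTH_LOG).items():
        print(ip, info)  # 203.0.113.7 {'failures': 5, 'succeeded': True}
```

A hit with "succeeded" set is the case to treat as a compromise rather than mere noise, since it matches the weak-password entry this variant relies on.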

Notably, between December 14 and December 31, 2020, during the pandemic, experts identified 18,000 unique hosts and around 900 distinct payloads, the majority attributed to the Gafgyt and Mirai malware families, which together made up 97% of the payloads.
