Gafgyt Malware Variant Leverages GPU Power and Cloud-Native Environments

Researchers from Aqua Nautilus identified a new Gafgyt botnet variant that targets machines with weak SSH passwords and, once inside, executes binaries from memory to expand the botnet and mine cryptocurrency on the victim's GPU. The campaign signals a shift from traditional IoT devices to cloud-native servers; the report covers the attack chain, detection, and protection measures. hashtags: #Gafgyt #Bashlite #Lizkebab #XMRIG #Shodan #AquaNautilus

Keypoints

  • Initial access is gained by brute-forcing internet-exposed SSH services that accept weak passwords.
  • Once inside, the malware executes two binaries from memory: an SSH scanner that expands the botnet and an XMR (Monero) cryptominer.
  • The variant shifts focus from IoT devices to cloud-native environments, targeting servers with GPU power.
  • It performs system discovery to check for existing infections and kills competing malware.
  • It alters configuration files such as /etc/sysctl.conf to tune performance and security settings on the host.
  • The binaries are named ld-musl-x86 and systemd-net so they resemble legitimate system components and evade casual inspection.
  • Shodan data shows more than 30 million internet-exposed SSH instances, the population this campaign can scan.
  • Aqua's runtime protection detected and alerted on the attack in real time.
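The brute-force-then-success pattern described above is visible in plain sshd logs. The script below is an added example, not code from the report or from Aqua: it parses constructed syslog-style sshd lines (the host name, users, timestamps and addresses are made up), flags a source that fails the configured number of password attempts inside a sliding window, and, more importantly, flags a password login accepted from a source that had just been failing, which is the signal that a weak credential was guessed. The year is assumed because syslog timestamps do not carry one.

```python
"""Flag SSH password brute-forcing and brute-force-then-success in sshd logs.

Added example; the log lines below are constructed, not taken from the report.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed syslog-style sshd lines (hypothetical host, users and addresses).
SAMPLE_LOG = """\
Jul 30 10:00:01 node1 sshd[2101]: Failed password for root from 203.0.113.7 port 51000 ssh2
Jul 30 10:00:02 node1 sshd[2102]: Failed password for invalid user admin from 203.0.113.7 port 51001 ssh2
Jul 30 10:00:02 node1 sshd[2103]: Failed password for root from 203.0.113.7 port 51002 ssh2
Jul 30 10:00:03 node1 sshd[2104]: Failed password for root from 203.0.113.7 port 51003 ssh2
Jul 30 10:00:04 node1 sshd[2105]: Failed password for root from 203.0.113.7 port 51004 ssh2
Jul 30 10:00:05 node1 sshd[2106]: Accepted password for root from 203.0.113.7 port 51005 ssh2
Jul 30 10:00:09 node1 sshd[2110]: Failed password for ubuntu from 198.51.100.4 port 40000 ssh2
Jul 30 10:03:00 node1 sshd[2120]: Accepted publickey for deploy from 192.0.2.9 port 50000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_events(lines, year=2024):
    """Yield (timestamp, result, method, user, ip) for each auth line.
    Syslog lines carry no year, so one is assumed."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # other sshd chatter, or not an auth event
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["result"], m["method"], m["user"], m["ip"]


def detect(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: [findings]} for sources that brute-force, or that log in by
    password right after a run of failures."""
    findings = defaultdict(list)
    recent = defaultdict(deque)  # ip -> timestamps of failures inside the window
    reported = set()
    for ts, result, method, user, ip in parse_events(lines):
        q = recent[ip]
        while q and ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if result == "Failed":
            q.append(ts)
            if len(q) >= threshold and ip not in reported:
                reported.add(ip)
                findings[ip].append(
                    f"brute-force: {len(q)} failed passwords within {int(window.total_seconds())}s"
                )
        elif method == "password" and q:
            # A password accepted from a source that was just failing is the
            # signal that a weak credential was guessed; key logins are ignored.
            findings[ip].append(
                f"password accepted for {user} after {len(q)} recent failures"
            )
    return dict(findings)


if __name__ == "__main__":
    for ip, notes in detect(SAMPLE_LOG.splitlines()).items():
        for note in notes:
            print(ip, note)
```

The second rule matters more than the first: a threshold alert fires on every scanner that touches the host, while an accepted password from a source that was failing moments earlier almost always means the credential in 1.txt worked. Feed it `journalctl -u ssh -o short` output or /var/log/auth.log; publickey logins are deliberately excluded so the rule stays quiet on hosts that have already disabled password authentication.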

MITRE Techniques

  • [T1110.001] Brute Force: Password Guessing – Guesses weak SSH passwords to gain initial access. ‘The initial access is gained by brute forcing to an internet connected SSH with weak password.’
  • [T1059.004] Command and Scripting Interpreter: Unix Shell – Executes shell commands over the SSH session. ‘The attacking server (a part of the botnet) executes some shell commands via the SSH connection.’
  • [T1105] Ingress Tool Transfer – Downloads the brute-force credential list from the actor's server. ‘downloads from the threat actor’s server (at 107.189.5.210) the file 1.txt, which is a brute force configuration file containing 179 sets of users and passwords.’
  • [T1620] Reflective Code Loading – Runs the two dropped binaries from memory rather than from disk, leaving no on-disk image to scan. ‘Next the two binaries are executed in memory.’
  • [T1036.005] Masquerading: Match Legitimate Name or Location – Names the binaries ld-musl-x86 and systemd-net so they resemble the musl loader and a systemd component.
  • [T1057] Process Discovery and [T1562.001] Impair Defenses: Disable or Modify Tools – Enumerates the host to check for existing infections and kills competing malware.
  • [T1496] Resource Hijacking – Mines XMR (Monero) on the victim's GPU; the report describes edits to /etc/sysctl.conf made to improve performance on the compromised host.

Indicators of Compromise

  • [IP Address] – 107.189.5.210, the actor's server used as the C2/download source; it serves 1.txt, the brute-force credential list.
  • [MD5 Hash] – ee929477b6144874974b1dc0b77e57a1 for ld-musl-x86 (Gafgyt SSH scanner), flagged on VirusTotal.
  • [MD5 Hash] – b5b96a1bec4829501b85e6fe1c5044f5 for systemd-net (XMR cryptominer), flagged on VirusTotal.
  • [File name] – 1.txt, the brute-force credential list (179 user/password pairs) downloaded from the C2 server.
  • [File name] – sora.sh, a script name observed inside the binary; a weaker indicator that points at the dropper/script lineage rather than a file you should expect on disk.
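Because both binaries run from memory under names chosen to look like system components, hashing files on disk will miss them; the place to look is the process table. The Python below is an added example, not code from the report or from Aqua: it triages a process snapshot by name, by whether /proc/<pid>/exe points at a memfd or an unlinked image, and by MD5 against the two hashes listed above. The sample snapshot is constructed (PIDs, paths and image bytes are made up and match none of the hashes), and snapshot_live() assumes the usual Linux /proc layout rather than anything the report describes.

```python
"""Triage processes for the Gafgyt IOCs: masquerading names, memory-resident
images, and the two published MD5s.

Added example; the sample snapshot is constructed, not from the report."""
import hashlib
import os
from dataclasses import dataclass

# MD5s published in the report for the two dropped binaries.
IOC_MD5 = {
    "ee929477b6144874974b1dc0b77e57a1": "ld-musl-x86 (Gafgyt SSH scanner)",
    "b5b96a1bec4829501b85e6fe1c5044f5": "systemd-net (XMR cryptominer)",
}
# Names the actor picked to blend in with the musl loader and systemd.
SUSPECT_NAMES = {"ld-musl-x86", "systemd-net"}


@dataclass
class Proc:
    pid: int
    comm: str           # contents of /proc/<pid>/comm
    exe: str            # readlink(/proc/<pid>/exe)
    image: bytes = b""  # bytes of /proc/<pid>/exe; still readable when unlinked


def is_memory_resident(exe_link):
    """True when the executable has no backing file on disk: it was created
    with memfd_create or unlinked after exec. Both show in the exe link target."""
    return exe_link.startswith("/memfd:") or exe_link.endswith(" (deleted)")


def triage(proc):
    """Return the list of reasons this process looks like the Gafgyt variant."""
    reasons = []
    if proc.comm in SUSPECT_NAMES:
        reasons.append(f"name {proc.comm} matches a published IOC")
    if is_memory_resident(proc.exe):
        reasons.append(f"no on-disk image: {proc.exe}")
    if proc.image:
        digest = hashlib.md5(proc.image).hexdigest()
        if digest in IOC_MD5:
            reasons.append(f"MD5 {digest} matches {IOC_MD5[digest]}")
    return reasons


def hunt(procs):
    """Return {pid: [reasons]} for every process with at least one hit."""
    hits = {}
    for p in procs:
        reasons = triage(p)
        if reasons:
            hits[p.pid] = reasons
    return hits


def snapshot_live():
    """Read the real /proc on Linux (assumed layout). Images are read only for
    candidates, since hashing every executable on the host is expensive."""
    procs = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        base = f"/proc/{entry}"
        try:
            with open(f"{base}/comm") as f:
                comm = f.read().strip()
            exe = os.readlink(f"{base}/exe")
            image = b""
            if comm in SUSPECT_NAMES or is_memory_resident(exe):
                with open(f"{base}/exe", "rb") as f:
                    image = f.read()
        except OSError:
            continue  # kernel thread, process already exited, or not ours
        procs.append(Proc(int(entry), comm, exe, image))
    return procs


# Constructed snapshot: PIDs, paths and image bytes are made up.
SAMPLE_PROCS = [
    Proc(1, "systemd", "/usr/lib/systemd/systemd"),
    Proc(900, "sshd", "/usr/sbin/sshd"),
    Proc(4242, "systemd-net", "/memfd:x (deleted)", b"\x7fELF constructed miner"),
    Proc(4243, "ld-musl-x86", "/tmp/ld-musl-x86 (deleted)"),
]

if __name__ == "__main__":
    for pid, reasons in hunt(SAMPLE_PROCS).items():
        print(pid, "; ".join(reasons))
```

Run `hunt(snapshot_live())` as root on a suspect host. The hash check only catches the exact samples Aqua analysed, so treat the name and memory-residency checks as the primary signal: a legitimate ld-musl loader is a shared object that never appears as a process, and a genuine systemd component is backed by a file under /usr/lib/systemd, not a memfd. The actor can rename the process via prctl, so also compare /proc/<pid>/cmdline and the parent chain back to the sshd session that spawned it.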

Read more: https://www.aquasec.com/blog/gafgyt-malware-variant-exploits-gpu-power-and-cloud-native-environments/