Posted on March 6, 2021 at 4:37 PM
New Tor-Based Gafgyt Variant Discovered Attacking IoT And D-Link
Netlab360 has recently had its researchers discover a brand new variant of the Gafgyt botnet family. This new variant is unique thanks to its ability to use the Tor network to actively cloak its malicious activities.
Gafgyt’s Latest Evolution
Gafgyt itself stands as a botnet that had been discovered all the way back in 2014. It had gained its large infamy primarily thanks to the decentralized denial of service (DDoS) it had operated at a large scale. As for this latest variant, going by Gafgyt_tor, which was discovered by researchers on the 15th of February, 2021.
As stated above, Gafgyt_tor makes use of the Tor network to try and hide its Command and Control (C2) communication. Another bonus from this is the encryption of sensitive strings in the samples, as well. Now, it should be noted that malware families leveraging Tor isn’t really new, but it is noteworthy for Gafgyt since this is the first recorded instance for this malware family in particular.
Targeting Three Different Vulnerabilities
As for how the botnet spreads, that’s quite simple: It targets weak Telnet passwords, which itself is a common issue in most Internet of Things devices. Gafgyt in particular makes use of three different vulnerabilities to do so.
The first is a remote code execution vulnerability within the Liferay Enterprise portal software, which strangely has no CVE. The second is CVE-2019-16920, a remote code execution flaw situated in D-Link devices. Lastly, it utilizes CVE-2019-19781, a fault within the Citrix Application Delivery Controller.
Netlab360’s researchers revealed that the main function of Gafgyt_tor, which is to add the Tor proxy function in order to provide the address of the IP server, has seen a widespread change. The researchers revealed that the original function to do so, initConnection(), has been completely scrapped. This function used to establish a connection to the C2, but it is now replaced with a large code section in charge of establishing it.
Gafgyt’s Latest New Toys
As for what this Gafgyt_tor variation can do all on its own, the list is quite impressive and subsequently worrying. Within this large section of new code, a function called tor_socket_init exists, one responsible for creating an entire list of proxy nodes, all boasting a port and IP address. More than 100 Tor proxies can be developed like this, with new samples constantly updating the proxy, as well.
After this function initiated the proxy list, the sample itself will proceed to select a random node from it. This will enable communications with Tor, doing so through the tor_retrieve_port and the tor_retrieve_addr functions.
Once the connection with the C2 is established, the botnet-infected system then proceeds to request a darknet address of wvp3te7pkfczmnnl.onion, simply awaiting command after that.
Same Motivations
The researchers gave some interesting statements about the goals of this new botnet variant, as well. According to them, the goal of this new variant of Gafgyt is the same as the rest: Scanning and DDoS attacks. However, a new directive was added to the latest malware, according to the researchers: LDSERVER.
With this new addition to the botnet, the C2 is capable of specifying exact addresses to offload payloads from. What this means logistically is that the attack can quickly start changing its tactics, switching courses in case a download server owned by the attackers suddenly gets turned off due to being identified.
Manufactured By Freak/Keksec
As for how the researchers identified Gafgyt_tor as a proudly Gafgyt product, it cited its origins. Netlab360 explained that its origins come from the keksec group, more universally known as the Freak threat actor. Now, keksec makes use of the same IP addresses and code between the various other botnet families under its belt, such as Tsunami and Necro.
With this, the speculation is that both Necro and Gyfgat are operated by the same group. Net360 cited the group’s multiple botnet source codes, IP address pool, and the group’s capacity for continued development. The actual operation of these botnets, however, makes use of the same source code. This is primarily how these groups can be identified as being behind these botnets.
Time will tell what this keksec will do, but it seems that this botnet is being used primarily to DDoS attack gaming servers across the globe, crippling them in the process. The ultimate goal of keksec is unclear, and it might just be to sow chaos just for the fun of it.