D-Link, IoT Devices Under Attack By Tor-Based Gafgyt Variant
A new variant of the Gafgyt botnet, which is actively targeting vulnerable D-Link and Internet of Things devices, is the first variant of the malware to rely on Tor communications.
Gafgyt_tor Botnet: Propagation and New Functionalities
The botnet is mainly propagated through weak Telnet passwords, a common issue on Internet of Things devices, and through the exploitation of three vulnerabilities: a remote code execution flaw (CVE-2019-16920) in D-Link devices; a remote code execution vulnerability in Liferay enterprise portal software (for which no CVE is available); and a flaw (CVE-2019-19781) in Citrix Application Delivery Controller.
Researchers said that the code structure of Gafgyt_tor’s main function – which adds the Tor proxy function to provide the IP server’s address – shows widespread changes.
“The original initConnection() function, which is responsible for establishing the C2 connection, is gone, replaced by a large section of code responsible for establishing the Tor connection,” they said.
New Tor Capabilities, Commands
Within this large section of code is tor_socket_init, a function responsible for initializing a list of proxy nodes, each with an IP address and a port. Researchers said that over 100 Tor proxies can be built in this way, and that new samples continually update the proxy list.
“After initializing the proxy list, the sample will select a random node from the list to enable Tor communication via tor_retrieve_addr and tor_retrieve_port,” said researchers.
After it establishes a connection with the C2, the botnet requests wvp3te7pkfczmnnl.onion through the darknet, from which it then awaits commands.
“The core function of Gafgyt_tor is still DDoS attacks and scanning, so it mostly follows the common Gafgyt directive,” said researchers. They noted that a new directive called LDSERVER has been added to the botnet, which allows the C2 to quickly specify the servers from which payloads are downloaded. This lets the operators change course quickly should an attacker-owned download server be identified and blocked, said researchers.
“This directive means that C2 can dynamically switch download servers, so that it can quickly switch to a new download server to continue propagation if the current one is blocked,” said researchers.
Links to Freak Threat Actor, Other Botnets
Researchers said that the variant shares the same origin as the Gafgyt samples distributed by a threat group that NetLab 360 researchers call the keksec group, and that other researchers call the Freak threat actor. They said that the keksec group reuses code and IP addresses across various other bot families, including the Tsunami botnet as well as the Necro botnet family uncovered in January.
“We think that Gafgyt_tor and Necro are very likely operated by the same group of people, who have a pool of IP addresses and multiple botnet source codes, and have the ability of continuous development,” said researchers. “In actual operation, they form different families of botnets, but reuse infrastructure such as IP address.”
Other Gafgyt Botnet Variants
Gafgyt_tor is only the latest variant of the popular botnet to come to light. In 2019, researchers warned of a new Gafgyt variant adding vulnerable IoT devices to its botnet arsenal and using them to cripple gaming servers worldwide.
In 2018, researchers said they discovered new variants of the Mirai and Gafgyt IoT botnets targeting well-known vulnerabilities in Apache Struts and SonicWall, as well as a separate attack actively launching two IoT/Linux botnet campaigns that exploited the CVE-2018-10562 and CVE-2018-10561 bugs in Dasan routers.
More recently, last year a botnet called Hoaxcalls emerged as a variant of the Gafgyt family. The botnet, which can be marshalled for large-scale distributed denial-of-service (DDoS) campaigns, spreads via an unpatched vulnerability affecting the ZyXEL Cloud CNM SecuManager.
Source: https://threatpost.com