Gafgyt Malware Variant Exploits GPU Power and Cloud Native Environments

Age: 5 months ago
Summary

Aqua Nautilus researchers have discovered a new variant of the Gafgyt botnet that targets machines with weak SSH passwords, both to grow the botnet and to mine cryptocurrency using the victims' GPU power. Gafgyt was originally known for infecting IoT devices such as routers and cameras; this variant goes after more capable servers in cloud-native environments. The attack flow is: brute-force the SSH password, run a few shell commands to inspect and prepare the server, check whether the host is already infected by this variant and kill any competing malware, then execute the payload binaries in memory. The binaries are named to masquerade as legitimate system components, and the miner uses the GPU. The campaign depends entirely on exposed SSH services with guessable credentials, which is why strong authentication and a tight allow-list of SSH users matter. Aqua Security's platform detected the attack at runtime, illustrating that runtime protection can catch this kind of intrusion even after the credential control has failed.

How Blue Rock Helps

The Gafgyt variant gains initial access by brute-forcing weak SSH passwords. BlueRock's SSH Deep Auth and SSH Least Privilege mechanisms address this step by enforcing strong authentication and restricting SSH access to the users who actually need it, which shrinks the set of accounts an attacker can guess against. Once a password is guessed, the attacker runs shell commands to prepare the server and then launches the payload binaries, which the report notes are executed in memory. BlueRock's Container Drift Protection (Binaries & Scripts) covers this stage by blocking executables and scripts that are not part of the original container image, so a binary dropped or loaded by the attacker is stopped before it runs. Note that this control applies to workloads running as containers; the SSH controls are what protect the host itself.
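The "strong authentication and least-privilege SSH" point above can be checked mechanically against an sshd_config. The following is an added example, not BlueRock's or Aqua's code: it reads an sshd_config the way sshd does (keywords are case-insensitive, the first occurrence of a keyword wins, and directives after the first Match line are conditional, so only the global section is evaluated) and reports the settings that a password brute force relies on. The two configs embedded in it are constructed for the example, and the MaxAuthTries threshold of 4 is a chosen hardening value, not something the report specifies.

```python
"""Audit an sshd_config for the settings an SSH password brute force relies on.

Added example; not BlueRock's or Aqua's code. Encodes OpenSSH sshd_config
semantics: keywords are case-insensitive, the first occurrence of a keyword
wins, and everything after the first Match line applies only inside that
block, so only the global (pre-Match) section is evaluated here.
"""
import re

# "Keyword value" or "Keyword=value"; value runs to end of line.
_LINE = re.compile(r"^\s*([A-Za-z]+)\s*(?:=|\s)\s*(.*?)\s*$")


def parse_sshd_config(text: str) -> dict[str, str]:
    """Return the effective global settings, keyword lower-cased."""
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        m = _LINE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "match":
            break  # everything below is conditional on the Match criteria
        settings.setdefault(key, value)  # first occurrence wins, as in sshd
    return settings


def audit_sshd_config(text: str, max_auth_tries: int = 4) -> list[str]:
    """Return findings; an empty list means the password-guessing surface is closed.

    OpenSSH defaults are substituted when a keyword is absent
    (PermitRootLogin defaults to prohibit-password since OpenSSH 7.0).
    """
    s = parse_sshd_config(text)
    findings: list[str] = []
    if s.get("passwordauthentication", "yes") != "no":
        findings.append("PasswordAuthentication is not 'no': guessed passwords are accepted")
    if s.get("permitrootlogin", "prohibit-password") == "yes":
        findings.append("PermitRootLogin yes: root is a password-guessable account")
    if s.get("permitemptypasswords", "no") != "no":
        findings.append("PermitEmptyPasswords yes: accounts with empty passwords can log in")
    tries = int(s.get("maxauthtries", "6"))
    if tries > max_auth_tries:
        findings.append(f"MaxAuthTries {tries}: more than {max_auth_tries} guesses per connection")
    if not (s.get("allowusers") or s.get("allowgroups")):
        findings.append("No AllowUsers/AllowGroups: every local account is reachable over SSH")
    return findings


# Constructed sample configs for the example (hypothetical, not from the report).
WEAK_CONFIG = """\
Port 22
PasswordAuthentication yes
PermitRootLogin yes
MaxAuthTries 10
# This later line is ignored: sshd keeps the first value it obtained.
PasswordAuthentication no
"""

HARDENED_CONFIG = """\
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
PermitRootLogin no
PermitEmptyPasswords no
MaxAuthTries 3
AllowGroups ssh-users
Match Group sftponly
    ForceCommand internal-sftp
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit_sshd_config(cfg) or ['ok']}")
```

The duplicate PasswordAuthentication line in the weak config is the trap worth knowing about: an operator who appends `PasswordAuthentication no` to the end of a file that already says `yes` has changed nothing, because sshd keeps the first value.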

MITRE ATT&CK Techniques Inferred
  • T1110.001: Brute Force: Password Guessing: The attacker initially gained access to the target machine by brute forcing SSH credentials, which were weak. This is evident from the statement: 'In this attack we see a successful brute force attempt on our SSH honeypot which is configured with a very weak password.'
  • T1059.004: Command and Scripting Interpreter: Unix Shell: Once access was gained, the attacker executed shell commands to inspect and prepare the server. This is shown in the article: 'Once access is gained a few commands to inspect and prepare the server are executed.'
  • T1082: System Information Discovery: The attacker conducted system discovery to check if the machine was already infected and to identify any competing malware. This is highlighted by: 'A few checks are conducted mainly to determine if the machine has already been infected by this variant of Gafgyt and to check if another malware is running and if so to kill it.'
  • T1620: Reflective Code Loading: The two payload binaries were executed in memory rather than from a file on disk, as indicated by: 'Next the two binaries are executed in memory.' The original mapping to T1055.001 (Process Injection: Dynamic-link Library Injection) does not fit: DLL injection is a Windows technique and the report describes Linux ELF binaries being run from memory, not code being injected into another process.
  • T1496: Resource Hijacking (T1496.001, Compute Hijacking, in current ATT&CK versions): The attacker ran the XMRIG cryptominer on the compromised host, as described: 'Executing the cryptominer: Figure 4: Executing the XMRIG cryptominer.'
  • Configuration alteration: The attacker modified kernel parameters by editing /etc/sysctl.conf, described in the report as tuning for performance and security: 'Configuration alteration: Figure 6: Modifying configurations /etc/sysctl.conf.' The original mapping to T1490 (Inhibit System Recovery) does not fit, since a sysctl change removes no backups or recovery features. If the change weakens host protections it maps to T1562.001 (Impair Defenses: Disable or Modify Tools); if it only tunes the host for the miner it is part of T1496. The report does not show the exact parameters, so the mapping is left open.
  • T1070.003: Indicator Removal: Clear Command History, and T1070.002: Indicator Removal: Clear Linux or Mac System Logs: The attacker deleted both shell history and log files to evade detection, as indicated by: 'Lastly history and logs files are deleted to evade detection.'
  • T1036.005: Masquerading: Match Legitimate Name or Location: The attacker used masquerading techniques to make their binaries appear as legitimate system components, as noted: 'The names of these binaries indicate that the threat actors are putting emphasis on defense evasion as these names are masquerading as legitimate components related to the Linux operating system environment.'
  • T1105: Ingress Tool Transfer: The attacker downloaded a brute force configuration file from a command and control (C2) server, as shown: 'The function backgroundlogic in the malware is set to download from the threat actor’s server (at 107.189.5.210) the file 1.txt, which is a brute force configuration file containing 179 sets of users and passwords.'
