Researchers identified a new variant of the Gafgyt botnet targeting cloud-native environments by exploiting weak SSH passwords. This variant combines cryptomining with traditional botnet activity, using GPU power to mine cryptocurrency. The attack flow includes brute-forcing SSH credentials, executing malware in memory, killing competing malware, and consuming the compromised servers' resources for mining. The campaign also uses techniques such as system discovery, configuration alteration, and deletion of logs to avoid detection. It is recommended to search your environment for the indicators of compromise.
Gafgyt, also known as Bashlite, is a botnet that has evolved from targeting IoT devices to more robust cloud-native environments. This attack began with brute-force attempts on SSH using weak passwords; upon gaining access, the malware executed two binaries: ld-musl-x86 (a Gafgyt SSH scanner) and systemd-net (an XMR cryptominer). The binaries were loaded directly into memory to avoid detection and used system resources to mine Monero cryptocurrency. The cryptominer exploited GPU power via the --cuda and --opencl flags, indicating that the attack targets high-performance servers rather than the traditional IoT devices observed in earlier Gafgyt campaigns. The malware checks for existing processes and kills competing malware, ensuring that its own operations are prioritized.
The malware uses common system utilities to modify the /etc/sysctl.conf file, changing kernel parameters, and deletes shell history and log files to hinder detection. This new variant also shifts focus toward cloud-native environments, evident from the use of usernames like "AWS" and "Azure" in the brute-force attempts.