Gafgyt Targeting Huawei and Asus Routers and Killing Off Rival IoT Botnets

Gafgyt (also known as Bashlite) is one of the most common types of malware infecting IoT devices, and has been active since 2014. A new variant of this notorious malware continues to target small office and home office (SOHO) routers from well-known brands, including Huawei and Asus. Gafgyt’s core functionality remains the same, that is, attacking IoT devices with multiple hardcoded exploits in order to take control and harness their power for DDoS attacks. However, for this new campaign the Gafgyt author has introduced techniques designed to remove rival IoT malware.

• This Gafgyt campaign targets 48 different malware variants in an attempt to spread further than previous iterations of the malware.
• 56% of the malware species on the kill list are known rival IoT botnets (thingbots).
• Huawei HG532 and Asus routers are targeted in this new campaign through known vulnerabilities released in 2017 and 2018: CVE-2017-17215¹ and CVE-2018-15887.²
• Gafgyt DoS attacks target game servers, specifically Valve Source Engine servers, which is in line with the age demographic we’ve seen creating IoT botnets.
• The Dropzone server IP is located in the US, inside the Hostwind hosting provider network.

Stage 1: SOHO Router Targeting via RCE CVEs with Exploits

In this campaign, Gafgyt is targeting the following Huawei and Asus routers:

Gafgyt uses two Remote Code Execution (RCE) vulnerabilities, both of which are more than a year old, to exploit targeted SOHO routers:

1. CVE-2017-17215 (Huawei): A Remote Code Execution (RCE) vulnerability allowing an authenticated attacker to send malicious packets to the Universal Plug and Play (UPnP) service port 37215 to launch attacks.
2. CVE-2018-15887 (Asus): An RCE vulnerability that allows an authenticated remote attacker to execute arbitrary OS commands via service parameters.

Following the exploitation of the vulnerabilities, Gafgyt:

1. Downloads the payload using “wget” command
2. Stores the payload in “/tmp” directory
3. Makes the payload accessible using “chmod 777 <filename>”
4. Runs the payload

Stage 2: Kill Competing Bots

The most common way to keep a botnet active is to kill off other rival bots that have already infected target devices. This latest Gafgyt campaign includes a preconfigured target list of other active botnets, including some very well known IoT botnets, as well as some malware species novel to F5 Labs.

Of the 48 different malware variants targeted in Gafgyt’s kill list, 56% of them are known IoT bots. We are still investigating the other 46% that are unknown or obscure. Some of these are known IoT botnet creators that could have also named a bot after themselves, or they are AKAs of other known bots. Others are offensive names typical of the malware creator persona.

This technique of competitive exclusion has been seen in other malware species, including the IoT botnet Mirai and the new crypto-miner Golang malware, which attempts to kill off rival crypto-miners in the fierce competition for scarce resources, in this case vulnerable devices.

Also included in Gafgyts’ kill list are targeted architectures, services, servers and bot processes.

Target Architectures:

• 440fp
• armv4
• armv5
• armv6
• armv7
• i586
• i686
• m68k
• mips
• powerpc
• ppc
• sh4
• sparc
• superh
• x86

Target services, servers and bot process:

• apache2
• bash
• cron
• ftp
• irc
• ntpd
• openssh
• pftp
• sh
• sshd
• telnet
• telnetd
• tftp
• wget
• httpflood
• lolnogtfo
• stdflood
• tcpflood
• udpflood

Stage 3: DoS attack

Once Gafgyt infects a targeted IoT device, the malware initiates DDoS attacks against requested targets. In this campaign researchers noticed three different kinds of DDoS attacks:

• Vseattack: Attack related to game servers running Valve Source Engine.
• sendHTTPHex: Type of HTTP flooding attack that uses nonsensical hexadecimal to consume resources on the targeted server.
• Ovhflood: Attack against services secured by OVH.

The functions shown in Figure 5 show the DDoS attacks seen in Gafgyt campaign after compromising Huawei & Asus routers.

The focus on vseattacks, which specifically target popular game servers, is particularly notable. Some of the games running on Valve Source Engine include Counter Strike, Team Fortress and Half-Life 2.³ The reason why game servers are a popular target for IoT botnets is due to the young age of many of these botnet creators. As we noted in the Hunt for IoT research series, script kiddies learn to build botnets from YouTube, then use their skills to DoS rival game servers as a way to sabotage or take revenge against other players.

Conclusion

This latest Gafgyt campaign shows that the malware is evolving and taking on techniques used by other malware authors. Those interested in building botnets don’t need to go far in order to find source code to create their own. Botnets for service are also common and easy to buy. They are advertised on a variety of platforms, including Instagram, and we recently wrote about the ease of compromising IoT devices, even for children.

Gafgyt, in particular, is a botnet that defenders should keep an eye on. Gafgyt’s campaigns are typically active for a long time, and it has continued to enhance its attack services and exploits for different devices. In order to stay in relevant in the IoT botnet world, it has expanded its list of rival bots, and removes them from targeted devices.

The Huawei routers being targeted by this variant/campaign are older routers. Researchers recommend replacing older routers to newer models, both for performance and security, and regularly updating newer routers to maximize protection. Most importantly, vendor default credentials should be disabled on all IoT systems (as Huawei recommended for CVE-2017-17215).

Security Controls

Enterprises and individuals should consider implementing the following security controls, depending on their specific circumstances (for a longer list of IoT hardening suggestions see the conclusion for the Hunt for IoT volume 4):