New Gafgyt Botnet Variant Targets Weak SSH Passwords for GPU Crypto Mining (Security News, August 2024)
Cybersecurity researchers have discovered a new variant of the Gafgyt botnet that's targeting machines with weak SSH passwords to ultimately mine cryptocurrency on compromised instances using their GPU computational power.
The infected devices are corralled into a botnet capable of launching distributed denial-of-service attacks against targets of interest.
IoT botnets like Gafgyt are constantly evolving to add new features: variants detected in 2021 used the Tor network to cloak their malicious activity and borrowed modules from the leaked Mirai source code.
The latest attack chains brute-force SSH servers that accept weak passwords, then deploy next-stage payloads that run a cryptocurrency miner ("Systemd-net"), but only after terminating competing malware already running on the compromised host.
The malware also runs a worming module, a Go-based SSH scanner named ld-musl-x86, that scans the internet for poorly secured servers and propagates the malware to them, expanding the botnet.
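The initial access step described above leaves a recognisable trace in OpenSSH logs: a burst of "Failed password" events from one source followed by an "Accepted password" login from the same address. The following detector is an added example written for this page, not code from the article or from the researchers who analysed the variant. It assumes the default syslog-style sshd line format (no year in the timestamp) and uses constructed sample log lines; the threshold and time window are tunable assumptions.

```python
"""Flag SSH password brute-forcing that ends in a successful login.

Added example (not from the original article). Parses OpenSSH auth.log
lines and reports each source IP that accumulates at least `threshold`
failed password attempts and then logs in with a password within
`window_s` seconds, which is the entry pattern the Gafgyt variant relies on.
"""
import re
from collections import defaultdict
from datetime import datetime

# Assumption: default rsyslog format ("Aug 14 03:12:01 host sshd[pid]: ...").
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)
ACCEPTED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Accepted password for (?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

# Constructed sample log lines for the example; not real traffic.
SAMPLE_LOG = """\
Aug 14 03:12:01 host1 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51822 ssh2
Aug 14 03:12:03 host1 sshd[2203]: Failed password for invalid user test from 203.0.113.7 port 51830 ssh2
Aug 14 03:12:05 host1 sshd[2205]: Failed password for root from 203.0.113.7 port 51844 ssh2
Aug 14 03:12:07 host1 sshd[2207]: Failed password for root from 203.0.113.7 port 51851 ssh2
Aug 14 03:12:09 host1 sshd[2209]: Failed password for root from 203.0.113.7 port 51860 ssh2
Aug 14 03:12:11 host1 sshd[2211]: Accepted password for root from 203.0.113.7 port 51872 ssh2
Aug 14 03:15:00 host1 sshd[2301]: Failed password for alice from 198.51.100.5 port 40001 ssh2
Aug 14 03:15:20 host1 sshd[2303]: Accepted publickey for alice from 198.51.100.5 port 40002 ssh2
Aug 14 04:00:00 host1 sshd[2401]: Accepted password for bob from 192.0.2.9 port 33001 ssh2
"""


def parse_ts(ts: str, year: int = 2024) -> datetime:
    """syslog timestamps carry no year; the caller supplies it (assumed 2024)."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def detect_brute_force_success(log_text: str, threshold: int = 5, window_s: int = 600) -> list:
    """Return one finding per password login preceded by >= threshold
    failures from the same IP inside the last window_s seconds.

    Key-based logins ("Accepted publickey") are deliberately ignored:
    they are not the weak-password path the malware exploits.
    """
    failures = defaultdict(list)  # ip -> timestamps of failed password attempts
    findings = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            failures[m["ip"]].append(parse_ts(m["ts"]))
            continue
        m = ACCEPTED_RE.match(line)
        if not m:
            continue
        t = parse_ts(m["ts"])
        ip = m["ip"]
        recent = [f for f in failures[ip] if 0 <= (t - f).total_seconds() <= window_s]
        if len(recent) >= threshold:
            findings.append({"ip": ip, "user": m["user"], "failures": len(recent), "at": t.isoformat()})
            failures[ip].clear()  # one alert per burst, not one per later login
    return findings


if __name__ == "__main__":
    for hit in detect_brute_force_success(SAMPLE_LOG):
        print(f"ALERT {hit['ip']} logged in as {hit['user']} after {hit['failures']} failures at {hit['at']}")
```

On the sample input only 203.0.113.7 is reported: alice's single failure followed by a key-based login and bob's clean password login do not match. The matching control is simpler than the detection: set `PasswordAuthentication no` in sshd_config and use keys, which removes the entry vector this variant depends on entirely.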
"This, combined with the fact that the threat actor's primary impact is crypto-mining rather than DDoS attacks, supports our claim that this variant differs from previous ones. It is aimed at targeting cloud-native environments with strong CPU and GPU capabilities."
News URL
https://thehackernews.com/2024/08/new-gafgyt-botnet-variant-targets-weak.html