GPU Crypto Mining: The Latest Threat from Gafgyt Botnet
Experts at Aqua Security have discovered a new variant of the Gafgyt botnet, which is actively targeting servers with weak SSH passwords operating in cloud environments. The malware exploits the computational power of the compromised devices’ GPUs for cryptocurrency mining.
The Gafgyt botnet (also known as BASHLITE, Lizkebab, Torlus) has been active since 2014 and gained notoriety for its ability to exploit weak or default passwords to gain control over routers, cameras, and DVRs. Gafgyt’s arsenal also includes tools to exploit known vulnerabilities in devices from Dasan, Huawei, Realtek, SonicWall, and Zyxel. Once compromised, these devices become part of a botnet capable of launching DDoS attacks.
The new version of the Gafgyt botnet uses brute-force attacks to compromise SSH servers with weak passwords, after which it launches cryptocurrency miners using the “systemd-net” module. Before doing so, the botnet terminates any competing malware already running on the compromised machine to monopolize the system’s resources.
Additionally, Gafgyt employs a worm written in Go, which scans the internet for poorly secured servers and infects them, thereby expanding the botnet’s reach. The worm scans for exposed SSH and Telnet services and for credentials associated with game servers and cloud environments such as AWS, Azure, and Hadoop.
The primary objective of the attackers is to deploy the XMRig miner, which mines Monero cryptocurrency. In this case, the attackers utilize the --opencl and --cuda flags to leverage the GPU’s computational power.
This new version of the botnet differs from its predecessors by targeting cloud environments with powerful CPUs and GPUs, rather than focusing on DDoS attacks. According to Shodan, there are more than 30 million SSH servers accessible on the internet, underscoring the need for measures to protect against brute-force attacks and potential breaches.
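The two observable traces described above (repeated SSH password failures from one source that eventually succeed, and a miner process carrying the --opencl/--cuda flags or hiding behind the "systemd-net" name) are the natural hooks for host-side detection. The following script is an added example written for this article, not code from Aqua Security or from the botnet itself. It parses constructed sshd log lines in standard syslog format and a constructed process list; treating "systemd-net" as the process name the miner runs under is an assumption drawn from the article's wording, and the pool hostnames and IP addresses are made-up sample values.

```python
import os
import re
from collections import Counter

# Constructed sample sshd lines (syslog format); not taken from the article.
SAMPLE_AUTH_LOG = """\
Aug 14 10:01:02 host sshd[2101]: Failed password for root from 198.51.100.7 port 51022 ssh2
Aug 14 10:01:03 host sshd[2102]: Failed password for invalid user admin from 198.51.100.7 port 51023 ssh2
Aug 14 10:01:04 host sshd[2103]: Failed password for root from 198.51.100.7 port 51024 ssh2
Aug 14 10:01:05 host sshd[2104]: Failed password for root from 198.51.100.7 port 51025 ssh2
Aug 14 10:01:06 host sshd[2105]: Failed password for ubuntu from 198.51.100.7 port 51026 ssh2
Aug 14 10:01:09 host sshd[2106]: Accepted password for root from 198.51.100.7 port 51027 ssh2
Aug 14 10:02:00 host sshd[2107]: Failed password for alice from 203.0.113.5 port 40000 ssh2
Aug 14 10:02:30 host sshd[2108]: Accepted publickey for alice from 203.0.113.5 port 40001 ssh2
"""

FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted (\w+) for (\S+) from (\S+) port")


def find_bruteforce_sources(log_text, threshold=5):
    """Return {ip: {...}} for source IPs with at least `threshold` failed password logins.

    `accepted_after` is True when a password login from that IP succeeded after
    failures, i.e. the pattern of a guessed password rather than a mistyped one.
    """
    failures = Counter()
    usernames = {}
    accepted_after_failures = set()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            user, ip = m.groups()
            failures[ip] += 1
            usernames.setdefault(ip, set()).add(user)
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            method, _user, ip = m.groups()
            # Only password logins matter here; a key login after failures is benign.
            if method == "password" and failures[ip] > 0:
                accepted_after_failures.add(ip)
    return {
        ip: {
            "failures": n,
            "usernames": sorted(usernames[ip]),
            "accepted_after": ip in accepted_after_failures,
        }
        for ip, n in failures.items()
        if n >= threshold
    }


# Constructed process list as (comm, cmdline) pairs, shaped like `ps -eo comm,args`.
# Pool hostnames are placeholders, not real infrastructure from the article.
SAMPLE_PROCESSES = [
    ("sshd", "/usr/sbin/sshd -D"),
    ("systemd-net", "/tmp/.x/systemd-net -o pool.example:3333 --cuda --opencl -k"),
    ("xmrig", "./xmrig --opencl --cuda -o stratum+tcp://pool.example:443"),
    ("systemd-networkd", "/lib/systemd/systemd-networkd"),
    ("python3", "python3 app.py"),
]

GPU_MINER_FLAGS = ("--opencl", "--cuda")   # XMRig GPU backend flags named in the article
KNOWN_MINER_NAMES = ("xmrig",)
LOOKALIKE_NAMES = ("systemd-net",)         # assumption: the "systemd-net" module runs under this name


def flag_miner_processes(processes):
    """Return [(comm, [reasons])] for processes that look like GPU miners."""
    findings = []
    for name, cmdline in processes:
        args = cmdline.split()
        reasons = []
        binary = os.path.basename(args[0]) if args else ""
        if name in KNOWN_MINER_NAMES or binary in KNOWN_MINER_NAMES:
            reasons.append("known miner binary name")
        if any(flag in args for flag in GPU_MINER_FLAGS):
            reasons.append("GPU miner flags")
        # Exact match only, so the legitimate systemd-networkd is not flagged.
        if name in LOOKALIKE_NAMES:
            reasons.append("systemd lookalike name")
        if reasons:
            findings.append((name, reasons))
    return findings


if __name__ == "__main__":
    for ip, info in find_bruteforce_sources(SAMPLE_AUTH_LOG).items():
        print(f"brute-force source {ip}: {info}")
    for name, reasons in flag_miner_processes(SAMPLE_PROCESSES):
        print(f"suspicious process {name}: {', '.join(reasons)}")
```

On a real host, feed `find_bruteforce_sources` the contents of /var/log/auth.log (or `journalctl -u ssh`) and `flag_miner_processes` the output of `ps -eo comm,args`; the sample data above yields one brute-force source whose guessed password was eventually accepted, and two miner processes, while the legitimate systemd-networkd and sshd entries pass untouched.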
Notably, after the onset of the pandemic, between December 14 and 31, 2020, experts identified a total of 18,000 unique hosts and approximately 900 unique payloads. The most common infections involved the Gafgyt and Mirai malware families, which together accounted for 97% of the 900 payloads.