Chainxin X Lab researchers have discovered a new botnet, dubbed Gayfemboy, that is spreading aggressively. The malware mainly targets routers and other internet-connected devices.
Among the botnet's favourite targets are routers from Four-Faith and Neterbit, and Vimar home-automation (smart home) devices. Targets also include routers from Asus, LB-Link, and Huawei.
Zero-day vulnerabilities exploited
To take control of these devices, the botnet exploits zero-day vulnerabilities: flaws that were unknown to the vendor at the time the attackers began using them, and for which no patch existed. Such flaws are a godsend for cybercriminals, because nothing on the device can be updated to close them. According to the researchers, Gayfemboy relies on more than 20 different vulnerabilities.
One of these flaws was only disclosed publicly last month, well after the botnet had begun exploiting it. Tracked as CVE-2024-12856, it is an operating-system command injection in the web management interface of Four-Faith industrial routers: an attacker who reaches that interface with the factory default credentials, which many deployments never change, can inject shell commands and take full control of the router. Because the default password makes the login step meaningless, the flaw is in practice unauthenticated remote command execution. Changing the default password removes the precondition the botnet relies on, but the injection itself still needs a firmware fix from the vendor. According to the latest figures, more than 15,000 internet-exposed Four-Faith routers are affected.
A variant of the Mirai botnet
The Gayfemboy botnet is built on the source code of Mirai, a piece of IoT malware first identified in 2016. Mirai initially targeted IoT (Internet of Things) devices such as connected cameras, routers, and other smart devices, getting in through default credentials or weak passwords. It also kills competing malware on infected devices so that it alone holds the device's resources.
Its source code was leaked publicly by its author shortly afterwards, which let other cybercriminals modify it and create aggressive variants such as Mozi, Okiru, and Satori.
Active since early last year, the Gayfemboy botnet is mainly active in China, the United States, Russia, Turkey, and Iran. The network currently includes around 15,000 infected devices, scattered across these countries. It spreads in intermittent waves rather than continuously.
This is not the only Mirai variant spreading around the world. A few days ago, cybersecurity researchers at Fortinet identified a sharp increase in infections by Ficora, another version of Mirai specifically designed to exploit vulnerabilities in D-Link routers.
The starting point for DDoS attacks
Like Ficora, the new botnet identified by Chainxin X Lab uses compromised devices to orchestrate DDoS (Distributed Denial of Service) attacks. Through its network of compromised devices, the botnet floods the targeted site's servers with far more requests than they can handle, leaving the site unreachable for the duration of the attack.
As a general rule, Gayfemboy attacks are short: they do not exceed 30 seconds, but they are intense, and even well-provisioned servers risk being overwhelmed for that window. Victims are mainly located in China, the United States, Germany, the United Kingdom, and Singapore, and span a variety of sectors.
Every day, the network of devices compromised by Gayfemboy attacks hundreds of different entities, according to the Chainxin X Lab report. The number of attacks rose sharply between October and November 2024.
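The attack profile described above (floods of well under a minute, coming from many devices at once) is what a defender would want to pick out of server logs after the fact. The following is an added example, not code from the Chainxin X Lab report or from this article: it parses constructed access-log lines in the common Apache/nginx combined format, counts requests and distinct client addresses per second, groups consecutive seconds above a request-rate threshold into bursts, and flags those that are both short (at most 30 seconds, the bound given above) and spread across many sources. The thresholds, the sample traffic, and the function names are assumptions for illustration.

```python
"""Pick out short, distributed request floods from web server access logs.

Added example: detects the burst pattern described in the article in
constructed, not real, log data.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Combined/common log format: client IP, ident, user, [timestamp tz], "request", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^ \]]+) [+-]\d{4}\] '
    r'"(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S"


@dataclass
class Burst:
    start: datetime          # first second at or above the rate threshold
    seconds: int             # consecutive seconds the rate stayed above it
    requests: int            # total requests in the burst
    peak_rps: int            # highest single-second request count
    sources: int             # distinct client addresses seen during the burst
    short_distributed: bool  # short AND many sources: the botnet-style pattern


def parse_line(line):
    """Return (client_ip, timestamp) for a log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT)


def per_second_stats(lines):
    """Bucket requests by second: request count and set of client IPs per second."""
    counts = defaultdict(int)
    sources = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines instead of aborting the scan
        ip, ts = parsed
        counts[ts] += 1
        sources[ts].add(ip)
    return counts, sources


def find_bursts(lines, rate_threshold=100, min_sources=20, max_seconds=30):
    """Group consecutive seconds at or above rate_threshold into Burst records.

    Thresholds are illustrative assumptions; tune them to the site's baseline.
    A burst is flagged short_distributed when it lasts at most max_seconds and
    involves at least min_sources distinct client addresses.
    """
    counts, sources = per_second_stats(lines)
    bursts, run = [], []

    def close_run():
        if not run:
            return
        seen = set().union(*(sources[s] for s in run))
        bursts.append(Burst(
            start=run[0],
            seconds=len(run),
            requests=sum(counts[s] for s in run),
            peak_rps=max(counts[s] for s in run),
            sources=len(seen),
            short_distributed=len(run) <= max_seconds and len(seen) >= min_sources,
        ))
        run.clear()

    for ts in sorted(counts):
        if counts[ts] < rate_threshold:
            close_run()  # a quiet second ends any open run
            continue
        if run and ts - run[-1] != timedelta(seconds=1):
            close_run()  # a gap (a second with no logged requests) also ends it
        run.append(ts)
    close_run()
    return bursts


def log_line(ip, ts, request, status, size):
    """Format one constructed access-log line."""
    return f'{ip} - - [{ts.strftime(TS_FMT)} +0000] "{request}" {status} {size}'


def build_sample_log():
    """Constructed traffic: 60 s of two ordinary clients, with a 12 s flood
    from 40 addresses at 200 requests/s in the middle (seconds 20-31)."""
    base = datetime(2025, 1, 8, 12, 0, 0)
    lines = []
    for sec in range(60):
        ts = base + timedelta(seconds=sec)
        for ip in ("198.51.100.7", "198.51.100.9"):
            lines.append(log_line(ip, ts, "GET / HTTP/1.1", 200, 512))
        if 20 <= sec < 32:
            for i in range(200):
                lines.append(log_line(f"203.0.113.{i % 40 + 1}", ts,
                                      f"GET /?cb={i} HTTP/1.1", 503, 0))
    return lines


if __name__ == "__main__":
    for b in find_bursts(build_sample_log()):
        print(f"{b.start} {b.seconds}s {b.requests} req, peak {b.peak_rps}/s, "
              f"{b.sources} sources, short_distributed={b.short_distributed}")
```

On the constructed sample this reports a single 12-second burst of 2,424 requests from 42 distinct addresses and flags it as short and distributed; a sustained flood from one address would produce a burst record but not the flag, which is the distinction that separates a botnet-style pulse from a single abusive client. Seconds with no requests at all never appear in the per-second buckets, so the gap check on consecutive timestamps is what keeps two separate pulses from being merged into one.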
Source: Chainxin X Lab