Gafgyt Malware Broadens Its Scope in Recent Attacks

Dec. 3, 2024, 11:03 p.m.

Description

Trend Micro researchers have identified threat actors exploiting misconfigured Docker servers to spread Gafgyt malware, traditionally known for targeting IoT devices. This shift in behavior involves attackers creating Docker containers based on legitimate 'alpine' images to deploy the malware. The attack sequence includes attempts to deploy various Gafgyt botnet binaries, with the potential to launch DDoS attacks on targeted servers. The malware uses hardcoded command-and-control server addresses and can perform DDoS attacks using multiple protocols. The attackers also employ privilege escalation techniques and attempt to discover local IP addresses. This new tactic represents a significant expansion of Gafgyt's targets beyond its usual scope.

External References

https://www.trendmicro.com/en_us/research/24/l/gafgyt-malware-targeting-docker-remote-api-servers.html
https://otx.alienvault.com/pulse/674f4adfccc98806a5625ff4
Tags
privilege-escalation
ddos
iot
botnet
gafgyt
docker
api
2024-12-03
lizkebab
container
bashlite

Date

  • Created: Dec. 3, 2024, 6:15 p.m.
  • Published: Dec. 3, 2024, 6:15 p.m.
  • Modified: Dec. 3, 2024, 11:03 p.m.

Indicators

  • f8388cba15175fa7fda8daacfd095972e1a96faaabeede411f99f42f71ae395b
  • f7004355f2bf653d3f055bc674822f99a8ff3692a02c1aec6b727a782e37b836
  • ed6c93faebd9a60e132f4f952a1b516e758ce0e445b225eb702dfd2c8c2db6c0
  • c1c03eab6bbca461f4a9dc7395103cdb0aa018563e835150c66228f3d7edadaa
  • b7f0ac1551ab58a1b84ba8e63dfc98dd126f7abe686137cbffc8ff95bfbac1ba
  • bb2bd8819045055af5295c23d1293b2d215fabe7dcf097813b9624ab98a13976
  • 6b385dc32daff689c1c448bf5f9151996abbac730e167a9cbfa9111591f253ea
  • a79a9653209c9d942dee0be597e04845fc5250880edcc5c3cb50110153925a03
  • 68c215494fd35e097bf76eb3886b95ec66fdc707ebcf10f221b4db4ac2cd6d70
  • 36ee47d10acbf8fbc7b16d4d237e2be567491b95dcd333856268c6c63a02f358
  • 19778568781fd397ee2415d0a3593ffcaff4f333cdc27e52a1b23e07de08fdb6
  • 156c85a09a1d5d753ce3fd128e0bb6097bb5b18e6cc0ffe6f9bc99a218a21ed9
  • 0b7e14e3305fd25b250ad494c014b0f8dfefaf0f3e8413bd797db12dd2eb9d8c
  • 178.215.238.31
  • 178.215.238.24
  • http://178.215.238.31/bins/atlas.sh4
  • http://178.215.238.31/bins/atlas.mips
  • http://178.215.238.31/bins/atlas.mipsel
  • http://178.215.238.31/bins/atlas.m68k
  • http://178.215.238.31/bins/atlas.i686
  • http://178.215.238.31/bins/atlas.i586
  • http://178.215.238.31/bins/atlas.arm7
  • http://178.215.238.31/bins/atlas.arm6
  • http://178.215.238.31/bins/atlas.arm5
  • http://178.215.238.31/bins/atlas.arm4
Download all indicators here!

Attack Patterns

  • Lizkebab
  • Bashlite
  • Gafgyt