Gayfemboy: A Botnet Deliver Through a Four-Faith Industrial Router 0-day Exploit.

Jan. 8, 2025, 10:14 a.m.

Description

The Gayfemboy botnet, discovered in February 2024, has evolved from a simple Mirai derivative into a sophisticated large-scale botnet. It exploits a 0-day vulnerability in Four-Faith industrial routers and unknown vulnerabilities in other devices to spread. With over 15,000 daily active nodes across 40 grouping categories, it targets multiple countries and industries. The botnet's capabilities include self-updating, scanning, and various DDoS attack methods. It has shown aggressive behavior, retaliating against attempts to analyze it. The botnet's evolution demonstrates the persistent threat of DDoS attacks and the need for comprehensive defense strategies.

External References

https://blog.xlab.qianxin.com/gayfemboy-en
https://otx.alienvault.com/pulse/677e4945acd538e9f4a8577a
Tags
ddos
botnet
CVE-2024-12856
four-faith
2025-01-08
0-day
gayfemboy
industrial-router

Date

  • Created: Jan. 8, 2025, 9:45 a.m.
  • Published: Jan. 8, 2025, 9:45 a.m.
  • Modified: Jan. 8, 2025, 10:14 a.m.

Linked vulnerabilities

CVE-2024-12856

7.2
    Four-Faith router F3x24
  • Version(s): 2.0
    Four-Faith router F3x36
  • Version(s): 2.0
Published: December 27, 2024

CVE-2024-8956

9.1
    Ptzoptics
  • Pt30x-Sdi Firmware
  • Pt30x-Sdi
  • Pt30x-Ndi-Xx-G2 Firmware
  • Pt30x-Ndi-Xx-G2
Published: September 17, 2024

CVE-2024-8957

9.8
    Ptzoptics
  • Pt30x-Sdi Firmware
  • Pt30x-Sdi
  • Pt30x-Ndi-Xx-G2 Firmware
  • Pt30x-Ndi-Xx-G2
Published: September 17, 2024

Indicators

  • 209.141.57.222
  • 209.141.55.38
  • 209.141.35.56
  • 203.23.159.152
  • 152.32.237.129
  • 124.71.235.245
  • 123.249.94.157
  • 123.249.99.231
  • 123.249.91.159
  • 123.249.90.23
  • 123.249.82.229
  • 123.249.87.110
  • 123.249.82.162
  • 123.249.68.177
  • 123.249.64.207
  • 123.249.126.147
  • 123.249.116.81
  • 123.249.116.30
  • 123.249.109.227
  • 123.249.103.79
  • 108.233.83.51
  • 101.43.141.112
  • 1.13.102.222
  • 45.145.41.175
  • 123.249.111.22
  • 107.189.28.60
  • 101.42.158.190
  • 209.141.32.148
  • 185.16.39.37
  • 123.249.90.104
  • 178.211.139.105
  • 70.36.99.15
  • 95.214.54.53
  • 198.98.54.234
  • 178.211.139.196
  • 5.181.188.158
  • 193.34.214.123
  • 77.90.22.35
  • 178.211.139.241
  • 45.95.147.211
  • 37.114.63.100
  • 193.42.12.166
  • 209.141.51.21
  • 45.148.10.230
  • 77.90.22.10
  • 94.156.10.164
  • 94.156.10.163
  • 176.97.210.250
  • 45.142.122.187
  • 45.142.182.126
  • 209.141.32.195
  • 45.128.232.200
  • 193.32.162.34
  • 198.98.51.91
  • meowware.ddns.net
  • itns.net
Download all indicators here!

Attack Patterns

  • Gayfemboy
  • Mirai
  • Gayfemboy
  • T1587
  • T1571
  • T1016
  • T1070
  • T1547
  • T1082
  • T1595
  • T1102
  • T1046
  • T1036
  • T1498
  • T1027
  • T1190
  • T1059
  • CVE-2013-7471
  • CVE-2024-12856
  • CVE-2024-8957
  • CVE-2024-8956

Additional Informations

  • Singapore
  • Iran, Islamic Republic of
  • China
  • Germany
  • United Kingdom of Great Britain and Northern Ireland
  • United States of America
  • Russian Federation