Gafgyt Malware Variant Exploits GPU Power and Cloud Native Environments

Threat Information
Summary

A new variant of the Gafgyt botnet has been discovered by Aqua Nautilus researchers, targeting machines with weak SSH passwords to expand the botnet and mine cryptocurrency using GPU power. Initially known for targeting IoT devices like routers and cameras, Gafgyt has evolved to attack more robust servers in cloud-native environments. The attack flow involves brute-forcing SSH passwords, executing binaries in memory, and conducting system checks to eliminate competing malware. The malware includes components masquerading as legitimate system files, and uses GPU capabilities for cryptomining. The campaign leverages exposed SSH services, highlighting the need for strong authentication practices. Aqua Security's platform detected the attack in real-time, illustrating the effectiveness of runtime protection in mitigating such threats.

How BlueRock Helps

The Gafgyt malware variant begins its attack by brute-forcing weak SSH passwords to gain initial access to target machines. BlueRock's SSH Deep Auth & SSH Least Privilege mechanism effectively mitigates this step by enforcing strong authentication practices and limiting SSH access to only necessary users, thereby reducing the attack surface. Once access is gained, the attacker executes shell commands to prepare the server for further exploitation. Here, BlueRock's Container Drift Protection (Binaries & Scripts) comes into play by preventing unauthorized executables and scripts from running, thus blocking the execution of malicious binaries that are not part of the original container image. This mechanism ensures that any attempt to execute unauthorized code is thwarted, protecting the system from further compromise.
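As an added illustration of the brute-force detection that the logging and SSH hardening described above rely on (example code written for this page, not BlueRock's mechanism or code from the Aqua Nautilus article), the following Python reads sshd authentication lines in the standard syslog format and flags a source address that produces a burst of failed password attempts followed by an accepted login. The log lines are constructed for the example, and the threshold and time window are assumptions to tune per environment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample sshd lines (not from the article): a burst of failures
# from one source followed by an accepted password login, plus one unrelated
# failure from another host.
SAMPLE_AUTH_LOG = """\
Jan 14 10:00:01 host sshd[2310]: Failed password for root from 198.51.100.7 port 51022 ssh2
Jan 14 10:00:03 host sshd[2311]: Failed password for invalid user admin from 198.51.100.7 port 51030 ssh2
Jan 14 10:00:05 host sshd[2312]: Failed password for root from 198.51.100.7 port 51041 ssh2
Jan 14 10:00:07 host sshd[2313]: Failed password for invalid user hadoop from 198.51.100.7 port 51055 ssh2
Jan 14 10:00:09 host sshd[2314]: Failed password for invalid user devops from 198.51.100.7 port 51060 ssh2
Jan 14 10:00:11 host sshd[2315]: Accepted password for root from 198.51.100.7 port 51072 ssh2
Jan 14 10:05:00 host sshd[2400]: Failed password for root from 203.0.113.9 port 40001 ssh2
"""

# Matches the "Failed password" / "Accepted password" lines sshd writes to syslog.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

def parse_line(line, year=2024):
    """Parse one sshd line; syslog has no year, so one is assumed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]}

def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=2)):
    """Return alerts as (src, kind, detail) tuples.
    kind is 'burst' when `threshold` failures from one source fall inside
    `window`, and 'success_after_burst' when an accepted login follows a burst,
    which is the outcome the article describes on the honeypot."""
    recent = defaultdict(deque)   # src -> timestamps of failures inside the window
    flagged = set()
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        q = recent[ev["src"]]
        while q and ev["ts"] - q[0] > window:   # expire old failures
            q.popleft()
        if ev["result"] == "Failed":
            q.append(ev["ts"])
            if len(q) >= threshold and ev["src"] not in flagged:
                flagged.add(ev["src"])
                alerts.append((ev["src"], "burst", f"{len(q)} failures within {window}"))
        elif ev["src"] in flagged or len(q) >= threshold:
            alerts.append((ev["src"], "success_after_burst", f"user {ev['user']}"))
    return alerts

if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_AUTH_LOG.splitlines()):
        print(alert)
```

The 'success_after_burst' alert is the one worth paging on: a burst alone is background noise on any internet-facing host, but a burst that ends in an accepted login means the password guessing worked and the follow-on activity in the attack chain should be expected.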

MITRE ATT&CK Techniques Inferred
  • T1110.001: Brute Force: Password Guessing: The attacker initially gained access to the target machine by brute forcing SSH credentials, which were weak. This is evident from the statement: 'In this attack we see a successful brute force attempt on our SSH honeypot which is configured with a very weak password.'
  • T1059.004: Command and Scripting Interpreter: Unix Shell: Once access was gained, the attacker executed shell commands to inspect and prepare the server. This is shown in the article: 'Once access is gained a few commands to inspect and prepare the server are executed.'
  • T1082: System Information Discovery: The attacker conducted system discovery to check if the machine was already infected and to identify any competing malware. This is highlighted by: 'A few checks are conducted mainly to determine if the machine has already been infected by this variant of Gafgyt and to check if another malware is running and if so to kill it.'
  • T1055.001: Process Injection: Dynamic-link Library Injection: The attacker used two binaries that were executed in memory to avoid detection, as indicated by: 'Next the two binaries are executed in memory.'
  • T1496: Resource Hijacking: The attacker executed a cryptomining operation using the XMRIG cryptominer, as described: 'Executing the cryptominer: Figure 4: Executing the XMRIG cryptominer.'
  • T1490: Inhibit System Recovery: The attacker modified system configurations to optimize performance and security, such as altering the /etc/sysctl.conf file. This is noted in: 'Configuration alteration: Figure 6: Modifying configurations /etc/sysctl.conf.'
  • T1070.003: Indicator Removal: Clear Command History: The attacker deleted history and log files to evade detection, as indicated by: 'Lastly history and logs files are deleted to evade detection.'
  • T1036.005: Masquerading: Match Legitimate Name or Location: The attacker used masquerading techniques to make their binaries appear as legitimate system components, as noted: 'The names of these binaries indicate that the threat actors are putting emphasis on defense evasion as these names are masquerading as legitimate components related to the Linux operating system environment.'
  • T1105: Ingress Tool Transfer: The attacker downloaded a brute force configuration file from a command and control (C2) server, as shown: 'The function backgroundlogic in the malware is set to download from the threat actor’s server (at 107.189.5.210) the file 1.txt, which is a brute force configuration file containing 179 sets of users and passwords.'

Fact-Based Attack Chains
F1: Initial compromise via SSH brute-force followed by system preparation and payload execution from memory.
  • Attacker identifies an internet-connected server with SSH exposed. (Cited from: "internet connected SSH", "Shodan ... uncovered more than 30 million internet connected instances")
      ◦ BR-43: System Logging - This mechanism logs system events, which could potentially include network scanning activity if configured appropriately, aiding in post-incident forensics.
  • Attacker successfully performs a brute force attack against the SSH service using weak credentials. (Cited from: "successful brute force attempt on our SSH honeypot which is configured with a very weak password", "initial access is gained by brute forcing to an internet connected SSH with weak password")
      ◦ BR-53: SSH Deep Auth & SSH Least Privilege - This mechanism is applicable because it enhances SSH security beyond simple passwords by using ephemeral certificate-based authentication and cryptographically signed tokens, preventing brute-force success even with weak passwords.
      ◦ BR-43: System Logging - This mechanism logs system events, including failed and successful login attempts, which helps in detecting brute-force attacks.
  • Once SSH access is gained, the attacker executes initial shell commands to inspect the server. (Cited from: "executes some shell commands via the SSH connection", "Once access is gained a few commands to inspect and prepare the server are executed")
      ◦ BR-55: Reverse Shell Protection - This mechanism is applicable if the attacker attempts to use shell commands to establish a reverse shell connection, as it blocks the binding of shell STDIN/STDOUT/STDERR to network sockets.
      ◦ BR-43: System Logging - This mechanism is applicable because it logs process creation events, capturing the execution of shell commands for forensic analysis.
      ◦ BR-90: Process Exec Deny - This mechanism could apply if specific shell commands or utilities used for inspection (like curl, wget) are explicitly denied execution.
      ◦ BR-88: Process Path Exec Allow - This mechanism could apply if the attacker attempts to execute inspection tools from a path not on the allowlist.
  • Attacker performs checks to determine if the machine is already infected with this Gafgyt variant or running competing malware. (Cited from: "determine if the machine has already been infected by this variant of Gafgyt", "check if another malware is running and if so to kill it")
      ◦ BR-43: System Logging - This mechanism is applicable as it logs process discovery (T1057) and execution events, aiding in detecting reconnaissance activities.
      ◦ BR-60: Deep Forensics - This mechanism is applicable as it can capture process trees and other forensic data upon detecting suspicious activity, helping analyze discovery steps.
      ◦ BR-88: Process Path Exec Allow - This mechanism could block discovery tools if executed from disallowed paths.
      ◦ BR-90: Process Exec Deny - This mechanism could block specific discovery tools if their names are on the deny list.
  • Attacker terminates processes associated with potential competing malware. (Cited from: "Killing competition")
      ◦ BR-43: System Logging - This mechanism is applicable because it logs process termination events.
      ◦ BR-83: Syscall Deny Filter - This mechanism could potentially be configured to deny the kill syscall, preventing the termination of processes.
      ◦ BR-30: Process Credential Protection - This mechanism could prevent the attacker from gaining the necessary privileges to terminate other processes.
      ◦ BR-88: Process Path Exec Allow - This mechanism could block the execution of the kill command or related tools if run from a disallowed path (though unlikely for standard tools).
      ◦ BR-90: Process Exec Deny - This mechanism could block the execution of the kill command if explicitly denied.
  • Attacker transfers two primary payloads (ELF binaries) to the compromised host via the established SSH connection. (Cited from: "transfers the main payloads", "2 payloads are passed via the newly established SSH connection")
      ◦ BR-53: SSH Deep Auth & SSH Least Privilege - This mechanism applies by potentially preventing the initial SSH access required for the transfer.
      ◦ BR-43: System Logging - This mechanism logs system events, which might include file creation/modification if configured, providing forensic evidence of the transfer.
  • The first payload, identified as a Gafgyt SSH scanner (ld-musl-x86), is dropped into memory (/dev/shm) and executed. (Cited from: "two ELF files dropped to memory (/dev/shm)", "The first one is ld-musl-x86 ... detected in Virus Total (VT) as Gafgyt SSH scanner", "Executing the worm")
      ◦ BR-54: Container Drift Protection (Binaries & Scripts) - This mechanism is directly applicable because it prevents the execution of any binary (like ld-musl-x86) that was not part of the original container image, especially when executed from a non-standard path like /dev/shm.
      ◦ BR-88: Process Path Exec Allow - This mechanism is applicable because it would block the execution of the binary if /dev/shm is not configured as an allowed execution path.
      ◦ BR-85: Ephemeral Filesystem Behavior Analysis - This mechanism is applicable as it specifically detects and alerts on script/binary execution from memory-backed filesystems like /dev/shm.
      ◦ BR-43: System Logging - This mechanism logs the process execution event.
      ◦ BR-90: Process Exec Deny - This mechanism could apply if a policy denies execution based on the binary name or path suffix.
  • The second payload, identified as an XMRig cryptominer (systemd-net), is dropped into memory (/dev/shm) and executed with flags (--cuda, --opencl) indicating GPU usage. (Cited from: "The second one is systemd-net ... detected in VT as an XMR cryptominer", "Executing the cryptominer", "execution code of the miner includes the flags --cuda and --opencl")
      ◦ BR-54: Container Drift Protection (Binaries & Scripts) - This mechanism is directly applicable because it prevents the execution of any binary (like systemd-net) that was not part of the original container image, especially when executed from /dev/shm.
      ◦ BR-88: Process Path Exec Allow - This mechanism is applicable because it would block the execution of the binary if /dev/shm is not configured as an allowed execution path.
      ◦ BR-85: Ephemeral Filesystem Behavior Analysis - This mechanism is applicable as it specifically detects and alerts on script/binary execution from memory-backed filesystems like /dev/shm.
      ◦ BR-43: System Logging - This mechanism logs the process execution event.
      ◦ BR-90: Process Exec Deny - This mechanism could apply if a policy denies execution based on the binary name or path suffix.
  • Attacker modifies the /etc/sysctl.conf file to potentially alter kernel parameters for performance or evasion. (Cited from: "Modifying configurations /etc/sysctl.conf")
      ◦ BR-75: Critical Directory Write Protection - This mechanism is applicable if /etc or specifically /etc/sysctl.conf is configured as a critical directory, as it would block unauthorized write attempts.
      ◦ BR-25: Read-Only File Protection - This mechanism could apply if /etc/sysctl.conf were marked as read-only and the modification attempt used a pipe-based technique, although this specific file is typically writable by root.
      ◦ BR-24: File Operations Protection - This mechanism monitors file operation data structures and could detect tampering related to file modification.
      ◦ BR-43: System Logging - This mechanism can log file modification events, providing forensic evidence.
      ◦ BR-31: Privileged Inode Protection - This mechanism could apply if the modification involves changing inode attributes like permissions in an unauthorized way.
      ◦ BR-46: DirtyCred Protection - This mechanism monitors for unauthorized writes to read-only files, which might be relevant if the attacker uses a DirtyCred-like exploit to gain write access.
  • Attacker deletes command history and log files to cover tracks and evade detection. (Cited from: "history and logs files are deleted to evade detection", "History deletion")
      ◦ BR-75: Critical Directory Write Protection - This mechanism is applicable if log directories (e.g., /var/log) or user home directories containing history files are configured as critical, blocking deletion/modification.
      ◦ BR-91: Sensitive File Access - This mechanism is applicable if specific history files (e.g., ~/.bash_history) or log files are configured as sensitive, blocking access attempts.
      ◦ BR-24: File Operations Protection - This mechanism monitors file operations and could detect unauthorized deletion attempts.
      ◦ BR-43: System Logging - This mechanism logs events; while the attacker aims to delete logs, the logging itself provides a record up to the point of deletion, and centralized logging can preserve logs off-host.
      ◦ BR-52: Data Resource Mandatory Access Control - This mechanism could apply if log directories/files are defined as critical data resources and the deletion tool is not an allowed binary.
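The following Python is an added example, not BlueRock's mechanism and not code from the article, of how a runtime detector could triage process-exec events for the host-side behaviours in F1: execution from a memory-backed filesystem such as /dev/shm, a binary whose name imitates a system component (ld-musl-x86, systemd-net) but runs outside the directory where that component lives, XMRig-style GPU flags, and deletion of history or log files. The event records are constructed; the expected-directory table, the option list and the wipe-tool list are assumptions to adapt to the environment.

```python
import os
import shlex

# Memory-backed filesystems that packaged software never executes from.
MEMORY_BACKED_PREFIXES = ("/dev/shm/", "/run/shm/")
# Assumed table: where binaries carrying these well-known system name prefixes
# legitimately live. A matching name outside these directories is masquerading.
EXPECTED_DIRS = {
    "ld-musl": ("/lib/", "/usr/lib/"),
    "systemd-": ("/usr/lib/systemd/", "/lib/systemd/", "/usr/bin/"),
}
# XMRig-style command-line options (assumed list; extend as needed).
MINER_FLAGS = {"--cuda", "--opencl", "--donate-level", "--algo", "-o", "--url"}
WIPE_TOOLS = {"rm", "shred", "truncate", "unlink"}

def analyse_exec(event):
    """Return the list of finding tags for one process-exec event.
    event: {"pid": int, "exe": resolved executable path, "cmdline": full command line}"""
    exe = event["exe"]
    argv = shlex.split(event["cmdline"])
    tags = []
    if exe.startswith(MEMORY_BACKED_PREFIXES):
        tags.append("exec_from_memory_fs")
    name = os.path.basename(exe)
    for prefix, dirs in EXPECTED_DIRS.items():
        if name.startswith(prefix) and not exe.startswith(dirs):
            tags.append(f"masquerade:{prefix}")
    # option names only: "--donate-level=1" -> "--donate-level"
    opts = {a.split("=", 1)[0] for a in argv[1:] if a.startswith("-")}
    if opts & MINER_FLAGS:
        tags.append("miner_flags")
    if opts & {"--cuda", "--opencl"}:
        tags.append("gpu_mining")
    if os.path.basename(argv[0]) in WIPE_TOOLS and any(
        "history" in a or a.startswith("/var/log") for a in argv[1:]
    ):
        tags.append("history_or_log_wipe")
    return tags

def triage(events):
    """Map pid -> findings for every event that produced at least one finding."""
    result = {}
    for ev in events:
        tags = analyse_exec(ev)
        if tags:
            result[ev["pid"]] = tags
    return result

# Constructed sample events (not taken from the article's telemetry).
SAMPLE_EVENTS = [
    {"pid": 4101, "exe": "/dev/shm/ld-musl-x86", "cmdline": "/dev/shm/ld-musl-x86"},
    {"pid": 4102, "exe": "/dev/shm/systemd-net",
     "cmdline": "/dev/shm/systemd-net --cuda --opencl -o pool.example.invalid:3333"},
    {"pid": 4103, "exe": "/usr/lib/systemd/systemd-networkd",
     "cmdline": "/usr/lib/systemd/systemd-networkd"},
    {"pid": 4104, "exe": "/usr/bin/ls", "cmdline": "ls -la /dev/shm"},
    {"pid": 4105, "exe": "/usr/bin/rm", "cmdline": "rm -f /root/.bash_history /var/log/wtmp"},
]

if __name__ == "__main__":
    for pid, tags in triage(SAMPLE_EVENTS).items():
        print(pid, tags)
```

Note that the real systemd-networkd is left alone because its path matches the expected directory, which is the point of keying the masquerade check on path rather than name alone; shell builtins such as "history -c" never reach an exec tracer, so the wipe check only sees external tools.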
F2: Propagation and targeting phase of the Gafgyt variant, involving credential fetching, scanning, and specific targeting of cloud-native environments.
  • The executed Gafgyt binary (ld-musl-x86) contacts a hardcoded C2 server IP address (107.189.5.210). (Cited from: "C2 IP address hard coded in Gafgyt", "The function backgroundlogic in the malware is set to download from the threat actor’s server (at 107.189.5.210)")
      ◦ BR-87: Process Socket Deny - This mechanism is applicable because it can prevent the ld-musl-x86 process from initiating outbound network connections if it's not on the allow list.
      ◦ BR-43: System Logging - This mechanism can log network connection attempts if configured, aiding forensics.
  • The malware downloads a configuration file (1.txt) containing a list of username/password pairs for brute-forcing. (Cited from: "download from the threat actor’s server ... the file 1.txt, which is a brute force configuration file containing 179 sets of users and passwords")
      ◦ BR-87: Process Socket Deny - This mechanism is applicable as it can block the network connection needed for the download if the malware process is not allowed.
      ◦ BR-80: Tainted File Download Protection - This mechanism might apply if the download is performed by wget or curl (though the article implies the malware does it directly) and if the file were mistakenly identified as code (unlikely for a credential list).
      ◦ BR-43: System Logging - This mechanism can log network activity and file creation.
      ◦ BR-90: Process Exec Deny - This mechanism could apply if the download is attempted using a denied tool like wget or curl.
  • The downloaded credential list includes usernames targeting general Linux systems (admin, app), gaming servers (counterstrike, minecraft), IoT devices (nvidia, raspberrypi), and specifically cloud-native environments (Hadoop, AWS, Azure, Ansible, devops). (Cited from: "In the general purpose you can see usernames such as admin, app...", "Under the gaming classification you can observe usernames such as counterstrike or minecraft", "Under IoTs you can see nvidia, raspberrypi...", "In the cloud native category, we observe Hadoop, AWS, Azure, Ansible, devops...")
  • The Gafgyt malware uses the obtained credential list to scan the internet for exposed SSH and Telnet services. (Cited from: "scanning the internet for exposed SSH and Telnet services")
      ◦ BR-87: Process Socket Deny - This mechanism is applicable as it can prevent the malware process from initiating the outbound connections required for scanning if it's not on the allow list.
      ◦ BR-43: System Logging - This mechanism can log network scanning activity.
  • Upon finding potential targets, the malware conducts brute-force attacks using the credential list. (Cited from: "conducting brute force")
      ◦ BR-87: Process Socket Deny - This mechanism is applicable as it can prevent the malware process from making outbound connections to target SSH/Telnet services if not allowed.
      ◦ BR-53: SSH Deep Auth & SSH Least Privilege - This mechanism applies to the targets of the brute-force attack, making them resilient even if scanned.
      ◦ BR-43: System Logging - This mechanism can log the outbound connection attempts.
  • The malware inspects potential victims to verify they are real servers and not honeypots before initiating infection. (Cited from: "inspecting the findings and initiating infection", "using various checks to establish that this is a real server with the service running probably to avoid infecting low interaction honeypots")
      ◦ BR-87: Process Socket Deny - This mechanism is applicable as it can block the network connections needed for inspection if the malware process is not allowed.
      ◦ BR-43: System Logging - This mechanism can log the inspection activities.
  • Successfully compromised machines are infected, becoming part of the botnet to repeat the scanning and infection cycle. (Cited from: "initiate similar attack", "the honeypot becomes a part of the botnet, scanning the internet")
      ◦ BR-53: SSH Deep Auth & SSH Least Privilege - Protects the new victim from the initial brute-force.
      ◦ BR-54: Container Drift Protection (Binaries & Scripts) - Prevents payload execution on the new victim.
      ◦ BR-88: Process Path Exec Allow - Prevents payload execution from disallowed paths on the new victim.
      ◦ BR-85: Ephemeral Filesystem Behavior Analysis - Detects payload execution from memory on the new victim.
      ◦ BR-87: Process Socket Deny - Prevents the newly infected bot from scanning/propagating further.
  • Simultaneously, the XMRig cryptominer (systemd-net) utilizes the host's CPU and GPU resources (indicated by --cuda and --opencl flags) to mine cryptocurrency (Monero). (Cited from: "Executing the XMRIG cryptominer", "The cryptominer in use is XMRIG, a Monero cryptocurrency miner", "run a cryptominer using the --opencl and --cuda flags, which leverage GPU and Nvidia GPU computational power")
      ◦ BR-54: Container Drift Protection (Binaries & Scripts) - Prevents the execution of the cryptominer if it wasn't in the original image.
      ◦ BR-88: Process Path Exec Allow - Prevents execution if the miner is run from a disallowed path like /dev/shm.
      ◦ BR-85: Ephemeral Filesystem Behavior Analysis - Detects execution from memory-backed filesystems.
      ◦ BR-43: System Logging - Logs the execution of the cryptominer process.
      ◦ BR-87: Process Socket Deny - Can prevent the cryptominer from communicating with its mining pool if the process is not allowed network access.
      ◦ BR-90: Process Exec Deny - Could block the miner if its name/path matches a deny rule.
  • The use of GPU mining flags and cloud-specific usernames indicates a shift in targeting towards more powerful servers, including those in cloud-native environments, rather than solely traditional low-power IoT devices. (Cited from: "supports our claim that this variant differs from previous ones. It is aimed at targeting cloud-native environments with strong CPU and GPU capabilities")
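An added example (not from the article and not BlueRock's code) of the network-side detection that the F2 steps call for. Constructed per-process connection events are checked for two things: a process whose executable lives on a memory-backed path making any outbound connection (the C2 contact and the fetch of the credential list), and a process fanning out to many distinct hosts on SSH/Telnet ports within a short window, which is the signature of the scanning phase. The event layout, thresholds and window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

SCAN_PORTS = {22, 23}                     # SSH and Telnet, the services the bot scans for
MEMORY_BACKED_PREFIXES = ("/dev/shm/", "/run/shm/")

def build_sample_connections():
    """Constructed connection events (not from the article): a process running from
    /dev/shm makes one fetch on port 80 and then fans out to 25 hosts on port 22
    within 25 seconds, while an interactive ssh client talks to two hosts.
    Each event is (timestamp, pid, exe, dst_ip, dst_port)."""
    base = datetime(2024, 1, 14, 10, 1, 0)
    events = [(base, 4101, "/dev/shm/ld-musl-x86", "203.0.113.10", 80)]
    for i in range(1, 26):
        events.append((base + timedelta(seconds=i), 4101, "/dev/shm/ld-musl-x86",
                       f"198.51.100.{i}", 22))
    events.append((base + timedelta(seconds=5), 900, "/usr/bin/ssh", "10.0.0.5", 22))
    events.append((base + timedelta(seconds=30), 900, "/usr/bin/ssh", "10.0.0.6", 22))
    return sorted(events)

def detect_outbound_anomalies(events, fanout_threshold=20, window=timedelta(seconds=60)):
    """Return {"memfs_network": {pid: exe}, "fanout": {pid: details}}.
    memfs_network: any outbound connection by a process whose executable is on a
    memory-backed filesystem. fanout: a process that reaches >= fanout_threshold
    distinct hosts on SCAN_PORTS inside `window`. Events must be in time order."""
    memfs_network = {}
    recent = defaultdict(list)            # pid -> [(ts, dst_ip)] on scan ports
    fanout = {}
    for ts, pid, exe, dst, port in events:
        if exe.startswith(MEMORY_BACKED_PREFIXES) and pid not in memfs_network:
            memfs_network[pid] = exe
        if port not in SCAN_PORTS:
            continue
        hist = [(t, d) for t, d in recent[pid] if ts - t <= window]   # slide the window
        hist.append((ts, dst))
        recent[pid] = hist
        distinct = {d for _, d in hist}
        if len(distinct) >= fanout_threshold and pid not in fanout:
            fanout[pid] = {"exe": exe, "distinct_targets": len(distinct),
                           "window_start": hist[0][0].isoformat()}
    return {"memfs_network": memfs_network, "fanout": fanout}

if __name__ == "__main__":
    print(detect_outbound_anomalies(build_sample_connections()))
```

The fan-out rule fires on the twentieth distinct host, well before the scan has covered much address space, and the memory-filesystem rule fires on the very first connection, so together they cover both the download of the credential list and the scanning that follows it; a legitimate ssh client reaching a handful of hosts stays below the threshold.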
