Machines with weak SSH passwords have been brute-forced by a novel variant of the Gafgyt botnet, also known as Torlus, BASHLITE, and Lizkebab, in order to mine cryptocurrency with the XMRig malware using the compromised devices' GPU computational capabilities, according to The Hacker News.
Once access was gained, the payloads delivered after the brute-force attacks deployed XMRig under the process name "systemd-net", terminated other malware already on the host, and ran the ld-musl-x86 SSH scanner to spread the malware further, an analysis from Aqua Security showed. The report added that the cryptocurrency miner was launched with the --cuda and --opencl flags, a further indication that the attackers were targeting the devices' GPU capabilities. "...[C]ombined with the fact that the threat actor's primary impact is cryptomining rather than DDoS attacks supports our claim that this variant differs from previous ones. It is aimed at targeting cloud-native environments with strong CPU and GPU capabilities," said Aqua Security researcher Assaf Morag.
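As an added defender-side example (not code from the article or from Aqua Security), the following script turns the reported indicators into two checks: it flags processes that carry the reported names or launch with XMRig's --cuda/--opencl GPU flags, and it finds SSH sources whose repeated password failures were followed by a successful password login. The process listing, log lines, IP addresses and pool hostnames are all constructed sample data.

```python
import re
from collections import Counter

# Constructed sample process listing in `ps -eo pid,comm,args` layout (not real telemetry).
SAMPLE_PS = """\
  PID COMMAND         ARGS
  412 sshd            /usr/sbin/sshd -D
 1337 systemd-net     /tmp/systemd-net -o pool.example:3333 --cuda --opencl --donate-level 1
 1402 ld-musl-x86     ./ld-musl-x86 22
 2001 xmrig           ./xmrig --cuda -o pool.example:443
 2100 bash            -bash
"""

# Constructed sshd auth-log lines showing a password brute-force from one source.
SAMPLE_AUTH = """\
Aug 14 10:01:02 host sshd[900]: Failed password for root from 203.0.113.7 port 51000 ssh2
Aug 14 10:01:03 host sshd[901]: Failed password for root from 203.0.113.7 port 51001 ssh2
Aug 14 10:01:04 host sshd[902]: Failed password for admin from 203.0.113.7 port 51002 ssh2
Aug 14 10:01:05 host sshd[903]: Accepted password for root from 203.0.113.7 port 51003 ssh2
Aug 14 10:02:00 host sshd[910]: Failed password for alice from 198.51.100.5 port 40000 ssh2
"""

# XMRig GPU-backend flags reported for this variant, and the process names the report mentions.
MINER_FLAGS = {"--cuda", "--opencl"}
REPORTED_NAMES = {"systemd-net", "ld-musl-x86"}

def suspicious_processes(ps_text: str) -> list[dict]:
    """Return processes whose name matches a reported indicator or whose args use GPU miner flags."""
    hits = []
    for line in ps_text.splitlines()[1:]:          # skip the ps header row
        pid, comm, *args = line.split()
        flags = MINER_FLAGS & set(args)
        reasons = []
        if comm in REPORTED_NAMES:
            reasons.append(f"name {comm!r} matches reported indicator")
        if flags:
            reasons.append("GPU miner flags " + " ".join(sorted(flags)))
        if reasons:
            hits.append({"pid": int(pid), "comm": comm, "reasons": reasons})
    return hits

FAILED = re.compile(r"Failed password for \S+ from (\S+) port")
ACCEPTED = re.compile(r"Accepted password for \S+ from (\S+) port")

def brute_force_sources(auth_text: str, threshold: int = 3) -> dict[str, bool]:
    """Map each source with >= threshold password failures to whether a password login later succeeded."""
    lines = auth_text.splitlines()
    failures = Counter(m.group(1) for m in map(FAILED.search, lines) if m)
    accepted = {m.group(1) for m in map(ACCEPTED.search, lines) if m}
    return {ip: ip in accepted for ip, n in failures.items() if n >= threshold}
```

A source that appears with the value True is the case that matters most here: a brute force that ended in a successful login, which should be correlated with any new miner process on the same host.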