Hackers have set up a botnet based on exploitation of a zero day in Four-Faith industrial routers.
Threat actors used a zero-day to take over routers made by the industrial network specialist to create a botnet known as “gayfemboy.”
EDITOR'S NOTE: SCworld supports the LGBTQ+ community and the name of this botnet is only used for educational purposes.
Researchers with Qianxin XLab uncovered the botnet targeting industrial systems via various authentication vulnerabilities and telnet credentials, some of which the attackers discovered themselves.
“Countless script kiddies, dreaming of getting rich, rush into the DDoS black-market industry armed with Mirai source code, imagining they can make a fortune with botnets,” XLab explained.
“Reality, however, is harsh — these individuals arrive full of ambition but leave in dismay, leaving behind a series of Mirai variants that survive no more than 3–4 days.”
What set this threat actor apart, however, was its ambition. Rather than just rely on automated tools and pre-written exploits and botnet code, the team in question went out on its own to find vulnerabilities in the routers to exploit.
The result was a botnet that, while based on code from the Mirai malware, operates with a unique behavior and is difficult to detect and counteract upon first contact. The devices can be ordered to flood the target with traffic requests and create DDoS conditions.
“We registered several C2 domains to observe infected devices and measure the botnet’s scale,” said XLab.
“Our findings revealed that Gayfemboy operates with over 40 grouping categories and has more than 15,000 daily active nodes.”
The botnet will be particularly hard to get rid of as the infected routers tend to be industrial hardware that is handled on a “set and forget” basis. Operators will often install the routers and, barring an outage, leave them alone without maintaining firmware updates and security patches.
This makes such devices easy prey for attackers and can result in the creation of botnets from devices that were not thought to be vulnerable. While not sophisticated, the malware code can be effective in executing a few basic commands to flood a target with requests.
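The flooding behaviour described above leaves a signature on the target side: one destination hit in a short window by an unusually large number of distinct sources, none of which need to be individually noisy. The following is an added example, not code from the article or from XLab, of a defender-side check that runs over a constructed, plain-text flow log (the `timestamp src -> dst req=N` format and the sample addresses are assumptions made for this example) and flags destination/minute pairs that cross both a volume and a distinct-source threshold; the second condition is what distinguishes a distributed flood from a single misbehaving client.

```python
from collections import defaultdict
from datetime import datetime, timezone


# Constructed sample flow records (not real telemetry) in an assumed text form:
# "<ISO timestamp> <src_ip> -> <dst_ip> req=<count>"
def _constructed_flows():
    lines = []
    # 30 distinct "bot" sources (TEST-NET-3 range) hitting one target in the same minute
    for i in range(30):
        lines.append(f"2025-01-06T10:00:{i:02d}Z 203.0.113.{i + 1} -> 198.51.100.10 req=10")
    # a few legitimate sources talking to a second host
    lines.append("2025-01-06T10:00:05Z 192.0.2.7 -> 198.51.100.20 req=3")
    lines.append("2025-01-06T10:00:09Z 192.0.2.8 -> 198.51.100.20 req=5")
    lines.append("2025-01-06T10:00:40Z 192.0.2.9 -> 198.51.100.20 req=2")
    # a handful of the same bots in the next minute: too few sources to be flagged
    for i in range(5):
        lines.append(f"2025-01-06T10:01:{i:02d}Z 203.0.113.{i + 1} -> 198.51.100.10 req=1")
    return lines


SAMPLE_FLOWS = _constructed_flows()


def parse_flow(line):
    """Parse one flow line into (minute_bucket, src, dst, requests).

    Returns None for malformed lines so one bad record does not abort the scan.
    """
    try:
        ts, src, arrow, dst, req = line.split()
        if arrow != "->" or not req.startswith("req="):
            return None
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        return when.replace(second=0), src, dst, int(req[4:])
    except ValueError:
        return None


def find_flooded_targets(lines, min_sources=20, min_requests=100):
    """Return {(minute, dst): (distinct_sources, total_requests)} for every
    destination/minute bucket that exceeds the request volume AND is reached
    by at least `min_sources` distinct source addresses."""
    sources = defaultdict(set)
    requests = defaultdict(int)
    for line in lines:
        parsed = parse_flow(line)
        if parsed is None:
            continue
        minute, src, dst, req = parsed
        sources[(minute, dst)].add(src)
        requests[(minute, dst)] += req

    flagged = {}
    for key, srcs in sources.items():
        if len(srcs) >= min_sources and requests[key] >= min_requests:
            flagged[key] = (len(srcs), requests[key])
    return flagged


if __name__ == "__main__":
    for (minute, dst), (n_src, n_req) in sorted(find_flooded_targets(SAMPLE_FLOWS).items()):
        print(f"{minute.isoformat()} {dst}: {n_src} distinct sources, {n_req} requests")
```

On the constructed input only the 10:00 bucket for 198.51.100.10 is reported; the same bots in the following minute and the three legitimate clients of 198.51.100.20 stay below the distinct-source threshold. The thresholds are deliberately parameters, since a sensible baseline depends on the service being protected.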
“It can launch large-scale traffic attacks instantly using distributed botnets, malicious tools, or amplification techniques, depleting, disabling, or interrupting the target network's resources. As a result, DDoS has become one of the most common and destructive forms of cyberattacks,” noted XLab.
“Its attack modes are diverse, attack paths are highly concealed, and it can employ continuously evolving strategies and techniques to conduct precise strikes against various industries and systems, posing a significant threat to enterprises, government organizations, and individual users.”