Researchers have uncovered a new variant of Gafgyt malware (aka BASHLITE) that infects home and small-office routers and networking equipment in order to recruit them into a botnet that bombards gaming servers with distributed denial of service attacks. One of its attacks involves a payload is specifically designed to attack servers running Valve Corporation’s Source video game engine.
Discovered last month by the Palo Alto Networks Unit 42 threat intelligence team, the new variant appears to be a modification of a previous variant called JenX. Like JenX, it can infect the Huawei HG532 model router and Realtek RTL81XX network drivers, but it also has the newly added capability of compromising the Zyxel P660HN-T1A.
The new Gafgyt variant finds these vulnerable Linux-based devices using online scanners and then recruits the equipment into their botnet by leveraging remote code execution exploits that pull binary code from a malicious server using the computer program wget. This binary forms a connection between the device and the C2 server, so the device can send IP address and architecture information about itself and the server can reply with a command to join the botnet and commence DDoS attacks.
The vulnerability used in the newly added Zyxel exploit is CVE-2017-18368, a command injection vulnerability in the router’s Remote System Log forwarding function.
The new Gafgyt variant is programmed with five attacks options, including the Valve Source Engine attack. The engine runs games including ‘Half-Life’ and ‘Team Fortress 2,’ states a Unit 42 blog post published today. “Note that this is not an attack on the Valve corporation itself because anyone can run a server for these games on their own network. It is an attack on the servers,” reports blog author and security researcher Asher Dahlia.
The special payload used in this attack creates a Distributed reflection Denial of Service (DrDoS). “The Source Engine Query is part of routine communications between clients and game servers using Valve software protocols,” according to the blog post. “Requests to victim host machines are redirected, or reflected, from the victim hosts to the target. As a consequence, they also elicit an amplified amount of attack traffic, causing a DoS on the target host.”
Others attack options include an HTTP flooding attack that calls the SendHTTP() function to launch the DDoS assault, and an “HTTPHex” attack that works similar to an HTTP flooding attack, only “it uses a garbage hexadecimal array to consume more resources on the server in an effort to exhaust all its resources,” explains Dahlia. A third option is an attack against Cloudfare-secured services.
The malware is also capable of killing competing malware by searching for certain keywords and binary names that are typically associated with other IoT botnets, including Mirai, Satori, JenX, Hakai and Miori.
Unit 42 discovered that the attackers behind the malware are selling their botnet services on Instagram, offering customers the opportunity to request set of IP addresses to cack for anywhere from $8 to $150. They also reportedly offered to sell the Gafgyt variant’s source code. Unit 42 said it reported the activity to Instagram.