Researchers have discovered what they say is the first variant of the Gafgyt botnet family to cloak its activity using the Tor network.
Gafgyt, a botnet that was uncovered in 2014, has become infamous for launching large-scale distributed denial-of-service (DDoS) attacks. Researchers first discovered activity from the newest variant, which they call Gafgyt_tor, on Feb. 15.
In order to evade detection, Gafgyt_tor uses Tor to hide its command-and-control (C2) communications, and encrypts sensitive strings in the samples. The use of Tor by malware families is nothing new; however, researchers said they haven’t seen Gafgyt leveraging the anonymity network until now.
“Compared with other Gafgyt variants, the biggest change of Gafgyt_tor is that the C2 communication is based on Tor, which increases the difficulty of detection and blocking,” said researchers with NetLab 360 on Thursday. “The Tor-based C2 communication mechanism has been seen in other families we have analyzed before… but this is the first time we encountered it in the Gafgyt family.”
Gafgyt_tor Botnet: Propagation and New Functionalities
The botnet is mainly propagated through weak Telnet passwords – a common issue on internet of things devices – and through exploiting three vulnerabilities. These vulnerabilities include a remote code execution flaw (CVE-2019-16920) in D-Link devices; a remote code execution vulnerability in Liferay enterprise portal software (for which no CVE is available); and a flaw (CVE-2019-19781) in Citrix Application Delivery Controller.
Researchers said that the code structure of Gafgyt_tor’s main function shows widespread changes, chief among them the addition of the Tor proxy logic that supplies the address of the C2 server.
“The original initConnection() function, which is responsible for establishing the C2 connection, is gone, replaced by a large section of code responsible for establishing the Tor connection,” they said.
New Tor Capabilities, Commands
Within this large section of code exists tor_socket_init, a function that is responsible for initializing a list of proxy nodes, each with an IP address and a port. Researchers said that over 100 Tor proxies can be built in this way – and new samples are continually updating the proxy list.
“After initializing the proxy list, the sample will select a random node from the list to enable Tor communication via tor_retrieve_addr and tor_retrieve_port,” said researchers.
Once a connection to a proxy node is established, the bot requests the hidden service wvp3te7pkfczmnnl.onion through the Tor network; that onion address is the C2, from which the bot then awaits commands.
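The C2 path described above (bot connects to a proxy node, then asks it for a .onion destination) is also what a defender can look for on the wire. The following is an added example, not code from NetLab 360 or from the Gafgyt_tor sample: it decodes a SOCKS5 CONNECT request captured on its way to a proxy node and flags the flow when the destination is a Tor hidden service, or when the destination IP:port is on a watch-list of proxy nodes. The assumption not stated on the page is that the proxy nodes speak SOCKS5, the interface a Tor proxy normally exposes, so the onion name travels in the CONNECT request in clear text; the proxy IPs, the sample flows and port 80 are all constructed values.

```python
"""Added example (not NetLab 360's code or the Gafgyt_tor sample): decode a
SOCKS5 CONNECT request sent to a proxy node and flag it when the destination is
a Tor hidden service. Assumption not stated on the page: the proxy nodes speak
SOCKS5, so the .onion name is carried in the CONNECT request in clear text.
Proxy IPs, sample flows and port 80 below are constructed values."""
import ipaddress
import re
import struct
from typing import List, NamedTuple, Optional

# Constructed stand-in for the IP:port list tor_socket_init would populate.
KNOWN_PROXY_NODES = {("192.0.2.10", 9050), ("198.51.100.7", 9050), ("203.0.113.5", 1080)}

# v2 (16-char) and v3 (56-char) onion names use the base32 alphabet a-z2-7.
ONION_RE = re.compile(r"^(?:[a-z2-7]{16}|[a-z2-7]{56})\.onion$")

SOCKS_VER, CMD_CONNECT = 0x05, 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


class SocksConnect(NamedTuple):
    dest: str
    port: int
    atyp: int


def parse_socks5_connect(data: bytes) -> Optional[SocksConnect]:
    """Parse VER CMD RSV ATYP DST.ADDR DST.PORT (RFC 1928, section 4).
    Returns None for anything that is not a complete CONNECT request."""
    if len(data) < 4 or data[0] != SOCKS_VER or data[1] != CMD_CONNECT:
        return None
    atyp = data[3]
    if atyp == ATYP_IPV4:
        if len(data) < 10:
            return None
        dest, off = ".".join(str(b) for b in data[4:8]), 8
    elif atyp == ATYP_DOMAIN:
        n = data[4]
        if len(data) < 7 + n:  # 5 header bytes + name + 2 port bytes
            return None
        dest, off = data[5:5 + n].decode("ascii", errors="replace"), 5 + n
    elif atyp == ATYP_IPV6:
        if len(data) < 22:
            return None
        dest, off = str(ipaddress.IPv6Address(data[4:20])), 20
    else:
        return None
    (port,) = struct.unpack("!H", data[off:off + 2])
    return SocksConnect(dest, port, atyp)


def classify(dst_ip: str, dst_port: int, payload: bytes) -> List[str]:
    """Reasons a flow is suspicious; an empty list means nothing matched."""
    reasons = []
    if (dst_ip, dst_port) in KNOWN_PROXY_NODES:
        reasons.append(f"destination {dst_ip}:{dst_port} is a known proxy node")
    req = parse_socks5_connect(payload)
    if req is not None and req.atyp == ATYP_DOMAIN and ONION_RE.match(req.dest.lower()):
        reasons.append(f"SOCKS5 CONNECT to hidden service {req.dest}:{req.port}")
    return reasons


def socks5_connect_domain(name: str, port: int) -> bytes:
    """Build a SOCKS5 CONNECT request with a domain-name destination."""
    raw = name.encode("ascii")
    return bytes([SOCKS_VER, CMD_CONNECT, 0x00, ATYP_DOMAIN, len(raw)]) + raw + struct.pack("!H", port)


# Constructed captures: (dst_ip, dst_port, first bytes the client sent after the
# SOCKS5 method negotiation). Port 80 is a sample value, not from the page.
SAMPLE_FLOWS = [
    ("192.0.2.10", 9050, socks5_connect_domain("wvp3te7pkfczmnnl.onion", 80)),
    ("203.0.113.99", 1080, socks5_connect_domain("example.com", 443)),
    ("198.51.100.200", 80, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
]


def scan(flows=SAMPLE_FLOWS) -> List[tuple]:
    """Return (dst_ip, dst_port, reasons) for every flow that matched."""
    hits = []
    for dst_ip, dst_port, payload in flows:
        reasons = classify(dst_ip, dst_port, payload)
        if reasons:
            hits.append((dst_ip, dst_port, reasons))
    return hits


if __name__ == "__main__":
    for dst_ip, dst_port, reasons in scan():
        print(f"{dst_ip}:{dst_port} -> " + "; ".join(reasons))
```

Of the three constructed flows only the first is flagged, on both counts: its destination is on the proxy watch-list and its CONNECT names a .onion. The proxy-list match is the weaker signal, since the article notes the list changes with every new sample; the .onion match holds regardless of which node the bot picked, which is why the parser checks the request body rather than the endpoint alone.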
“The core function of Gafgyt_tor is still DDoS attacks and scanning, so it mostly follows the common Gafgyt directive,” said researchers. They noted that a new directive called LDSERVER has been added to the botnet, which allows the C2 to quickly specify the servers from which payloads are downloaded. This lets attackers switch download servers quickly should an attacker-owned one be identified and blocked, said researchers.
“This directive means that C2 can dynamically switch download servers, so that it can quickly switch to a new download server to continue propagation if the current one is blocked,” said researchers.
Links to Freak Threat Actor, Other Botnets
Researchers said that the variant shares the same origin as the Gafgyt samples distributed by a threat group that NetLab 360 researchers call the keksec group, and that other researchers call the Freak threat actor. They said that the keksec group reuses code and IP addresses across various other bot families, including the Tsunami botnet as well as the Necro botnet family uncovered in January.
“We think that Gafgyt_tor and Necro are very likely operated by the same group of people, who have a pool of IP addresses and multiple botnet source codes, and have the ability of continuous development,” said researchers. “In actual operation, they form different families of botnets, but reuse infrastructure such as IP address.”
Other Gafgyt Botnet Variants
Gafgyt_tor is only the latest variant of the popular botnet to come to light. In 2019, researchers warned of a new Gafgyt variant adding vulnerable IoT devices to its botnet arsenal and using them to cripple gaming servers worldwide.
In 2018, researchers said they discovered new variants for the Mirai and Gafgyt IoT botnets targeting well-known vulnerabilities in Apache Struts and SonicWall; as well as a separate attack actively launching two IoT/Linux botnet campaigns, exploiting the CVE-2018-10562 and CVE-2018-10561 bugs in Dasan routers.
More recently, last year a botnet called Hoaxcalls emerged as a variant of the Gafgyt family. The botnet, which can be marshalled for large-scale DDoS campaigns, spread via an unpatched vulnerability impacting the ZyXEL Cloud CNM SecuManager.