Puzzling Gwmndy Botnet Focuses on Low-Volume Proxy Connections


After infecting Fiberhome routers, its sole purpose seems to be setting up SOCKS5 proxies.

An odd botnet has been spotted targeting Fiberhome routers, in a quest to add 200 of them per day to its botnet web.

That’s a low number in the world of botnets, according to 360 Netlab researchers, which observed a previously unknown malware strain called Gwmndy (after the attackers’ domain name) infecting the targets.

“Unlike the typical botnets which try their best to infect as many victims as they can, this one has pretty much stopped looking for new bots after its active daily bot number reaches the low 200s,” 360 Netlab researchers said in a blog post on Friday. “It seems that the author is satisfied with the number, which probably provides enough proxy service for whatever purpose he needs.”

And speaking of purpose, according to researchers, another strange aspect of the botnet is the fact that it eschews the normal botnet bag of tricks, and isn’t carrying out DDoS, cryptojacking, spamming, information-stealing or the like.

“Its only purpose is to set up the routers to be SSH tunneling proxy nodes,” the researchers explained — and there’s no indication of the purpose behind the effort.

According to the firm’s analysis, routers are infected by way of a malicious executable (in the Executable and Linkable Format, or ELF), which is likely delivered via one of many typical attack vectors.

“We didn’t see how Gwmndy malware spreads, but we know that some Fiberhome router web systems have weak passwords, and there are [remote code-execution] vulnerabilities,” the researchers said.

The ELF file, once installed on the target, periodically obtains router information, such as the local SSH port, shadow password, public IP address and MAC address; it then uploads that information to a remote web interface, “so the author can get ahold of the device even [if] the router IP changes.”

The malware also establishes a backdoor on the device and an SSH tunnel for dynamic port forwarding, and creates a SOCKS5 proxy service locally.

“The attacker runs the dropbear program on the target router and adds the startup command to the /fh/extend/userapp.sh file,” according to the analysis. “It also tampers with the shadow file to add the backdoor account, and runs vpnip and an open-source port forwarder program, rinetd.”
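The persistence mechanics quoted above (a dropbear start command added to /fh/extend/userapp.sh, a backdoor account added to the shadow file, and rinetd and vpnip running on the device) translate directly into checks a router owner or support engineer can run against a copy of those files. The following script is an added defender-side example, not code from 360 Netlab or from the article; it inspects constructed sample copies of the startup script, the shadow file and a BusyBox-style `ps` listing, and reports the indicators the analysis describes. The assumption that a vendor dropbear binary lives in the read-only rootfs, so that one running from /tmp or /var is the suspicious case, and the sample data are hypothetical.

```python
"""Checks for the Gwmndy persistence indicators quoted in the article.

Hypothetical defender-side script (not 360 Netlab's code). It works on copies of
the router's startup script, shadow file and process listing, pulled for example
over SSH or from a configuration backup, and reports what the analysis describes.
"""
import re
from typing import Dict, List, Tuple

# Programs the analysis names: dropbear (SSH backdoor), rinetd (port forwarder), vpnip.
SUSPECT_RE = re.compile(r"(^|\s)(?P<path>\S*?)(?P<prog>dropbear|rinetd|vpnip)(\s|$)")
# Assumption: the vendor's own daemons live in the read-only rootfs, so a dropbear
# binary running from a writable location is the suspicious case.
WRITABLE_DIRS = ("/tmp/", "/var/")
# Shadow password-field values that cannot be used to log in.
LOCKED_MARKERS = ("", "*", "!", "!!")


def is_suspect_command(command: str, in_startup_script: bool = False) -> bool:
    """True if the command launches rinetd or vpnip, or dropbear from a writable path.
    Inside the startup script any dropbear launch is reported, because the analysis
    says that is exactly where the attacker adds it."""
    m = SUSPECT_RE.search(command)
    if not m:
        return False
    if m.group("prog") != "dropbear" or in_startup_script:
        return True
    return m.group("path").startswith(WRITABLE_DIRS)


def find_startup_indicators(userapp_sh: str) -> List[str]:
    """Non-comment lines of a userapp.sh-style script that launch a suspect program."""
    hits = []
    for line in userapp_sh.splitlines():
        stripped = line.strip()
        if stripped and not stripped.startswith("#") and is_suspect_command(stripped, True):
            hits.append(stripped)
    return hits


def find_unexpected_accounts(shadow: str, expected: set) -> List[str]:
    """Accounts in shadow-file content with a usable password hash that are not in `expected`."""
    unexpected = []
    for line in shadow.splitlines():
        fields = line.split(":")
        if len(fields) < 2:
            continue
        name, pw_hash = fields[0], fields[1]
        locked = pw_hash in LOCKED_MARKERS or pw_hash.startswith("!")
        if not locked and name not in expected:
            unexpected.append(name)
    return unexpected


def find_suspect_processes(ps_output: str) -> List[Tuple[str, str]]:
    """(pid, command) pairs from BusyBox-style `ps` output whose command is suspect."""
    found = []
    for line in ps_output.splitlines()[1:]:  # first row is the header
        parts = line.split(None, 4)  # PID USER VSZ STAT COMMAND
        if len(parts) == 5 and is_suspect_command(parts[4]):
            found.append((parts[0], parts[4]))
    return found


def assess(userapp_sh: str, shadow: str, ps_output: str, expected_accounts: set) -> Dict[str, object]:
    """Combine the three checks into one report; `suspicious` is True if any check fires."""
    report: Dict[str, object] = {
        "startup_hits": find_startup_indicators(userapp_sh),
        "unexpected_accounts": find_unexpected_accounts(shadow, expected_accounts),
        "suspect_processes": find_suspect_processes(ps_output),
    }
    report["suspicious"] = any(report.values())
    return report


# Constructed sample data modelled on the article's description (not real captures).
INFECTED_USERAPP = """#!/bin/sh
/usr/sbin/httpd -p 80 &
/tmp/dropbear -p 2222 -r /tmp/dropbear_rsa_host_key &
/tmp/rinetd -c /tmp/rinetd.conf
"""
INFECTED_SHADOW = """root:$1$c0nstruc$tedHashValueForTheExample0:18000:0:99999:7:::
daemon:*:18000:0:99999:7:::
admin:$1$c0nstruc$tedHashValueForTheExample1:18000:0:99999:7:::
support:$1$c0nstruc$tedHashValueForTheExample2:18000:0:99999:7:::
"""
INFECTED_PS = """  PID USER       VSZ STAT COMMAND
    1 root      1234 S    init
  455 root      2345 S    /usr/sbin/httpd -p 80
  612 root      3456 S    /tmp/dropbear -p 2222 -r /tmp/dropbear_rsa_host_key
  613 root      1111 S    /tmp/rinetd -c /tmp/rinetd.conf
  620 root      2222 S    /tmp/vpnip
"""
CLEAN_USERAPP = "#!/bin/sh\n/usr/sbin/httpd -p 80 &\n"
CLEAN_SHADOW = """root:$1$c0nstruc$tedHashValueForTheExample0:18000:0:99999:7:::
daemon:*:18000:0:99999:7:::
admin:$1$c0nstruc$tedHashValueForTheExample1:18000:0:99999:7:::
"""
CLEAN_PS = """  PID USER       VSZ STAT COMMAND
    1 root      1234 S    init
  455 root      2345 S    /usr/sbin/httpd -p 80
  470 root      1800 S    /usr/sbin/dropbear -p 22
"""
EXPECTED_ACCOUNTS = {"root", "admin"}  # the accounts the owner knows the firmware ships with

if __name__ == "__main__":
    for label, files in (("infected", (INFECTED_USERAPP, INFECTED_SHADOW, INFECTED_PS)),
                         ("clean", (CLEAN_USERAPP, CLEAN_SHADOW, CLEAN_PS))):
        print(label, assess(*files, EXPECTED_ACCOUNTS))
```

The shadow check deliberately ignores locked entries (`*`, `!`, empty) and only reports accounts that can actually log in, so the set of expected accounts is the one piece of local knowledge the script needs; on a real device it should come from a known-good firmware image rather than from the possibly tampered router itself.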

Another proxy malware that uses SOCKS5 was found last week targeting users in Asia. Proofpoint researchers said on Thursday that in that case, exploit kits are being used to download one of many payloads (such as the Danabot banking trojan) and a SOCKS5 proxy called SystemBC, used on a victim’s Windows system to evade firewall detection of C2 traffic.

“Proxy malware is somewhat unusual – many types of malware set up their own proxy or use TOR for communications with their C2; others simply transmit data in the clear or encrypt data without using a proxy for transmission,” Chris Dawson, threat intelligence lead at Proofpoint, told Threatpost. “So dedicated proxy malware being downloaded alongside other malware that can use it is noteworthy in and of itself, as is its apparent use by multiple actors via EK.”

The sample obtained by 360 Netlab had a hard-coded username and password, which allowed the researchers to access the Gwmndy web statistics page. There were 431 MAC addresses and 422 IP addresses recorded, located mainly in the Philippines and Thailand – indicating a highly targeted campaign. The infected hosts were all Fiberhome routers, model number AN5506.

To protect against this and other similar botnets, home broadband users should update their router software to the latest version, and set up strong login credentials for the router.
