Mirai-based botnet campaign "Gayfemboy" also active in Germany

IT researchers from Fortinet are monitoring an IoT botnet based on "Mirai" and called "Gayfemboy". It hides well.


A disguised malware strain from the "Mirai" botnet family has caught the attention of IT researchers at Fortinet. They call the botnet "Gayfemboy". It attacks vulnerabilities in products from Cisco, DrayTek, Raisecom and TP-Link, and the malware has some interesting features.

According to Fortinet's analysis, the researchers came across a malware sample in July that can exploit several vulnerabilities. The "Gayfemboy" campaign is active in several countries: Brazil, Germany, France, Israel, Mexico, Switzerland, the USA and Vietnam. The industries targeted include manufacturing, technology, construction, media and communications. From the addresses the sample contacted, the researchers were able to download malicious downloader scripts, the Gayfemboy malware and XMRig coin miners. The downloader scripts contain manufacturer and product names such as "asus", "vivo", "zyxel" or "realtek", which the scripts then use as parameters in their requests.

The analyzed sample was packed with the UPX packer, but its "UPX!" header was replaced by the non-printable bytes "10 F0 00 00" (hexadecimal) to hinder easy detection. After execution, the malware reads the path of each running process from "/proc/[PID]/exe" to learn which processes are running and where their binaries reside in the file system. In these paths it searches for keywords associated with other malware and terminates the matching processes to remove competing infections.

Gayfemboy has four main functions: Monitor, Watchdog, Attacker and Killer. Monitor watches threads and processes. It loads 47 command strings into memory and scans every entry in "/proc/[PID]/cmdline"; if there is a match, it terminates the associated process. These commands include "ls -l", "reboot", "wget" and many more. Monitor is used for self-preservation and sandbox detection. If Gayfemboy notices that its own malware process has been terminated, it restarts it. Sandbox detection relies on a delay of 50 nanoseconds: a sandbox that cannot handle such a fine-grained delay causes the called function to fail, the malware "misinterprets" the result as a sign of analysis, and it enters a 27-hour sleep.


The watchdog function binds UDP port 47272; if this fails, the malware assumes that another instance of the watchdog is already running. It then connects to that port on localhost (127.0.0.1:47272) and sends a packet containing a timestamp and its PID. If it sends this message more than nine times without receiving a response, it concludes that the malware is no longer responding or has been compromised, and terminates itself.
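A defender-side check for the watchdog behaviour described above, added here as an example and not code from the article or from Fortinet's report: it parses /proc/net/udp for sockets on port 47272 and maps a socket inode back to the owning process via /proc/[PID]/fd. The embedded /proc/net/udp sample is constructed; the port number is the one named in the article.

```python
#!/usr/bin/env python3
"""Look for a UDP socket on port 47272 (the Gayfemboy watchdog port) on a Linux host.
Hypothetical helper written for this article, not Fortinet's tooling."""
import os
import socket
import struct

WATCHDOG_PORT = 47272  # port named in Fortinet's analysis

# Constructed sample of /proc/net/udp: DHCP client (port 0x44), a socket
# connected to 127.0.0.1:47272 and an unconnected socket bound to 0.0.0.0:47272.
SAMPLE = """  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
   0: 00000000:0044 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 15211 2 0000000000000000 0
   1: 0100007F:B8A8 0100007F:B8A8 01 00000000:00000000 00:00000000 00000000     0        0 40021 2 0000000000000000 0
   2: 00000000:B8A8 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 40017 2 0000000000000000 0
"""

def _hex_ip(h):
    """/proc/net/udp stores IPv4 addresses as 8 hex digits in host byte order."""
    return socket.inet_ntoa(struct.pack("=I", int(h, 16)))

def parse_proc_net_udp(text, port=WATCHDOG_PORT):
    """Return (local_ip, remote_ip, remote_port, inode) for each socket whose local port matches."""
    hits = []
    for line in text.splitlines()[1:]:  # skip the column header
        fields = line.split()
        if len(fields) < 10:
            continue
        lip, lport = fields[1].split(":")
        rip, rport = fields[2].split(":")
        if int(lport, 16) == port:
            hits.append((_hex_ip(lip), _hex_ip(rip), int(rport, 16), int(fields[9])))
    return hits

def pids_for_inode(inode, proc="/proc"):
    """Find PIDs holding the socket open; other users' fd tables need root."""
    target, owners = f"socket:[{inode}]", []
    for pid in filter(str.isdigit, os.listdir(proc)):
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            if any(os.readlink(os.path.join(fd_dir, fd)) == target for fd in os.listdir(fd_dir)):
                owners.append(int(pid))
        except OSError:
            continue  # process exited or permission denied
    return owners

if __name__ == "__main__":
    with open("/proc/net/udp") as f:
        hits = parse_proc_net_udp(f.read())
    if not hits:
        print(f"no UDP socket on port {WATCHDOG_PORT}")
    for lip, rip, rport, inode in hits:
        print(f"UDP {lip}:{WATCHDOG_PORT} -> {rip}:{rport} inode={inode} pids={pids_for_inode(inode) or 'unknown'}")
```

A hit is only a lead: confirm by inspecting the owning process's /proc/[PID]/exe and cmdline, and keep in mind that the watchdog also probes localhost when the bind fails, so a connected socket to 127.0.0.1:47272 is just as interesting as a listening one.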

The Attacker function is the outward-facing component. It is responsible for launching DDoS (Distributed Denial of Service) attacks and enables backdoor access, offering several attack methods. Fortinet lists UDP flood, UDP bypass, TCP flood, TCP SYN flood, ICMP flood, heartbeat and the backdoor module. The trigger for activating the backdoor in Gayfemboy is the character string "meowmeow". The malware attempts to establish a connection to the command-and-control server. To resolve the configured domains, it uses public DNS servers such as 1.1.1.1, 8.8.8.8 or 8.8.4.4, bypassing local DNS filtering where necessary.

The analysis also contains numerous indicators of compromise (IOCs), which IT managers can use to check whether machines in their networks may be infected.

The Mirai botnet itself attacked Samsung MagicINFO-9 servers in May.

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.