Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now

Gafgyt

119
Global rank
82 infographic chevron month
Month rank
61 infographic chevron week
Week rank
0
IOCs

Gafgyt, also known as BASHLITE, is a botnet affecting Internet of Things (IoT) devices and Linux-based systems. The malware aims to compromise and gain control of these devices, often by exploiting weak or default passwords, as well as known vulnerabilities. Gafgyt has been around since 2014 and has evolved into multiple variants, each with its own set of features and capabilities, including the ability to launch distributed denial of service (DDoS) attacks.

Botnet
Type
Unknown
Origin
1 September, 2014
First seen
10 December, 2024
Last seen
Also known as
BASHLITE
LizardStresser
Torlus

How to analyze Gafgyt with ANY.RUN

Type
Unknown
Origin
1 September, 2014
First seen
10 December, 2024
Last seen

IOCs

Last Seen at

Recent blog posts

post image
Access and Use ANY.RUN’s TI Feeds via MISP
watchers 263
comments 0
post image
Analysis of Nova: A Snake Keylogger Fork
watchers 1376
comments 0
post image
Manufacturing Companies Targeted with New Lum...
watchers 1819
comments 0

What is Gafgyt malware?

Gafgyt, also known as BASHLITE, LizardStresser, and Torlus, is a malware family that targets Linux-based IoT devices such as routers and IP cameras. It is known for its botnet capabilities, which allow it to conduct DDoS attacks and perform other malicious activities.

Gafgyt has been active since at least 2014, when it was initially named Bashdoor. Over the years, it has been responsible for multiple high-profile DDoS attacks. For instance, in 2019, the botnet was used to disrupt the operations of Valve Source Engine and games like Fortnine by targeting their servers.

The prevalence of this malware can be attributed to the fact that its original code was exposed to the public in 2015. Since then, different threat actors have used it to build their own strains of the malware and employed them in numerous attacks.

Gafgyt execution process

We can study the behavior of Gafgyt on an infected system by analyzing its sample in ANY.RUN’s cloud malware sandbox.

We are going to use an .elf file sample, which is an executable format on Linux systems commonly used by attackers to distribute Gafgyt. View the analysis session by following this link.

Gafgyt analysis in ANY.RUN Gafgyt analysis in ANY.RUN

After launching the analysis, the service instantly detects Gafgyt and starts to record all of its malicious activities.

When looking at the Connections tab, we can see how the infected machine joins a botnet and participates in a DDoS attack. Specifically, the sandbox shows how the machine begins making thousands of connections.

Gafgyt analysis in ANY.RUN ANY.RUN also provides the Suricata rule which was used to detect Gafgyt

When exploring the Threats tab, we can observe the Suirata rules which were triggered during the analysis process. We can click on each one to access more details.

Get started today for free

Analyze malware and phishing in a fully-interactive sandbox

Create free account

Gafgyt malware technical details

Gafgyt is written in C programming language. It uses a modular structure, which allows it to dynamically load and execute plugins. Interestingly, some of the versions of Gafgyt utilize code originally found in the Mirai malware, including TCP and HTTP flooding modules.

The primary way used by Gafgyt to hijack IoT devices is through brute forcing. The malware has a hard-coded list of default Telnet and SSH credentials which it employs in its attempts to penetrate devices.

Another method of infecting devices utilized by Gafgyt is through vulnerabilities. For instance, CVE-2017-18368 is one of the flaws exploited by the malware to target Zyxel routers. It is possible because of a lack of proper input validation in the Remote System Log forwarding function.

CVE-2023-1389 is another vulnerability abused by the most recent variants of Gafgyt. It is present on TP-Link Archer devices and once again involves the execution of an unauthorized malicious command that can be added to the country form in the web management interface.

After infecting the device, Gafgyt usually downloads a script from a pre-configured address and launches it. After collecting the device’s IP address and system information, it connects to its command-and-control server (C2).

Next, the C2 may send instructions to the malware which usually include engaging in different types of flooding attacks on specified targets.

The malware uses a combination of symmetric and asymmetric encryption for its communication.The malware's C2 servers are typically hosted on compromised devices.

Some versions of Gafgyt also have a persistence mechanism that allows it to survive device reboots.

Gafgyt malware distribution methods

Unlike botnet malware such as Socks5Systemz that spreads via loaders, Gafgyt is usually distributed through exploitation of security flaws in IoT devices. This can include devices with open Telnet or SSH ports, devices with default or weak credentials, and devices that have not been patched for known vulnerabilities.

It also has a self-propagation mechanism, which allows it to spread to other devices without any user interaction. This is typically done by scanning the internet for devices with open ports and attempting to gain access using default credentials.

The malware can also be distributed through malicious downloads. This can occur when a user downloads and executes a file from an untrusted source, such as a malicious website or email attachment.

How to analyze BASHLITE malware

Despite being decade-old, Gafgyt continues to be a considerable threat. It is particularly serious for organizations with Linux-based infrastructure. Protecting against a Gafgyt infection requires a combination of security measures, including strong unique passwords and timely patching.

To understand how Gafgyt and other malware operate, as well as to collect indicators of compromise, use ANY.RUN’s interactive sandbox.

The service is invaluable for malware analysts and SOC professionals, as it:

  • Detects threats in files and links in under 40 seconds.
  • Lets you interact with the samples and the system just like with a standard computer.
  • Offers customizable Windows and Linux virtual machines.
  • Generates comprehensive threat reports.
  • Exposes all malicious network, registry, & files activity and processes.

With ANY.RUN, you can strengthen your security posture.

Create your ANY.RUN account – it’s free!

HAVE A LOOK AT

Virlock screenshot
Virlock
virlock
Virlock is a unique ransomware strain that combines encryption capabilities with file infection techniques. First observed in 2014, it stands out due to its polymorphic nature and ability to embed its code into compromised files, ensuring continued propagation. Once it infects a system, it encrypts files and locks the screen, demanding a ransom for file recovery and system access.
Read More
DeerStealer screenshot
DeerStealer
deerstealer
DeerStealer is an information-stealing malware discovered in 2024 by ANY.RUN, primarily targeting sensitive data such as login credentials, browser history, and cryptocurrency wallet details. It is often distributed through phishing campaigns and fake Google ads that mimic legitimate platforms like Google Authenticator. Once installed, it exfiltrates the stolen data to a remote command and control (C2) server. DeerStealer’s ability to disguise itself as legitimate downloads makes it particularly dangerous for unsuspecting users.
Read More
Lumma screenshot
Lumma
lumma
Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat.
Read More
Bumblebee Loader screenshot
Bumblebee Loader
bumblebee
Bumblebee is a highly adaptable malware loader, often used by threat actors linked to the Conti and TrickBot cybercrime groups. Since its discovery in 2021, Bumblebee has been leveraged in phishing campaigns and email thread hijacking, primarily to distribute payloads like Cobalt Strike and ransomware. The malware employs obfuscation techniques, such as DLL injection and virtual environment detection, to avoid detection and sandbox analysis. Its command-and-control infrastructure and anti-analysis features allow it to persist on infected devices, where it enables further payload downloads and system compromise.
Read More
Razr screenshot
Razr
razr
Razr is a destructive ransomware that infiltrates systems to encrypt files, rendering them inaccessible to users. It appends the ".razr" extension to the encrypted files and drops a ransom note, typically named "README.txt," instructing victims on how to pay the ransom to obtain the decryption key. The malware often spreads through phishing emails with malicious attachments or by exploiting vulnerabilities in software and operating systems. Razr employs strong encryption algorithms, making it challenging to decrypt files without the attackers' key.
Read More
WannaCry screenshot
WannaCry
wannacry ransomware
WannaCry is a famous Ransomware that utilizes the EternalBlue exploit. This malware is known for infecting at least 200,000 computers worldwide and it continues to be an active and dangerous threat.
Read More