Skip to Navigation Skip to Content

Pricing
Login

Solutions
Products
Resources
Company
Partners
Blog
Start Now

March 15, 2021 • Ofir Ashman

New Gafgyt Botnet TOR Variant Targets D-Link and IoT Devices

4Min read • Botnets, tor, gafgyt

The Gafgyt IoT botnet has been around for 7 years already, boasting many different variants over time. Also known as BASHLITE, this botnet has become notorious for launching DDoS attacks, making it almost as well-known as famous botnets such as Mirai in recent years. In 2018, two Gafgyt variants were detected, targeting Apache Struts and SonicWall vulnerabilities. Over the next year, Gafgyt started targeting vulnerable internet of things devices, wreaking havoc on gaming servers all over the world.

Recently, a new variant dubbed Gafgyt_tor by researchers was discovered. Although its main purpose is still DDoS, this new version has upped its evasion tactics, and is the first variant to use the Tor network to conceal its malicious activity. Weak Telnet passwords allow the cyber attackers behind the botnet to deploy their infections. This type of password exploitation is a widely known issue on IoT devices. In addition, the hackers exploit three vulnerabilities to deploy their attacks:

A remote code execution vulnerability in D-Link devices - CVE-2019-16920
A Lifespray enterprise portal software remote code execution vulnerability (no CVE available)
A vulnerability in Citrix Application Delivery Controller - CVE-2019-19781

The new variant’s main function, establishing a Tor connection, has replated the original initConnection() function which was used to establish communication with the botnet’s C2 servers. This way, Gafgyt_tor can hide its activity when it calls home. The new botnet variants is suspected to be built by the same threat actor that has been distributing previous variants, dubbed Freak threat actor or keksec group.

ThreatSTOP customers are automatically protected from threats like Gafgyt botnet through blocking the IP addresses for the C2 servers, and/or blocking the domains being used, which may be newly registered or observed. If you are not yet a ThreatSTOP user, we recommend blocking the IOCs below.

Ready to try ThreatSTOP in your network? Want an expert-led demo to see how it works?

Get a Demo

Indicator	Type	Details
wvp3te7pkfczmnnl.onion	Domain	C2 Server
45.145.185.83	IPv4	Download
45.153.203.124	IPv4	Download
91.236.251.131	IPv4	Tor Proxy
66.42.34.110	IPv4	Tor Proxy
52.47.87.178	IPv4	Tor Proxy
5.167.53.191	IPv4	Tor Proxy
35.192.111.58	IPv4	Tor Proxy
35.189.88.51	IPv4	Tor Proxy
34.239.11.167	IPv4	Tor Proxy
3.91.139.103	IPv4	Tor Proxy
188.68.52.220	IPv4	Tor Proxy
188.166.82.232	IPv4	Tor Proxy
18.229.49.115	IPv4	Tor Proxy
18.191.18.101	IPv4	Tor Proxy
130.193.56.117	IPv4	Tor Proxy
107.20.204.32	IPv4	Tor Proxy
104.155.207.91	IPv4	Tor Proxy
103.125.218.111	IPv4	Tor Proxy
103.82.219.42	IPv4	Tor Proxy
104.224.179.229	IPv4	Tor Proxy
111.90.159.138	IPv4	Tor Proxy
116.202.107.151	IPv4	Tor Proxy
116.203.210.124	IPv4	Tor Proxy
119.28.149.37	IPv4	Tor Proxy
128.199.45.26	IPv4	Tor Proxy
134.122.4.130	IPv4	Tor Proxy
134.122.59.236	IPv4	Tor Proxy
134.209.230.13	IPv4	Tor Proxy
134.209.249.97	IPv4	Tor Proxy
135.181.137.237	IPv4	Tor Proxy
138.68.6.227	IPv4	Tor Proxy
139.162.149.58	IPv4	Tor Proxy
139.162.32.82	IPv4	Tor Proxy
139.162.42.124	IPv4	Tor Proxy
139.99.239.154	IPv4	Tor Proxy
142.47.219.133	IPv4	Tor Proxy
143.110.230.187	IPv4	Tor Proxy
145.239.83.129	IPv4	Tor Proxy
146.59.156.72	IPv4	Tor Proxy
146.59.156.76	IPv4	Tor Proxy
146.59.156.77	IPv4	Tor Proxy
146.66.180.176	IPv4	Tor Proxy
148.251.177.144	IPv4	Tor Proxy
157.230.27.96	IPv4	Tor Proxy
157.230.98.211	IPv4	Tor Proxy
157.230.98.77	IPv4	Tor Proxy
158.174.108.130	IPv4	Tor Proxy
158.247.211.132	IPv4	Tor Proxy
159.65.69.186	IPv4	Tor Proxy
159.69.203.65	IPv4	Tor Proxy
159.89.19.9	IPv4	Tor Proxy
161.35.84.202	IPv4	Tor Proxy
165.22.194.250	IPv4	Tor Proxy
165.22.94.245	IPv4	Tor Proxy
167.172.123.221	IPv4	Tor Proxy
167.172.173.3	IPv4	Tor Proxy
167.172.177.33	IPv4	Tor Proxy
167.172.178.215	IPv4	Tor Proxy
167.172.179.199	IPv4	Tor Proxy
167.172.180.219	IPv4	Tor Proxy
167.172.190.42	IPv4	Tor Proxy
167.233.6.47	IPv4	Tor Proxy
167.71.236.109	IPv4	Tor Proxy
168.119.37.152	IPv4	Tor Proxy
168.119.61.251	IPv4	Tor Proxy
172.104.240.74	IPv4	Tor Proxy
172.104.4.144	IPv4	Tor Proxy
176.37.245.132	IPv4	Tor Proxy
178.62.215.4	IPv4	Tor Proxy
185.105.237.253	IPv4	Tor Proxy
185.106.121.176	IPv4	Tor Proxy
185.106.122.10	IPv4	Tor Proxy
185.128.139.56	IPv4	Tor Proxy
185.18.215.170	IPv4	Tor Proxy
185.18.215.178	IPv4	Tor Proxy
185.180.223.198	IPv4	Tor Proxy
185.212.128.115	IPv4	Tor Proxy
185.217.1.30	IPv4	Tor Proxy
188.127.231.152	IPv4	Tor Proxy
188.165.233.121	IPv4	Tor Proxy
188.166.17.35	IPv4	Tor Proxy
188.166.34.137	IPv4	Tor Proxy
188.166.79.209	IPv4	Tor Proxy
188.166.80.74	IPv4	Tor Proxy
188.227.224.110	IPv4	Tor Proxy
192.46.209.98	IPv4	Tor Proxy
192.99.169.229	IPv4	Tor Proxy
193.123.35.48	IPv4	Tor Proxy
193.187.173.33	IPv4	Tor Proxy
195.123.222.9	IPv4	Tor Proxy
195.93.173.53	IPv4	Tor Proxy
197.156.89.19	IPv4	Tor Proxy
198.27.82.186	IPv4	Tor Proxy
198.74.54.182	IPv4	Tor Proxy
199.247.4.110	IPv4	Tor Proxy
20.52.130.140	IPv4	Tor Proxy
20.52.147.137	IPv4	Tor Proxy
20.52.37.89	IPv4	Tor Proxy
201.40.122.152	IPv4	Tor Proxy
206.81.17.232	IPv4	Tor Proxy
206.81.27.29	IPv4	Tor Proxy
212.71.253.168	IPv4	Tor Proxy
212.8.244.112	IPv4	Tor Proxy
217.12.201.190	IPv4	Tor Proxy
217.144.173.78	IPv4	Tor Proxy
217.170.127.226	IPv4	Tor Proxy
217.61.98.33	IPv4	Tor Proxy
37.200.66.166	IPv4	Tor Proxy
45.33.45.209	IPv4	Tor Proxy
45.33.79.19	IPv4	Tor Proxy
45.33.82.126	IPv4	Tor Proxy
45.79.207.110	IPv4	Tor Proxy
45.81.225.67	IPv4	Tor Proxy
45.81.226.8	IPv4	Tor Proxy
45.92.94.83	IPv4	Tor Proxy
46.101.156.38	IPv4	Tor Proxy
46.101.159.138	IPv4	Tor Proxy
47.90.1.153	IPv4	Tor Proxy
49.147.80.102	IPv4	Tor Proxy
5.100.80.141	IPv4	Tor Proxy
5.63.13.54	IPv4	Tor Proxy
50.116.61.125	IPv4	Tor Proxy
51.11.240.222	IPv4	Tor Proxy
51.116.185.181	IPv4	Tor Proxy
51.195.201.47	IPv4	Tor Proxy
51.195.201.50	IPv4	Tor Proxy
51.68.191.153	IPv4	Tor Proxy
51.75.161.21	IPv4	Tor Proxy
51.83.185.71	IPv4	Tor Proxy
51.83.186.137	IPv4	Tor Proxy
51.89.165.233	IPv4	Tor Proxy
67.205.130.65	IPv4	Tor Proxy
68.183.67.182	IPv4	Tor Proxy
68.183.82.50	IPv4	Tor Proxy
79.124.62.26	IPv4	Tor Proxy
8.210.163.246	IPv4	Tor Proxy
80.251.220.190	IPv4	Tor Proxy
87.236.215.248	IPv4	Tor Proxy
88.198.167.20	IPv4	Tor Proxy
94.23.40.220	IPv4	Tor Proxy
95.179.163.1	IPv4	Tor Proxy
95.179.164.28	IPv4	Tor Proxy
95.188.93.135	IPv4	Tor Proxy
95.216.123.39	IPv4	Tor Proxy
95.216.137.149	IPv4	Tor Proxy
95.217.27.5	IPv4	Tor Proxy

Table of contents

Next post

ThreatSTOP Managed Rules Now Available for AWS WAF

ThreatSTOP Managed Rules Now Available for AWS WAF Read Now

Related Articles

April 19, 2023

North Korean Cyber Threats: A Deeper Dive

North Korean Cyber Threats: A Deeper Dive Read Now

May 21, 2021

PROTECTIVE DNS SECURITY or PDNS: What You Need to Know

PROTECTIVE DNS SECURITY or PDNS: What You Need to Know Read Now

March 8, 2021

Mitigating The MS Exchange 0-day attacks

Mitigating The MS Exchange 0-day attacks Read Now

Subscribe to the ThreatSTOP blog

★★★★★

Implementing this system has helped to decrease the number of total attacks against our customers by about 40 percent.

Chris Drake - Founder/CTO, FireHost

Solutions
Products
Resources
Company
Blog
ToS
Privacy Policy