<img height="1" width="1" style="display:none" src="https://www.facebook.com/tr?id=439793516377641&amp;ev=PageView&amp;noscript=1">

New Gafgyt Botnet TOR Variant Targets D-Link and IoT Devices

ddos

The Gafgyt IoT botnet has been around for 7 years already, boasting many different variants over time. Also known as BASHLITE, this botnet has become notorious for launching DDoS attacks, making it almost as well-known as famous botnets such as Mirai in recent years. In 2018, two Gafgyt variants were detected, targeting Apache Struts and SonicWall vulnerabilities. Over the next year, Gafgyt started targeting vulnerable internet of things devices, wreaking havoc on gaming servers all over the world.

Recently, a new variant dubbed Gafgyt_tor by researchers was discovered. Although its main purpose is still DDoS, this new version has upped its evasion tactics, and is the first variant to use the Tor network to conceal its malicious activity. Weak Telnet passwords allow the cyber attackers behind the botnet to deploy their infections. This type of password exploitation is a widely known issue on IoT devices. In addition, the hackers exploit three vulnerabilities to deploy their attacks:

  1. A remote code execution vulnerability in D-Link devices - CVE-2019-16920
  2. A Lifespray enterprise portal software remote code execution vulnerability (no CVE available)
  3. A vulnerability in Citrix Application Delivery Controller - CVE-2019-19781

The new variant’s main function, establishing a Tor connection, has replated the original initConnection() function which was used to establish communication with the botnet’s C2 servers. This way, Gafgyt_tor can hide its activity when it calls home. The new botnet variants is suspected to be built by the same threat actor that has been distributing previous variants, dubbed Freak threat actor or keksec group.

 

These are some of the indicators of compromise we have seen for this new botnet variant:

Indicator Type Details
wvp3te7pkfczmnnl.onion Domain C2 Server
45.145.185.83 IPv4 Download
45.153.203.124 IPv4 Download
91.236.251.131 IPv4 Tor Proxy
66.42.34.110 IPv4 Tor Proxy
52.47.87.178 IPv4 Tor Proxy
5.167.53.191 IPv4 Tor Proxy
35.192.111.58 IPv4 Tor Proxy
35.189.88.51 IPv4 Tor Proxy
34.239.11.167 IPv4 Tor Proxy
3.91.139.103 IPv4 Tor Proxy
188.68.52.220 IPv4 Tor Proxy
188.166.82.232 IPv4 Tor Proxy
18.229.49.115 IPv4 Tor Proxy
18.191.18.101 IPv4 Tor Proxy
130.193.56.117 IPv4 Tor Proxy
107.20.204.32 IPv4 Tor Proxy
104.155.207.91 IPv4 Tor Proxy
103.125.218.111 IPv4 Tor Proxy
103.82.219.42 IPv4 Tor Proxy
104.224.179.229 IPv4 Tor Proxy
111.90.159.138 IPv4 Tor Proxy
116.202.107.151 IPv4 Tor Proxy
116.203.210.124 IPv4 Tor Proxy
119.28.149.37 IPv4 Tor Proxy
128.199.45.26 IPv4 Tor Proxy
134.122.4.130 IPv4 Tor Proxy
134.122.59.236 IPv4 Tor Proxy
134.209.230.13 IPv4 Tor Proxy
134.209.249.97 IPv4 Tor Proxy
135.181.137.237 IPv4 Tor Proxy
138.68.6.227 IPv4 Tor Proxy
139.162.149.58 IPv4 Tor Proxy
139.162.32.82 IPv4 Tor Proxy
139.162.42.124 IPv4 Tor Proxy
139.99.239.154 IPv4 Tor Proxy
142.47.219.133 IPv4 Tor Proxy
143.110.230.187 IPv4 Tor Proxy
145.239.83.129 IPv4 Tor Proxy
146.59.156.72 IPv4 Tor Proxy
146.59.156.76 IPv4 Tor Proxy
146.59.156.77 IPv4 Tor Proxy
146.66.180.176 IPv4 Tor Proxy
148.251.177.144 IPv4 Tor Proxy
157.230.27.96 IPv4 Tor Proxy
157.230.98.211 IPv4 Tor Proxy
157.230.98.77 IPv4 Tor Proxy
158.174.108.130 IPv4 Tor Proxy
158.247.211.132 IPv4 Tor Proxy
159.65.69.186 IPv4 Tor Proxy
159.69.203.65 IPv4 Tor Proxy
159.89.19.9 IPv4 Tor Proxy
161.35.84.202 IPv4 Tor Proxy
165.22.194.250 IPv4 Tor Proxy
165.22.94.245 IPv4 Tor Proxy
167.172.123.221 IPv4 Tor Proxy
167.172.173.3 IPv4 Tor Proxy
167.172.177.33 IPv4 Tor Proxy
167.172.178.215 IPv4 Tor Proxy
167.172.179.199 IPv4 Tor Proxy
167.172.180.219 IPv4 Tor Proxy
167.172.190.42 IPv4 Tor Proxy
167.233.6.47 IPv4 Tor Proxy
167.71.236.109 IPv4 Tor Proxy
168.119.37.152 IPv4 Tor Proxy
168.119.61.251 IPv4 Tor Proxy
172.104.240.74 IPv4 Tor Proxy
172.104.4.144 IPv4 Tor Proxy
176.37.245.132 IPv4 Tor Proxy
178.62.215.4 IPv4 Tor Proxy
185.105.237.253 IPv4 Tor Proxy
185.106.121.176 IPv4 Tor Proxy
185.106.122.10 IPv4 Tor Proxy
185.128.139.56 IPv4 Tor Proxy
185.18.215.170 IPv4 Tor Proxy
185.18.215.178 IPv4 Tor Proxy
185.180.223.198 IPv4 Tor Proxy
185.212.128.115 IPv4 Tor Proxy
185.217.1.30 IPv4 Tor Proxy
188.127.231.152 IPv4 Tor Proxy
188.165.233.121 IPv4 Tor Proxy
188.166.17.35 IPv4 Tor Proxy
188.166.34.137 IPv4 Tor Proxy
188.166.79.209 IPv4 Tor Proxy
188.166.80.74 IPv4 Tor Proxy
188.227.224.110 IPv4 Tor Proxy
192.46.209.98 IPv4 Tor Proxy
192.99.169.229 IPv4 Tor Proxy
193.123.35.48 IPv4 Tor Proxy
193.187.173.33 IPv4 Tor Proxy
195.123.222.9 IPv4 Tor Proxy
195.93.173.53 IPv4 Tor Proxy
197.156.89.19 IPv4 Tor Proxy
198.27.82.186 IPv4 Tor Proxy
198.74.54.182 IPv4 Tor Proxy
199.247.4.110 IPv4 Tor Proxy
20.52.130.140 IPv4 Tor Proxy
20.52.147.137 IPv4 Tor Proxy
20.52.37.89 IPv4 Tor Proxy
201.40.122.152 IPv4 Tor Proxy
206.81.17.232 IPv4 Tor Proxy
206.81.27.29 IPv4 Tor Proxy
212.71.253.168 IPv4 Tor Proxy
212.8.244.112 IPv4 Tor Proxy
217.12.201.190 IPv4 Tor Proxy
217.144.173.78 IPv4 Tor Proxy
217.170.127.226 IPv4 Tor Proxy
217.61.98.33 IPv4 Tor Proxy
37.200.66.166 IPv4 Tor Proxy
45.33.45.209 IPv4 Tor Proxy
45.33.79.19 IPv4 Tor Proxy
45.33.82.126 IPv4 Tor Proxy
45.79.207.110 IPv4 Tor Proxy
45.81.225.67 IPv4 Tor Proxy
45.81.226.8 IPv4 Tor Proxy
45.92.94.83 IPv4 Tor Proxy
46.101.156.38 IPv4 Tor Proxy
46.101.159.138 IPv4 Tor Proxy
47.90.1.153 IPv4 Tor Proxy
49.147.80.102 IPv4 Tor Proxy
5.100.80.141 IPv4 Tor Proxy
5.63.13.54 IPv4 Tor Proxy
50.116.61.125 IPv4 Tor Proxy
51.11.240.222 IPv4 Tor Proxy
51.116.185.181 IPv4 Tor Proxy
51.195.201.47 IPv4 Tor Proxy
51.195.201.50 IPv4 Tor Proxy
51.68.191.153 IPv4 Tor Proxy
51.75.161.21 IPv4 Tor Proxy
51.83.185.71 IPv4 Tor Proxy
51.83.186.137 IPv4 Tor Proxy
51.89.165.233 IPv4 Tor Proxy
67.205.130.65 IPv4 Tor Proxy
68.183.67.182 IPv4 Tor Proxy
68.183.82.50 IPv4 Tor Proxy
79.124.62.26 IPv4 Tor Proxy
8.210.163.246 IPv4 Tor Proxy
80.251.220.190 IPv4 Tor Proxy
87.236.215.248 IPv4 Tor Proxy
88.198.167.20 IPv4 Tor Proxy
94.23.40.220 IPv4 Tor Proxy
95.179.163.1 IPv4 Tor Proxy
95.179.164.28 IPv4 Tor Proxy
95.188.93.135 IPv4 Tor Proxy
95.216.123.39 IPv4 Tor Proxy
95.216.137.149 IPv4 Tor Proxy
95.217.27.5 IPv4 Tor Proxy

 

ThreatSTOP customers are protected from threats like Gafgyt botnet through blocking the IP addresses for the C2 servers, and/or blocking the domains being used, which may be newly registered or observed.

 

Ready to try ThreatSTOP in your network? Want an expert-led demo and info about how it protects your network from botnets, DDoS attacks and other malware? We're here to help! Let's get started today.

Try ThreatSTOP            Get a Demo

Share this:

ARCHIVES

see all

OTHER THREATSTOP OUTLETS

  1. ThreatSTOP on YouTube
  2. ThreatSTOP on Twitter