Mirai Botnet Exploiting Routers 0-Day Vulnerabilities to Launch DDoS Attack

Researchers have uncovered a sophisticated botnet, dubbed “Gayfemboy,” which has been exploiting 0-day vulnerabilities in industrial routers.

First identified in February 2024 by cybersecurity experts at XLab, this botnet has demonstrated exceptional resilience and advanced capabilities, distinguishing itself from the typically short-lived botnets derived from Mirai’s source code.

In a detailed report, XLab describes Gayfemboy as a heavily modified and highly effective botnet that has evolved far beyond its Mirai roots. Its key characteristics include:

  1. Improved stealth mechanisms: The botnet hides its malicious processes by mounting writable directories and bypassing system defenses.
  2. Encrypted functions and commands: Surprisingly, plaintext strings remain present in some areas, which is atypical for a botnet of this scale.
  3. Enhanced commands: New commands allow for advanced functionalities, such as self-updating, targeted DDoS attacks, and scanning for vulnerable devices.

Its advanced exploitation of vulnerabilities, including the use of previously unknown (0-day) exploits, has made it one of the most significant threats in recent years.

In early 2024, XLab detected a nascent botnet based on a repackaged Mirai variant. By mid-year, its developers began using UPX polymorphic packing and unique code modifications to evade detection.

In November, the botnet, dubbed “Gayfemboy,” integrated a 0-day vulnerability (CVE-2024-12856) in Four-Faith industrial routers, vastly expanding its reach to industrial and smart home devices.

XLab researchers registered several C2 domains to track its activity, prompting retaliatory DDoS attacks. By December, VulnCheck publicly disclosed the router vulnerability, shedding light on the botnet’s growing threat.

Gayfemboy has grown into a large-scale botnet with over 15,000 active infected nodes operating daily.

The infected devices span a wide array of regions, including China, the United States, Iran, Russia, and Turkey.

Its infection ecosystem is diverse, targeting routers, DVRs, and smart home devices through both known and unknown vulnerabilities.

Gayfemboy Botnet Exploration Technique

The botnet’s infection strategy includes leveraging more than 20 vulnerabilities and weak Telnet credentials.

The botnet exploits multiple vulnerabilities to propagate, including the Four-Faith industrial router 0-day (CVE-2024-12856), alongside known exploits like CVE-2014-8361, CVE-2017-17215, and CVE-2020-9054.

Additionally, undisclosed vulnerabilities in Neterbit routers and Vimar smart home devices have been weaponized to expand its reach.

Infected devices are organized by type for streamlined attacker management.

For example, Four-Faith routers are exploited via the “faith2” 0-day vulnerability, ASUS routers through N-day vulnerabilities, and Kguard and Vimar devices via unidentified methods.

Infected Devices

When devices connect to Gayfemboy’s command-and-control (C2) servers, they transmit grouping information, including operating system type, infection method, and device details. This information allows attackers to efficiently manage the botnet. Key infection statistics reveal:

Group      Bot IP Count   Method of Infection       Affected Device
adtran     2,707          Unknown                   Unknown
asus       2,080          N-day vulnerabilities     ASUS Routers
bdvr7      1,461          N-day vulnerabilities     Kguard DVR
peeplink   1,422          Unknown                   Neterbit, LTE, CPE, NR5G Routers
faith2     590            0-day (CVE-2024-12856)    Four-Faith Industrial Routers
vimar7     442            Unknown                   Vimar Smart Home Devices

DDoS Analysis: Attack Patterns and Capabilities

Since February 2024, the botnet has launched intermittent attacks with peak activity in October and November.

The attack targets span a wide range of industries, demonstrating the botnet’s global threat.

Researchers registered several Gayfemboy C2 domains to monitor its activity. In response, the botnet launched repeated DDoS attacks against these domains.

The cloud provider hosting the researchers’ VPS responded by blackholing traffic for over 24 hours after detecting the attacks. Due to the lack of DDoS protection, the researchers ceased domain resolution activities.

The botnet has launched numerous attacks globally, targeting industries and organizations in regions such as China, the United States, Germany, and Singapore.

The frequency of attacks peaked in late 2024, with October and November seeing an especially high volume of activity.

The botnet’s DDoS capabilities are noteworthy. Observers have monitored attacks generating traffic up to 100 GB in volume.

These attacks typically last 10–30 seconds but are potent enough to disrupt services and force blackhole routing of targeted servers.

When a sample of Gayfemboy runs, it outputs the text “we gone now\n,” a signature feature that has persisted since its discovery.

Defense Recommendations

Given Gayfemboy’s capabilities, organizations must adopt robust cybersecurity measures against botnet threats. Recommendations include:

  • Patch management: Ensure all devices, particularly industrial and smart home routers, apply the latest firmware updates to mitigate known vulnerabilities.
  • Network segmentation: Isolate critical systems from vulnerable devices that could be exploited by botnets.
  • DDoS protection: Employ anti-DDoS solutions capable of mitigating high-volume traffic attacks.
  • Regular threat assessment: Conduct audits to detect unusual activity in network traffic caused by infected devices.
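One concrete form of the "regular threat assessment" above is to watch device logs for the credential-guessing bursts that Telnet-based propagation leaves behind. The script below is an added example written for this article, not code from XLab or from the botnet analysis; the log format, the `telnetd` line shape and the sample lines are constructed for illustration, and the 5-failures-in-60-seconds threshold is an assumed starting point that a defender would tune.

```python
"""Flag Telnet login-failure bursts in router authentication logs.

Added example (not from the XLab report or the article). The botnet spreads
partly via weak Telnet credentials, so a defender can look for the rapid
run of failed logins that credential guessing produces on a device.
The log format and sample lines are constructed for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed format: "<ISO timestamp> telnetd: login <failed|ok> for <user> from <ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) telnetd: login (?P<result>failed|ok) for (?P<user>\S+) from (?P<ip>[\d.]+)$"
)

# Constructed sample: one source guessing several accounts within seconds and then
# succeeding, one isolated failure, and one normal administrative login.
SAMPLE_LOG = """\
2024-11-05T10:00:01 telnetd: login failed for root from 203.0.113.7
2024-11-05T10:00:02 telnetd: login failed for admin from 203.0.113.7
2024-11-05T10:00:02 telnetd: login failed for root from 203.0.113.7
2024-11-05T10:00:03 telnetd: login failed for support from 203.0.113.7
2024-11-05T10:00:04 telnetd: login failed for user from 203.0.113.7
2024-11-05T10:00:05 telnetd: login ok for admin from 203.0.113.7
2024-11-05T10:07:30 telnetd: login failed for admin from 198.51.100.4
2024-11-05T10:30:00 telnetd: login ok for admin from 192.0.2.10
"""


def parse(log_text):
    """Yield (timestamp, source_ip, username, result) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["ip"], m["user"], m["result"]


def find_bursts(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {source_ip: details} for sources that reached `threshold` failed
    logins inside a sliding `window`. `details` records how many failures were in
    the window, which usernames were tried, and whether a successful login from the
    same source followed the burst (the case that needs immediate attention)."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    tried = defaultdict(set)      # ip -> usernames attempted
    flagged = {}
    for ts, ip, user, result in parse(log_text):
        if result == "failed":
            q = recent[ip]
            q.append(ts)
            tried[ip].add(user)
            while q and ts - q[0] > window:   # drop failures older than the window
                q.popleft()
            if len(q) >= threshold and ip not in flagged:
                flagged[ip] = {
                    "failures": len(q),
                    "users": sorted(tried[ip]),
                    "success_after": False,
                }
        elif ip in flagged:
            flagged[ip]["success_after"] = True
    return flagged


if __name__ == "__main__":
    for ip, info in find_bursts(SAMPLE_LOG).items():
        status = "COMPROMISE LIKELY" if info["success_after"] else "guessing only"
        print(f"{ip}: {info['failures']} failures, users {info['users']} -> {status}")
```

The sliding window matters more than the raw count: a handful of failures spread over a day is ordinary operator error, while five in a few seconds against several default account names is the pattern a scanner produces. Pairing the alert with the subsequent successful login from the same source turns a noisy brute-force signal into a prioritised incident.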

The Gayfemboy botnet underscores the evolving threat posed by modern botnet operators. From its humble beginnings as a Mirai offshoot to its current role as a sophisticated, large-scale botnet, Gayfemboy is a vivid example of how attackers continuously innovate to exploit new vulnerabilities and evade detection.


The post Mirai Botnet Exploiting Routers 0-Day Vulnerabilities to Launch DDoS Attack appeared first on Cyber Security News.

08 January 2025