Gafgyt Variant

Malware updated 5 months ago (2024-05-05T10:17:45.857Z)

Download STIX

Preview STIX

The Gafgyt variant is a malicious software that poses a significant threat to computer systems and devices. This malware can infiltrate your system through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it has the potential to steal personal information, disrupt operations, or even hold data hostage for ransom. Zyxel, a network device manufacturer, addressed a vulnerability exploited by this malware in 2017 with the release of new firmware. However, in 2019, the vendor warned that a Gafgyt variant was still exploiting the flaw. Recent observations have highlighted multiple attacks focusing on this year-old vulnerability, with botnets like Moobot, Miroi, the Golang-based agent "AGoent," and the Gafgyt Variant being used. Threat actors are taking advantage of unpatched devices to dispatch these various botnets, which can compromise the devices for Distributed Denial of Service (DDoS) attacks and further nefarious activities. A particularly concerning aspect of this situation is the Gafgyt variant's ability to exploit the TP-Link flaw by downloading and executing a script file, then retrieving Linux architecture execution files with the prefix filename "rebirth." Fortinet Labs' Threat Research team has noted multiple attacks over the past month focused on exploiting the said vulnerability, including those from botnets Moobot, Miori, the Golang-based agent "AGoent," a Gafgyt variant, and an unnamed variant of the infamous Mirai botnet. These findings underscore the ongoing risk posed by this malware and the need for users to ensure their devices are regularly updated and patched to protect against such threats.

Description last updated: 2024-05-05T10:15:05.451Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
Agoent is a possible alias for Gafgyt Variant. AGoent is a sophisticated malware, a malicious software designed to exploit and damage computer systems. This Golang-based agent bot has been observed in multiple attacks, exploiting a year-old vulnerability to launch various nefarious activities. It operates by fetching the script file "exec.sh" fr	3
Mirai Botnet is a possible alias for Gafgyt Variant. The Mirai botnet, a type of malware, is known for its ability to exploit vulnerabilities in various devices and systems. Mirai operates by infecting systems without the user's knowledge, often through suspicious downloads, emails, or websites. Once inside, it can steal personal information, disrupt	2

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Vulnerability

Botnet

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Malware

To see the evidence that has resulted in these malware associations, create a free account

Alias Description	Association Type	Votes
The Gafgyt Malware is associated with Gafgyt Variant. Gafgyt, also known as Bashlite, is a type of malware that targets Linux architecture operating systems with the primary intent to launch distributed denial of service (DDoS) attacks. This malicious software infiltrates systems often through suspicious downloads, emails, or websites, and upon entry,	Unspecified	3
The Moobot Malware is associated with Gafgyt Variant. Moobot is a type of malware, or malicious software, designed to exploit and damage computer systems. It can infiltrate these systems via suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt operations, or even hold dat	is related to	2
The Mirai Malware is associated with Gafgyt Variant. Mirai is a type of malware that specifically targets Internet of Things (IoT) devices to create a botnet, which can then be used for various malicious activities. The Mirai botnet had a significant impact in early 2022, accounting for over 7 million botnet detections globally. However, there was a 9	Unspecified	2

Associated Vulnerabilities

To see the evidence that has resulted in these vulnerability associations, create a free account

Alias Description	Association Type	Votes
The CVE-2023-1389 Vulnerability is associated with Gafgyt Variant. CVE-2023-1389 is a command injection vulnerability discovered in TP-Link Archer AX21 routers. This flaw in software design or implementation was publicly released in March of the year 2023 and has since been exploited by various malicious actors. Attack traffic through the vulnerable routers has bee	Unspecified	2

Source Document References

Information about the Gafgyt Variant Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
DARKReading	6 months ago	Various Botnets Pummel Year-Old TP-Link Flaw in IoT Attacks
Fortinet	6 months ago	Botnets Continue Exploiting CVE-2023-1389 for Wide-Scale Spread \| FortiGuard Labs
Securityaffairs	a year ago	Gafgyt botnet is targeting EoL Zyxel routers
BankInfoSecurity	6 months ago	Exploited TP-Link Vulnerability Spawns Botnet Threats