ELF/Gafgyt.A!tr
Analysis
ELF/Gafgyt.A!tr is a piece of malware targeting embedded devices such as routers, IP cameras, etc.
There are variants for different kinds of processors such as ARM, Intel 80386, MC68000, MIPS R3000, PowerPC, Sparc, Advanced Micro Devices X86-64 or Renesas / SuperH SH.
It has been seen distributed by exploiting the Shellshock vulnerability in the past.
When executed, the malicious executable opens a connection to a C&C address hardcoded within it.
In some cases, after the connection is established the bot sends a message to the C&C specifying the build based on the presence of macros like MIPS_BUILD, MIPSEL_BUILD, X86_BUILD, ARM_BUILD or PPC_BUILD.
The message has the format BUILD %s, where %s can be MIPS, MIPSEL, X86, ARM, POWERPC or UNKNOWN.
Several variants of the malware have been found having different combinations of the capabilities mentioned below.
Depending upon the commands received from the C&C, the malware can perform the following functions:
Command Received | Resulting action
---|---
PING | Responds with the message PONG on the connection already open with the C&C
GETLOCALIP | Sends the message "My IP: X.X.X.X" to the C&C, where X.X.X.X is the infected host's IP address (obtained by reading the output of the route command)
TELNETSCAN or SCANNER | 
HOLD [IP] [PORT] [TIME] | A connection is opened to the IP address and PORT specified in the command and sustained for the duration TIME, also specified in the command
JUNK [IP] [PORT] [TIME] | The same function as above, with the difference that a randomly generated string is sent to the destination IP address
UDP [IP] [PORT] [TIME] [SPOOFIT] [SIZE] [INTERVAL] | 
TCP [IP] [PORT] [TIME] [SPOOFIT] [FLAGS] [SIZE] [INTERVAL] | Enables the same functionality as above, but sends TCP packets. It uses an additional parameter FLAGS that allows the C&C to specify the kind of packets sent as part of the TCP flood (e.g. "all", "syn", "rst", "fin", "ack", "psh")
KILLALL or KILLATTK | Kills all currently running processes forked from the original bot process
LOLNOGTFO or I95O752W3X or DUP | Exits the bot process
EMAIL [TARGET] [HOST] [SUB] [MSG] | Connects to HOST on port 25 and sends an email to TARGET from an email id 'rastrent.com'. As the names suggest, SUB and MSG provide the Subject and Body of the email sent
DNS | 
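As an added example (not code from this page or from the malware itself), a Python parser for the C&C command grammar in the table above, as a detection engineer might use it to triage a captured bot session from a sandbox or honeypot. It assumes space-separated positional parameters in the order listed; TELNETSCAN/SCANNER and DNS, whose parameters are not described above, are treated as bare verbs.

```python
import ipaddress

# Command grammar taken from the analysis table above: verb followed by positional parameters.
# TELNETSCAN/SCANNER and DNS have no documented parameters here, so they are parsed as bare verbs.
COMMAND_PARAMS = {
    "PING": [], "GETLOCALIP": [], "TELNETSCAN": [], "SCANNER": [],
    "HOLD": ["ip", "port", "time"],
    "JUNK": ["ip", "port", "time"],
    "UDP": ["ip", "port", "time", "spoofit", "size", "interval"],
    "TCP": ["ip", "port", "time", "spoofit", "flags", "size", "interval"],
    "KILLALL": [], "KILLATTK": [], "LOLNOGTFO": [], "I95O752W3X": [], "DUP": [],
    "EMAIL": ["target", "host", "sub", "msg"],
    "DNS": [],
}
FLOOD_COMMANDS = {"HOLD", "JUNK", "UDP", "TCP"}
TCP_FLAGS = {"all", "syn", "rst", "fin", "ack", "psh"}   # FLAGS values listed in the table

def parse_cnc_command(line):
    """Parse one line of C&C-to-bot traffic; None if it is not a well-formed known command."""
    parts = line.strip().split()
    if not parts or parts[0].upper() not in COMMAND_PARAMS:
        return None
    verb = parts[0].upper()
    names = COMMAND_PARAMS[verb]
    if verb == "EMAIL":
        values = parts[1:4] + [" ".join(parts[4:])]   # MSG is free text: keep the remainder
    else:
        values = parts[1:1 + len(names)]
    if len(values) < len(names):
        return None                                    # truncated: not enough parameters
    args = dict(zip(names, values))
    if verb in FLOOD_COMMANDS:
        try:                                           # normalise target fields for correlation
            args["ip"] = str(ipaddress.ip_address(args["ip"]))
            args["port"], args["time"] = int(args["port"]), int(args["time"])
        except ValueError:
            return None
        if verb == "TCP" and args["flags"].lower() not in TCP_FLAGS:
            return None
    return {"command": verb, "args": args, "flood": verb in FLOOD_COMMANDS}

def flood_targets(lines):
    """Collect (ip, port, seconds) tuples for every flood command in a captured C&C session."""
    targets = set()
    for line in lines:
        cmd = parse_cnc_command(line)
        if cmd and cmd["flood"]:
            targets.add((cmd["args"]["ip"], cmd["args"]["port"], cmd["args"]["time"]))
    return targets
```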
TelnetScanner: This is the part of the bot responsible for propagation of the malware. It performs the following functions:
- Generates a random public IP address, say W.X.Y.Z, with the following conditions:
  - W: not one of (0, 10, 100, 127, 169, 172, 192, 198, 203, 223)
  - X: above 31 and not one of (0, 51, 19, 18, 168, 88)
  - Y: not one of (2, 99, 100, 113)
- Tries to establish a connection with the above IP address at port 23.
- If the connection is established, it reads the response from the server up to the string "ogin:" (probably to match both "Login" and "login"), assuming the server expects the client to enter a username beyond this point.
- It sends, one by one, strings from an array of usernames, e.g. {"root", "", "admin", "user", "login", "guest"}, each followed by a newline character. If the server responds, it continues to the next step.
- If the server response contains the string "ncorrect", the bot tries the next username. Otherwise it looks for the string "assword:" and proceeds to the next step.
- The bot then tries a number of passwords from an array, e.g. {"root", "", "toor", "admin", "user", "guest", "login", "changeme", "1234", "12345", "123456", "default", "pass", "password"}, by sending them as a response to the telnet server.
- If the server responds with a string other than "ncorrect", the bot looks for any of the following strings in the response, {":", ">", "%", "$", "#"}, implying the presence of a prompt. If the response contains "ncorrect", the next password in the array is tried.
- Next, it checks for the presence of busybox on the device by sending the command "/bin/busybox;echo -e '\\147\\141\\171\\146\\147\\164'\r\n" (note that the octal escapes decode to 'gayfgt').
- If the response from the server includes 'gayfgt' (indicating the presence of a busybox binary), a report is sent to the C&C. The format is
  REPORT [IP]:[Username]
  if only the username is required to authenticate with the Telnet server, or
  REPORT [IP]:[Username]:[Password]
  where both Username and Password are required. IP corresponds to the randomly generated IP address where a telnet server with busybox was found.
- Next, a shell is launched by sending the instructions 'sh' or '/bin/busybox;shell'.
- This is followed by an instruction to download and launch a shell script on the randomly generated IP. After this script is launched, it is deleted.
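As a second added example (again not from this page or the malware), Python detection logic for the two observable artefacts of the scanner described above: the busybox probe, recognised by decoding the octal escapes the way `echo -e` would, and the REPORT message the bot sends back to the C&C. The session lines it scans are constructed, not captured.

```python
import re

# Octal escapes as used in the bot's busybox probe: echo -e '\147\141\171\146\147\164'
_OCTAL = re.compile(r"\\([0-7]{1,3})")

def decode_octal_escapes(s):
    """Expand \\NNN octal escapes the way `echo -e` does."""
    return _OCTAL.sub(lambda m: chr(int(m.group(1), 8)), s)

def is_busybox_probe(line):
    """True if a telnet session line is the bot's busybox check (/bin/busybox + echo of 'gayfgt')."""
    if "/bin/busybox" not in line:
        return False
    m = re.search(r"echo\s+-e\s+'([^']*)'", line)
    return bool(m) and decode_octal_escapes(m.group(1)) == "gayfgt"

# REPORT [IP]:[Username] or REPORT [IP]:[Username]:[Password], as documented above
_REPORT = re.compile(r"^REPORT\s+(\d{1,3}(?:\.\d{1,3}){3}):([^:\s]*)(?::(\S*))?\s*$")

def parse_report(line):
    """Parse a bot-to-C&C REPORT line; None if the line is not one. Password is None if absent."""
    m = _REPORT.match(line)
    if not m:
        return None
    ip, user, password = m.groups()
    return {"ip": ip, "username": user, "password": password}

# Constructed sample: a honeypot telnet transcript followed by the bot's outbound report line.
SAMPLE_SESSION = [
    "login: root",
    "Password: ",
    "# /bin/busybox;echo -e '\\147\\141\\171\\146\\147\\164'",
    "gayfgt",
    "REPORT 192.0.2.77:root:admin",
]

def scan_session(lines):
    """Return (probe_seen, reports) for a list of captured session lines."""
    probe = any(is_busybox_probe(l) for l in lines)
    reports = [r for r in (parse_report(l) for l in lines) if r]
    return probe, reports
```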
Recommended Action
- Make sure that your FortiGate/FortiClient system is using the latest AV database.
- Quarantine/delete files that are detected and replace infected files with clean backup copies.