Key Takeaways
- Gayfemboy is a robust DDoS botnet that emerged in February 2024, evolving beyond typical Mirai variants.
- It exploits both 0-day and N-day vulnerabilities, targeting a wide range of devices, including routers from ASUS and Four-Faith.
- With over 15,000 active nodes, Gayfemboy is capable of launching powerful DDoS attacks against numerous industries globally.
Emergence and Evolution
Gayfemboy, a newly identified botnet, was first recognized by QiAnXin’s XLab in February 2024. Initially appearing as just another variant of Mirai, it quickly surprised researchers with its persistent evolution and aggressive capabilities. Unlike earlier Mirai clones, which often dissipate quickly, Gayfemboy has established itself as a significant DDoS threat.
In its early stages, Gayfemboy’s code was typical of the breed, featuring an unremarkable UPX shell. However, it rapidly adapted and innovated, enhancing its structure. By April 2024, modifications to its shell, including a new magic number and a custom registration packet, indicated a shift towards becoming a more sophisticated entity. By mid-June, it had stabilized, making only minor updates to its command-and-control (C2) infrastructure.
The turning point for Gayfemboy came in November 2024, when it exploited a critical 0-day vulnerability (CVE-2024-12856) in Four-Faith routers, alongside other unpublicized vulnerabilities affecting Neterbit routers and Vimar smart home devices. This advancement allowed it to significantly broaden its infection capabilities.
Operational Dynamics
Researchers noted Gayfemboy’s operational sophistication during an analysis where they registered unused C2 domains. In response, the botnet’s operators executed retaliatory DDoS attacks against the new domains, showcasing its advanced tactics. XLab determined that Gayfemboy commands over 15,000 active nodes, organized into more than 40 distinct groups to maintain control over the botnet’s vast network.
Gayfemboy employs a diverse strategy by leveraging over 20 different vulnerabilities along with weak Telnet credentials to breach devices. This mix includes N-day vulnerabilities targeting devices like ASUS routers and newer exploits against Four-Faith routers. While primarily active in countries like China, the US, Iran, Russia, and Turkey, its reach is global.
Threat Level and Capabilities
The botnet has morphed into a persistent DDoS threat since its inception, concentrating on intermittent but high-impact attacks on various targets. Analysts observed a notable increase in activity across several sectors, particularly affecting telecom and government organizations in countries such as China, the US, Germany, the UK, and Singapore.
After researchers set up a virtual private server (VPS) to observe Gayfemboy’s behavior, the botnet launched DDoS attacks against the VPS, rendering it inaccessible for periods of time. The attacks demonstrated substantial firepower, with traffic spikes estimated at 100GB.
Gayfemboy’s Mirai lineage remains evident in its code: it retains similar command structures while stripping out certain identifying elements. Operators manage botnet tasks, such as scaling attacks or updating the bot itself, through a command that repeatedly outputs the string “we gone now.”
A distinctive feature is a self-hiding mechanism: the bot checks for writable directories and obscures its presence in the file system, improving its stealth while it runs.
Gayfemboy signifies a leap in botnet evolution, efficiently adapting by integrating new vulnerabilities and strategic attack methodologies. As such, it showcases the potential dangers posed by modern distributed attacks and underscores the necessity for heightened security protocols among vulnerable devices across industries.
The content above is a summary. For more details, see the source article.