National Cyber Warfare Foundation (NCWF)

Gayfemboy Botnet targets Four-Faith router vulnerability


2025-01-08 19:42:37
milo
Blue Team (CND) , Attacks


Gayfemboy, a Mirai botnet variant, has been exploiting a flaw in Four-Faith industrial routers to launch DDoS attacks since November 2024.





The Gayfemboy botnet was first identified in February 2024. It borrows code from the basic Mirai variant and now integrates N-day and 0-day exploits.





By November 2024, Gayfemboy was exploiting 0-day vulnerabilities in Four-Faith industrial routers, Neterbit routers and Vimar smart home devices, with over 15,000 daily active nodes. The operators behind the botnet also launched DDoS attacks against researchers tracking it.





QiAnXin XLab experts observed Gayfemboy delivering its bot by exploiting more than 20 vulnerabilities; the operators also attempted to exploit weak Telnet credentials. The researchers found that the attackers targeted the zero-day vulnerability CVE-2024-12856 in Four-Faith industrial routers along with several unknown vulnerabilities affecting Neterbit and Vimar devices.





Gayfemboy exploits various vulnerabilities, including CVE-2013-3307, CVE-2021-35394, CVE-2024-8957, and others in DVRs, routers, and security appliances.





Gayfemboy botnet



Most of the infections are in China, the United States, Iran, Russia, and Turkey.





“When Gayfemboy bots connect to the C2, they carry grouping information used to identify and organize infected devices, enabling attackers to efficiently manage and control the large botnet. This grouping information typically includes key identifiers, such as the device’s operating system type or other identifying details,” reads the report published by QiAnXin XLab. “Many attackers also prefer to use the infection method as an identifier. Gayfemboy’s grouping information is based on device details. The main infected devices are as follows:





Group      Count of Bot IP   Method of Infection     Affected Device
adtran     2707              Unknown                 Unknown
asus       2080              NDAY                    ASUS Router
bdvr       71461             NDAY                    Kguard DVR
peeplink   1422              Unknown                 Neterbit, LTE, CPE, NR5G Router
faith      2590              0DAY (CVE-2024-12856)   Four-Faith Industrial Router
vimar      7442              Unknown                 Vimar Smart Home Device




The Gayfemboy botnet has been launching DDoS attacks against hundreds of global targets since February 2024, with activity peaking in October and November. Key targets include China, the U.S., Germany, and the U.K.





The botnet launched 10–30 second DDoS attacks on domains the researchers had registered for analysis, which pointed at a VPS hosted by a cloud provider. The attacks triggered blackholing of the VPS traffic for over 24 hours. With no DDoS protection available, the team stopped resolving the domains. Traffic peaked at 100GB, per the provider's estimates.





The botnet is based on Mirai; analysis of the code revealed that it includes plaintext strings and a custom “gayfemboy” registration packet. The author added new commands and a PID-hiding function. Despite its evolution, its plaintext strings and unchanged output message, “we gone now,” highlight lax protection efforts.
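Because the variant leaves its marker strings in the clear, a string-based triage scan over a captured sample or memory region is enough to flag it. The following Python scanner is an added example, not code from the XLab report or from SecurityAffairs; it looks for the two markers the article names ("gayfemboy" and "we gone now") both as plaintext and in the single-byte XOR form that stock Mirai applies to its string table (key 0x22, derived from 0xDEADBEEF), so it also covers builds that restore the original obfuscation. The sample blob is constructed for the demonstration.

```python
import re

# Plaintext markers the XLab analysis attributes to the Gayfemboy Mirai variant.
MARKERS = [b"gayfemboy", b"we gone now"]

# Stock Mirai obfuscates its string table by XORing every byte with the four
# bytes of 0xDEADBEEF in turn, which collapses to a single key byte:
# 0xde ^ 0xad ^ 0xbe ^ 0xef == 0x22. Gayfemboy leaves strings in the clear,
# but checking both forms catches either build style.
MIRAI_XOR_KEY = 0x22


def _variants(marker: bytes):
    """Yield (form, pattern) pairs: the plain marker and its XOR-obfuscated form."""
    yield "plain", marker
    yield "xor22", bytes(b ^ MIRAI_XOR_KEY for b in marker)


def scan_blob(blob: bytes):
    """Return (marker, form, offset) for every marker occurrence, ordered by offset."""
    hits = []
    for marker in MARKERS:
        for form, pattern in _variants(marker):
            for match in re.finditer(re.escape(pattern), blob):
                hits.append((marker.decode(), form, match.start()))
    return sorted(hits, key=lambda hit: hit[2])


def triage(blob: bytes) -> dict:
    """Summarise a sample: all hits, whether any were plaintext, and a verdict."""
    hits = scan_blob(blob)
    return {
        "hits": hits,
        "plaintext_markers": any(form == "plain" for _, form, _ in hits),
        "verdict": "likely Gayfemboy/Mirai variant" if hits else "no known markers",
    }


# Constructed sample (not a real capture): padding, the plain registration
# marker, more padding, then the shutdown message in Mirai XOR form.
SAMPLE = (
    b"\x00" * 16
    + b"gayfemboy"
    + b"\x00" * 8
    + bytes(b ^ MIRAI_XOR_KEY for b in b"we gone now")
    + b"\x00" * 4
)

if __name__ == "__main__":
    print(triage(SAMPLE))
```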





“DDoS (Distributed Denial of Service) is a highly reusable and relatively low-cost cyberattack weapon. It can launch large-scale traffic attacks instantly using distributed botnets, malicious tools, or amplification techniques, depleting, disabling, or interrupting the target network’s resources. As a result, DDoS has become one of the most common and destructive forms of cyberattacks,” concludes the report, which includes Indicators of Compromise (IoCs). “Its attack modes are diverse, attack paths are highly concealed, and it can employ continuously evolving strategies and techniques to conduct precise strikes against various industries and systems, posing a significant threat to enterprises, government organizations, and individual users.”










Pierluigi Paganini












Source: SecurityAffairs
Source Link: https://securityaffairs.com/172805/malware/gayfemboy-mirai-botnet-four-faith-flaw.html




Copyright 2012 through 2025 - National Cyber Warfare Foundation - All rights reserved worldwide.