The Gayfemboy botnet was first identified in February 2024. It borrows code from the basic Mirai variant and now integrates N-day and 0-day exploits.
By November 2024, Gayfemboy was exploiting 0-day vulnerabilities in Four-Faith industrial routers, Neterbit routers, and Vimar smart home devices, with over 15,000 daily active nodes. Operators behind the botnet also launched DDoS attacks against researchers tracking it.
QiAnXin XLab experts observed Gayfemboy delivering its bot by exploiting more than 20 vulnerabilities; the operators also attempted to exploit weak Telnet credentials. The researchers discovered that attackers targeted the zero-day vulnerability CVE-2024-12856 in Four-Faith industrial routers along with several unknown vulnerabilities affecting Neterbit and Vimar devices.
Gayfemboy exploits various vulnerabilities, including CVE-2013-3307, CVE-2021-35394, CVE-2024-8957, and others in DVRs, routers, and security appliances.
Most of the infections are in China, the United States, Iran, Russia, and Turkey.
“When Gayfemboy bots connect to the C2, they carry grouping information used to identify and organize infected devices, enabling attackers to efficiently manage and control the large botnet. This grouping information typically includes key identifiers, such as the device’s operating system type or other identifying details.” reads the report published by QiAnXin XLab. “Many attackers also prefer to use the infection method as an identifier. Gayfemboy’s grouping information is based on device details. The main infected devices are as follows:
| Group | Count of Bot IP | Method of Infection | Affected Device |
|---|---|---|---|
| adtran | 2707 | Unknown | Unknown |
| asus | 2080 | NDAY | ASUS Router |
| bdvr7 | 1461 | NDAY | Kguard DVR |
| peeplink | 1422 | Unknown | Neterbit, LTE, CPE, NR5G Router |
| faith2 | 590 | 0DAY (CVE-2024-12856) | Four-Faith Industrial Router |
| vimar7 | 442 | Unknown | Vimar Smart Home Device |
The Gayfemboy botnet has been launching DDoS attacks against hundreds of global targets since February 2024, with activity peaking in October and November. Key targets include China, the U.S., Germany, and the U.K.
The botnet launched DDoS attacks lasting 10–30 seconds against the domains the researchers had registered for analysis, which resolved to a VPS hosted by a cloud provider. The attacks caused the provider to blackhole the VPS traffic for over 24 hours. With no DDoS protection in place, the team stopped resolving the domains. Per the provider's estimates, traffic peaked at 100GB.
The botnet is based on Mirai. Analysis of the code revealed that it contains plaintext strings and a custom “gayfemboy” registration packet, and that the author added new commands and a PID-hiding function. Despite its evolution, its plaintext strings and unchanged output message, “we gone now\n,” highlight lax protection efforts.
“DDoS (Distributed Denial of Service) is a highly reusable and relatively low-cost cyberattack weapon. It can launch large-scale traffic attacks instantly using distributed botnets, malicious tools, or amplification techniques, depleting, disabling, or interrupting the target network’s resources. As a result, DDoS has become one of the most common and destructive forms of cyberattacks.” concludes the report that includes Indicators of Compromise (IoCs). “Its attack modes are diverse, attack paths are highly concealed, and it can employ continuously evolving strategies and techniques to conduct precise strikes against various industries and systems, posing a significant threat to enterprises, government organizations, and individual users.”
(SecurityAffairs – hacking, botnet)