Gafgyt Malware Broadens Its Scope in Recent Attacks

    Date: 12/05/2024

    Severity: High

    Summary

    The Gafgyt malware (also known as Bashlite or Lizkebab) has recently been observed targeting publicly exposed Docker Remote API servers. Traditionally focused on IoT devices, Gafgyt is now expanding its scope. Attackers abuse misconfigured, Internet-reachable Docker APIs to deploy the malware by creating containers from the legitimate "alpine" Docker image. Once deployed, the malware lets attackers infect further victims and launch DDoS attacks against targeted servers.
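    Because the root cause here is a Docker Remote API reachable from the Internet without client authentication, a defender's first check is the daemon's own listener configuration. The following script is an added example and is not part of this advisory or of Gurucul's product: it audits a parsed daemon.json for TCP listeners bound to non-loopback addresses and for listeners that do not require client certificates. The "hosts", "tlsverify", "tlscacert", "tlscert" and "tlskey" keys are standard dockerd options; both configuration documents below are constructed for illustration.

```python
import ipaddress
import json
from typing import Dict, List
from urllib.parse import urlsplit

# Two constructed daemon.json documents (illustrative, not from the advisory).
# Port 2375 is the conventional plaintext Remote API port, 2376 the TLS one.
WEAK_DAEMON_JSON = """
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
}
"""

HARDENED_DAEMON_JSON = """
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://127.0.0.1:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}
"""


def audit_daemon_config(config: Dict) -> List[str]:
    """Return one finding per risky Remote API listener in a parsed daemon.json."""
    findings: List[str] = []
    # tlsverify makes dockerd require a client certificate signed by tlscacert.
    require_client_cert = bool(config.get("tlsverify", False))
    for host in config.get("hosts", []):
        parts = urlsplit(host)
        if parts.scheme != "tcp":
            continue  # unix:// and fd:// listeners are not reachable over the network
        bind = parts.hostname or ""
        try:
            addr = ipaddress.ip_address(bind)
            # 0.0.0.0 / :: bind every interface; anything but loopback is reachable off-host.
            off_host = addr.is_unspecified or not addr.is_loopback
        except ValueError:
            # A hostname rather than an address: assume reachable unless it is localhost.
            off_host = bind != "localhost"
        if off_host:
            findings.append(f"{host}: Remote API listens on a non-loopback address")
        if not require_client_cert:
            findings.append(f"{host}: Remote API listener does not require client certificates (tlsverify unset)")
    return findings


def audit_daemon_json(text: str) -> List[str]:
    """Convenience wrapper: audit a daemon.json document given as text."""
    return audit_daemon_config(json.loads(text))


if __name__ == "__main__":
    for name, doc in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(name, audit_daemon_json(doc) or ["no findings"])
```

    The check is deliberately conservative: a listener on a private LAN address is still reported, because the advisory's attack path only needs the API to be reachable by an attacker, not necessarily from the public Internet. A listener on 127.0.0.1 with tlsverify set produces no findings.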

    Indicators of Compromise (IOC) List

    Domains/URLs:

    http://178.215.238.24/rbot

    http://178.215.238.31/cve.sh

    http://178.215.238.31/bins/atlas.arm4

    http://178.215.238.31/bins/atlas.arm5

    http://178.215.238.31/bins/atlas.arm6

    http://178.215.238.31/bins/atlas.arm7

    http://178.215.238.31/bins/atlas.i586

    http://178.215.238.31/bins/atlas.i686

    http://178.215.238.31/bins/atlas.m68k

    http://178.215.238.31/bins/atlas.mips

    http://178.215.238.31/bins/atlas.mipsel

    http://178.215.238.31/bins/atlas.sh4

    http://178.215.238.31/atlas.i586

    IP Addresses:

    178.215.238.24

    178.215.238.31

    Hashes (SHA-256):

    b7f0ac1551ab58a1b84ba8e63dfc98dd126f7abe686137cbffc8ff95bfbac1ba

    6b385dc32daff689c1c448bf5f9151996abbac730e167a9cbfa9111591f253ea

    ed6c93faebd9a60e132f4f952a1b516e758ce0e445b225eb702dfd2c8c2db6c0

    19778568781fd397ee2415d0a3593ffcaff4f333cdc27e52a1b23e07de08fdb6

    f8388cba15175fa7fda8daacfd095972e1a96faaabeede411f99f42f71ae395b

    0b7e14e3305fd25b250ad494c014b0f8dfefaf0f3e8413bd797db12dd2eb9d8c

    f7004355f2bf653d3f055bc674822f99a8ff3692a02c1aec6b727a782e37b836

    a79a9653209c9d942dee0be597e04845fc5250880edcc5c3cb50110153925a03

    156c85a09a1d5d753ce3fd128e0bb6097bb5b18e6cc0ffe6f9bc99a218a21ed9

    68c215494fd35e097bf76eb3886b95ec66fdc707ebcf10f221b4db4ac2cd6d70

    bb2bd8819045055af5295c23d1293b2d215fabe7dcf097813b9624ab98a13976

    c1c03eab6bbca461f4a9dc7395103cdb0aa018563e835150c66228f3d7edadaa

    36ee47d10acbf8fbc7b16d4d237e2be567491b95dcd333856268c6c63a02f358

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Domains/URLs:

    userdomainname like "http://178.215.238.24/rbot" or url like "http://178.215.238.24/rbot" or userdomainname like "http://178.215.238.31/bins/atlas.arm4" or url like "http://178.215.238.31/bins/atlas.arm4" or userdomainname like "http://178.215.238.31/bins/atlas.arm5" or url like "http://178.215.238.31/bins/atlas.arm5" or userdomainname like "http://178.215.238.31/bins/atlas.arm6" or url like "http://178.215.238.31/bins/atlas.arm6" or userdomainname like "http://178.215.238.31/bins/atlas.arm7" or url like "http://178.215.238.31/bins/atlas.arm7" or userdomainname like "http://178.215.238.31/bins/atlas.i586" or url like "http://178.215.238.31/bins/atlas.i586" or userdomainname like "http://178.215.238.31/bins/atlas.m68k" or url like "http://178.215.238.31/bins/atlas.m68k" or userdomainname like "http://178.215.238.31/bins/atlas.mips" or url like "http://178.215.238.31/bins/atlas.mips" or userdomainname like "http://178.215.238.31/bins/atlas.mipsel" or url like "http://178.215.238.31/bins/atlas.mipsel" or userdomainname like "http://178.215.238.31/bins/atlas.sh4" or url like "http://178.215.238.31/bins/atlas.sh4" or userdomainname like "http://178.215.238.31/atlas.i586" or url like "http://178.215.238.31/atlas.i586" or userdomainname like "http://178.215.238.31/cve.sh" or url like "http://178.215.238.31/cve.sh"

    IP Addresses:

    dstipaddress IN ("178.215.238.31","178.215.238.24") or ipaddress IN ("178.215.238.31","178.215.238.24") or publicipaddress IN ("178.215.238.31","178.215.238.24") or srcipaddress IN ("178.215.238.31","178.215.238.24")

    Hashes (SHA-256):

    sha256hash IN ("0b7e14e3305fd25b250ad494c014b0f8dfefaf0f3e8413bd797db12dd2eb9d8c","ed6c93faebd9a60e132f4f952a1b516e758ce0e445b225eb702dfd2c8c2db6c0","bb2bd8819045055af5295c23d1293b2d215fabe7dcf097813b9624ab98a13976","19778568781fd397ee2415d0a3593ffcaff4f333cdc27e52a1b23e07de08fdb6","36ee47d10acbf8fbc7b16d4d237e2be567491b95dcd333856268c6c63a02f358","c1c03eab6bbca461f4a9dc7395103cdb0aa018563e835150c66228f3d7edadaa","f8388cba15175fa7fda8daacfd095972e1a96faaabeede411f99f42f71ae395b","f7004355f2bf653d3f055bc674822f99a8ff3692a02c1aec6b727a782e37b836","b7f0ac1551ab58a1b84ba8e63dfc98dd126f7abe686137cbffc8ff95bfbac1ba","a79a9653209c9d942dee0be597e04845fc5250880edcc5c3cb50110153925a03","6b385dc32daff689c1c448bf5f9151996abbac730e167a9cbfa9111591f253ea","156c85a09a1d5d753ce3fd128e0bb6097bb5b18e6cc0ffe6f9bc99a218a21ed9","68c215494fd35e097bf76eb3886b95ec66fdc707ebcf10f221b4db4ac2cd6d70")
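    For teams without the TDIR platform, the same three matches (URL, IP address, SHA-256) can be applied to exported logs directly. The script below is an added example, not part of this advisory or of Gurucul's product: it loads the IOC values listed above, parses key=value log records whose field names mirror the query fields (url, userdomainname, srcipaddress, dstipaddress, ipaddress, publicipaddress, sha256hash), and reports every hit. The sample records are constructed for illustration; the hash comparison is case-insensitive and a URL also matches when a query string follows it.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# IOC values exactly as listed in this advisory.
IOC_IPS = {"178.215.238.24", "178.215.238.31"}
IOC_URLS = {
    "http://178.215.238.24/rbot",
    "http://178.215.238.31/cve.sh",
    "http://178.215.238.31/atlas.i586",
} | {
    f"http://178.215.238.31/bins/atlas.{arch}"
    for arch in ("arm4", "arm5", "arm6", "arm7", "i586", "i686", "m68k", "mips", "mipsel", "sh4")
}
IOC_SHA256 = {
    "b7f0ac1551ab58a1b84ba8e63dfc98dd126f7abe686137cbffc8ff95bfbac1ba",
    "6b385dc32daff689c1c448bf5f9151996abbac730e167a9cbfa9111591f253ea",
    "ed6c93faebd9a60e132f4f952a1b516e758ce0e445b225eb702dfd2c8c2db6c0",
    "19778568781fd397ee2415d0a3593ffcaff4f333cdc27e52a1b23e07de08fdb6",
    "f8388cba15175fa7fda8daacfd095972e1a96faaabeede411f99f42f71ae395b",
    "0b7e14e3305fd25b250ad494c014b0f8dfefaf0f3e8413bd797db12dd2eb9d8c",
    "f7004355f2bf653d3f055bc674822f99a8ff3692a02c1aec6b727a782e37b836",
    "a79a9653209c9d942dee0be597e04845fc5250880edcc5c3cb50110153925a03",
    "156c85a09a1d5d753ce3fd128e0bb6097bb5b18e6cc0ffe6f9bc99a218a21ed9",
    "68c215494fd35e097bf76eb3886b95ec66fdc707ebcf10f221b4db4ac2cd6d70",
    "bb2bd8819045055af5295c23d1293b2d215fabe7dcf097813b9624ab98a13976",
    "c1c03eab6bbca461f4a9dc7395103cdb0aa018563e835150c66228f3d7edadaa",
    "36ee47d10acbf8fbc7b16d4d237e2be567491b95dcd333856268c6c63a02f358",
}

# Field names mirror the TDIR queries above.
URL_FIELDS = ("url", "userdomainname")
IP_FIELDS = ("srcipaddress", "dstipaddress", "ipaddress", "publicipaddress")


@dataclass
class Hit:
    line_no: int
    kind: str   # "url", "ip" or "sha256"
    value: str


# Constructed sample records (not from the advisory): key=value export lines.
# Line 3 carries an upper-case hash to show the case-insensitive match.
SAMPLE_LOGS = [
    'ts=2024-12-05T10:01:02Z srcipaddress=10.0.0.5 dstipaddress=178.215.238.31 url="http://178.215.238.31/bins/atlas.arm7" action=allow',
    'ts=2024-12-05T10:01:09Z srcipaddress=10.0.0.6 dstipaddress=198.51.100.7 url="http://example.com/" action=allow',
    "ts=2024-12-05T10:02:30Z host=docker-host-1 sha256hash="
    + "b7f0ac1551ab58a1b84ba8e63dfc98dd126f7abe686137cbffc8ff95bfbac1ba".upper()
    + " path=/tmp/atlas.i586",
    "ts=2024-12-05T10:03:15Z srcipaddress=178.215.238.24 dstipaddress=10.0.0.5 dstport=2375 action=allow",
    'ts=2024-12-05T10:04:41Z srcipaddress=10.0.0.9 dstipaddress=10.0.0.1 url="http://178.215.238.31/cve.sh?x=1"',
]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv(line: str) -> Dict[str, str]:
    """Parse key=value pairs; quoted values may contain spaces."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def url_is_ioc(value: str) -> bool:
    """Exact IOC URL, or the IOC URL followed by a query string."""
    return any(value == u or value.startswith(u + "?") for u in IOC_URLS)


def scan_logs(lines: List[str]) -> List[Hit]:
    """Return one Hit per distinct (kind, value) IOC match on each line, in line order."""
    hits: List[Hit] = []
    for n, line in enumerate(lines, 1):
        fields = parse_kv(line)
        found: List[tuple] = []
        for key in URL_FIELDS:
            v = fields.get(key, "")
            if v and url_is_ioc(v) and ("url", v) not in found:
                found.append(("url", v))
        for key in IP_FIELDS:
            v = fields.get(key, "")
            if v in IOC_IPS and ("ip", v) not in found:
                found.append(("ip", v))
        h = fields.get("sha256hash", "").lower()
        if h in IOC_SHA256:
            found.append(("sha256", h))
        hits.extend(Hit(n, kind, value) for kind, value in found)
    return hits


def summarize(hits: List[Hit]) -> Dict[str, int]:
    """Count hits by indicator type."""
    counts: Dict[str, int] = {}
    for h in hits:
        counts[h.kind] = counts.get(h.kind, 0) + 1
    return counts


if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS):
        print(f"line {hit.line_no}: {hit.kind} {hit.value}")
```

    Note that line 4 of the sample is an inbound connection from one of the listed addresses to port 2375 on an internal host, which is the shape of the Remote API abuse described in the summary; matching on srcipaddress as well as dstipaddress, exactly as the IP query above does, is what catches it.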

    Reference:

    https://www.trendmicro.com/en_us/research/24/l/gafgyt-malware-targeting-docker-remote-api-servers.html


    Tags

    Malware, Gafgyt, Bashlite, Lizkebab

