Conclusion

This latest Gafgyt campaign shows that the malware is evolving and taking on techniques used by other malware authors. Those interested in building botnets don’t need to go far in order to find source code to create their own. Botnets for service are also common and easy to buy. They are advertised on a variety of platforms, including Instagram, and we recently wrote about the ease of compromising IoT devices, even for children.

Gafgyt, in particular, is a botnet that defenders should keep an eye on. Gafgyt’s campaigns are typically active for a long time, and it has continued to enhance its attack services and exploits for different devices. In order to stay in relevant in the IoT botnet world, it has expanded its list of rival bots, and removes them from targeted devices.

The Huawei routers being targeted by this variant/campaign are older routers. Researchers recommend replacing older routers to newer models, both for performance and security, and regularly updating newer routers to maximize protection. Most importantly, vendor default credentials should be disabled on all IoT systems (as Huawei recommended for CVE-2017-17215).