XLab has released a report on the Gayfemboy botnet, a rapidly evolving threat leveraging a 0-day vulnerability in Four-Faith industrial routers. This botnet, initially a modest derivative of the infamous Mirai malware, has grown into a large-scale network with over 15,000 daily active nodes and sophisticated capabilities for Distributed Denial-of-Service (DDoS) attacks.
Unlike many Mirai-based botnets that “survive no more than 3–4 days,” the Gayfemboy botnet stands out for its persistence and adaptability. First identified by XLab in February 2024, the botnet initially exhibited few innovative features. However, its developers quickly began iterative improvements, introducing UPX polymorphic packing, custom registration packets, and the integration of known vulnerabilities.
By November 2024, Gayfemboy had reached a critical milestone, exploiting a previously unknown vulnerability in Four-Faith industrial routers (now tracked as CVE-2024-12856). According to XLab, this exploit marked the botnet’s transition from “an ordinary Mirai variant into today’s unique large-scale botnet, equipped with 0-day exploitation capabilities and a ferocious attack arsenal.”
The Four-Faith industrial router vulnerability, disclosed publicly by VulnCheck on December 27, 2024, allows attackers to deliver malicious payloads. In the case of Gayfemboy, the botnet used this 0-day to spread its malware to thousands of devices globally. Exploited devices were observed executing samples with a unique parameter, faith2, as part of the infection process.
Gayfemboy also leverages a suite of other vulnerabilities and weak Telnet credentials, targeting devices from manufacturers such as Neterbit and Vimar, which remain vulnerable to undisclosed flaws.
Through extensive analysis, XLab identified Gayfemboy as maintaining over 40 device groupings and more than 15,000 daily active bot IPs. These infections are concentrated in regions such as China, the United States, Iran, Russia, and Turkey. According to the report, “when it detected our registration of its domains, it retaliated immediately with a DDoS attack—an act of notable hostility.”
The botnet’s attack capabilities are robust, capable of launching DDoS attacks with estimated traffic volumes of 100GB per assault. XLab’s observation of its Command-and-Control (C2) operations also revealed the use of hardcoded commands such as “update self”, “start scan”, and “attack kill all”.
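As an added illustration, not code from the XLab report, the following Python sketch shows how a defender might flag the two concrete indicators the article names (the faith2 execution argument and the hardcoded C2 command strings) over process-execution log lines; the log format, host names and sample lines are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample process-execution records (assumed audit format with a
# quoted cmdline field). These are illustrative, not telemetry from the report.
SAMPLE_LOG = """\
2024-12-28T10:01:02Z host=rtr-01 event=exec pid=812 cmdline="/bin/busybox ls /tmp"
2024-12-28T10:01:09Z host=rtr-01 event=exec pid=815 cmdline="/tmp/.x faith2"
2024-12-28T10:02:40Z host=rtr-02 event=exec pid=431 cmdline="/usr/sbin/faith2d --reload"
2024-12-28T10:03:11Z host=rtr-03 event=exec pid=977 cmdline="/var/run/a.out faith2 >/dev/null"
"""

# Hardcoded C2 command strings named in the article.
C2_COMMANDS = ("update self", "start scan", "attack kill all")

LINE_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) event=exec pid=(?P<pid>\d+) cmdline="(?P<cmd>[^"]*)"$'
)


@dataclass(frozen=True)
class Finding:
    host: str
    pid: int
    reason: str
    cmdline: str


def flag_exec_lines(log: str) -> list[Finding]:
    """Flag executions whose arguments contain the bare token 'faith2'.

    Matching a whole argv token (not a substring) avoids false positives on
    legitimate binaries whose name merely contains the string."""
    findings = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip records that are not exec events in this format
        argv = m.group("cmd").split()
        if "faith2" in argv[1:]:
            findings.append(Finding(m.group("host"), int(m.group("pid")),
                                    "faith2 infection argument", m.group("cmd")))
    return findings


def flag_c2_commands(payload: str) -> list[str]:
    """Return the hardcoded C2 command strings present in a captured text payload,
    after collapsing whitespace so spacing variants still match."""
    text = " ".join(payload.split()).lower()
    return [c for c in C2_COMMANDS if c in text]
```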
XLab cautions that “DDoS has become one of the most common and destructive forms of cyberattacks.” For further details, see the full report from XLab.