New Variant of Mirai Botnet Targets Industrial Routers

Security researchers have issued a warning regarding a new variant of the Mirai botnet, known as the Gayfemboy botnet, which is actively exploiting zero-day vulnerabilities in industrial routers. This botnet has been in operation since November 2024, according to findings from Chainxin X Lab, and is rapidly spreading across the globe.

The Gayfemboy botnet primarily targets Four-Faith and Neterbit routers, as well as smart home devices. In late December, researchers from VulnCheck reported that CVE-2024-12856, a vulnerability in Four-Faith industrial routers, was being actively exploited. Attackers have leveraged the router’s default credentials to execute remote command injections.

In addition to targeting Four-Faith routers, the botnet has been involved in targeted attacks on undisclosed vulnerabilities in Neterbit routers and Vimar smart home devices. Chainxin X Lab’s analysis shows that the Gayfemboy botnet has exploited over 20 vulnerabilities by utilizing weak Telnet credentials to gain access. The botnet includes a brute-force module for insecure Telnet passwords, employs custom UPX packing with distinctive signatures, and uses Mirai-based command structures. This functionality allows attackers to update clients, scan networks, and conduct DDoS attacks.
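The Telnet brute-force component described above is one of the more detectable parts of a Mirai-style bot from the victim side: a single source tries a burst of logins across several default usernames within seconds. The following script is an added illustration and not code from the article, from Chainxin X Lab or from the botnet itself. It assumes util-linux-style `login` syslog messages and constructed sample lines (RFC 5737 documentation addresses); adjust the two regexes to the exact messages your routers emit.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample syslog lines in util-linux `login` style (assumed format, not taken
# from the article). Source addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Jan 10 03:14:01 edge-rtr login[2201]: FAILED LOGIN (1) on 'pts/0' from 203.0.113.5 FOR 'root', Authentication failure
Jan 10 03:14:02 edge-rtr login[2202]: FAILED LOGIN (1) on 'pts/0' from 203.0.113.5 FOR 'admin', Authentication failure
Jan 10 03:14:03 edge-rtr login[2203]: FAILED LOGIN (1) on 'pts/0' from 203.0.113.5 FOR 'support', Authentication failure
Jan 10 03:14:04 edge-rtr login[2204]: FAILED LOGIN (1) on 'pts/0' from 203.0.113.5 FOR 'user', Authentication failure
Jan 10 03:14:05 edge-rtr login[2205]: FAILED LOGIN (1) on 'pts/0' from 203.0.113.5 FOR 'guest', Authentication failure
Jan 10 03:14:06 edge-rtr login[2206]: FAILED LOGIN (1) on 'pts/0' from 203.0.113.5 FOR 'root', Authentication failure
Jan 10 03:14:07 edge-rtr login[2207]: LOGIN ON pts/0 BY root FROM 203.0.113.5
Jan 10 03:20:10 edge-rtr login[2250]: FAILED LOGIN (1) on 'pts/1' from 198.51.100.7 FOR 'admin', Authentication failure
Jan 10 03:25:10 edge-rtr login[2251]: FAILED LOGIN (1) on 'pts/1' from 198.51.100.7 FOR 'admin', Authentication failure
Jan 10 03:25:30 edge-rtr login[2252]: LOGIN ON pts/1 BY admin FROM 198.51.100.7
"""

TS = r"(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d)"
FAIL_RE = re.compile(
    TS + r" \S+ login\[\d+\]: FAILED LOGIN \(\d+\) on '[^']*' from (?P<src>\S+) FOR '(?P<user>[^']*)'"
)
SUCCESS_RE = re.compile(TS + r" \S+ login\[\d+\]: LOGIN ON \S+ BY (?P<user>\S+) FROM (?P<src>\S+)")


def _parse_ts(text):
    # Syslog timestamps carry no year; strptime defaults to 1900, which is fine for ordering.
    return datetime.strptime(text, "%b %d %H:%M:%S")


def detect_telnet_bruteforce(lines, threshold=5, window_seconds=60):
    """Flag source IPs that produce `threshold` or more failed logins inside a sliding
    window of `window_seconds`. Returns {src: {"failures", "users", "succeeded"}}, where
    "succeeded" is True if the same source later logged in successfully (likely compromise)."""
    recent = defaultdict(deque)  # src -> deque of (timestamp, username) still inside the window
    alerts = {}
    for line in lines:
        m = FAIL_RE.match(line)
        if m:
            ts, src, user = _parse_ts(m["ts"]), m["src"], m["user"]
            q = recent[src]
            q.append((ts, user))
            # Drop attempts that have aged out of the window.
            while q and (ts - q[0][0]).total_seconds() > window_seconds:
                q.popleft()
            if len(q) >= threshold:
                entry = alerts.setdefault(src, {"failures": 0, "users": (), "succeeded": False})
                if len(q) > entry["failures"]:
                    entry["failures"] = len(q)
                    entry["users"] = tuple(sorted({u for _, u in q}))
            continue
        m = SUCCESS_RE.match(line)
        if m and m["src"] in alerts:
            # A successful login from a source already in a brute-force burst is the
            # strongest signal that a default or weak credential worked.
            alerts[m["src"]]["succeeded"] = True
    return alerts


if __name__ == "__main__":
    for src, info in detect_telnet_bruteforce(SAMPLE_LOG.splitlines()).items():
        verdict = "COMPROMISE LIKELY" if info["succeeded"] else "brute force in progress"
        print(f"{src}: {info['failures']} failures, users tried {info['users']} -> {verdict}")
```

The second source in the sample fails only twice, five minutes apart, and is deliberately left unflagged: the sliding window is what separates an operator mistyping a password from a dictionary run. The practical mitigation the article implies is still upstream of detection: change default Telnet credentials or disable Telnet in favour of SSH where the device allows it.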

Since its discovery in February 2024, the botnet has been launching attacks on hundreds of targets daily. Researchers estimate that there are approximately 15,000 active bot IPs, predominantly located in China, the United States, Russia, Turkey, and Iran. The botnet’s targets span various industries, with significant concentrations in China, the US, Germany, the UK, and Singapore.

The Gayfemboy botnet orchestrates DDoS attacks characterised by their short duration, typically lasting between 10 and 30 seconds. Despite their brevity, these attacks are highly intense, with data rates exceeding 100 Gbps, a level of disruption that poses a significant threat to even the most resilient infrastructures.
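Short, high-rate floods like the ones described above are easy to miss in dashboards that average traffic over a minute or more. The following burst detector is an added example, not code from the article or from Chainxin X Lab: it segments a per-second traffic series into contiguous runs above a rate threshold and checks which runs match the duration and rate profile the article reports (10 to 30 seconds, over 100 Gbps). The input series is constructed inline; in practice the samples would come from flow or interface counters.

```python
from dataclasses import dataclass


@dataclass
class Burst:
    start: int         # second offset at which the burst began
    duration: int      # consecutive seconds at or above the threshold
    peak_gbps: float   # highest rate observed during the burst


def find_bursts(samples, threshold_gbps=50.0, min_duration=5):
    """samples: iterable of (second_offset, gbps), one sample per second.
    Returns contiguous runs at or above `threshold_gbps` lasting at least `min_duration` seconds.
    A missing second in the series ends the current run."""
    bursts, start, prev_t, peak = [], None, None, 0.0

    def close():
        nonlocal start
        if start is not None:
            duration = prev_t - start + 1
            if duration >= min_duration:
                bursts.append(Burst(start, duration, round(peak, 1)))
            start = None

    for t, rate in sorted(samples):
        if start is not None and t != prev_t + 1:  # gap in the series ends the run
            close()
        if rate >= threshold_gbps:
            if start is None:
                start, peak = t, rate
            peak = max(peak, rate)
            prev_t = t
        else:
            close()
    close()
    return bursts


def matches_reported_profile(burst, min_s=10, max_s=30, min_gbps=100.0):
    """True if the burst fits the short-but-intense profile the article attributes to this botnet."""
    return min_s <= burst.duration <= max_s and burst.peak_gbps >= min_gbps


def constructed_series():
    # Constructed 120-second series: ~2 Gbps baseline, a 20-second flood at 120 Gbps
    # peaking at 140 Gbps, and a lone one-second 80 Gbps spike that should not count.
    series = []
    for t in range(120):
        rate = 2.0
        if 40 <= t < 60:
            rate = 140.0 if t == 50 else 120.0
        elif t == 90:
            rate = 80.0
        series.append((t, rate))
    return series


if __name__ == "__main__":
    for b in find_bursts(constructed_series()):
        tag = "matches reported profile" if matches_reported_profile(b) else "other burst"
        print(f"t={b.start}s for {b.duration}s, peak {b.peak_gbps} Gbps -> {tag}")
```

The `min_duration` floor filters single-sample spikes that are usually measurement noise; lowering it to 1 makes the detector report the isolated spike as well, which is useful when tuning against your own baseline before deciding on thresholds.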

Vulnerable Devices

The botnet targets a range of devices, including:

  • ASUS routers (via N-day exploits)
  • Huawei routers (via CVE-2017-17215)
  • Neterbit routers (using custom exploits)
  • LB-Link routers (via CVE-2023-26801)
  • Four-Faith industrial routers (exploiting the zero-day vulnerability CVE-2024-12856)
  • PTZ cameras (via CVE-2024-8956 and CVE-2024-8957)
  • Kguard DVRs
  • Lilin DVRs (via remote code execution exploits)
  • Generic DVRs (using exploits like TVT editBlackAndWhiteList RCE)
  • Vimar smart home devices (presumably exploiting an unknown vulnerability)
  • Various 5G/LTE devices (likely due to misconfigurations or weak credentials)

As the Gayfemboy botnet continues to evolve, it underscores the critical need for organizations to secure their devices and networks against such sophisticated threats.
