- Three new campaigns containing around 11 exploits have been detected.
- The campaigns are using new DDoS attack techniques.

Security researchers have uncovered three new campaigns built on the publicly available source code of the Mirai and Gafgyt malware families. Malware samples used by these campaigns incorporate multiple exploits; in some cases, a single sample was found to contain 11 exploits.
The campaigns also support several new DDoS attack methods that have not previously been used by any Mirai variant. The first campaign leveraged Omnibot, a Mirai variant, while the second campaign leveraged Okane.
Unlike the malware samples used by the Omnibot campaign, Okane malware samples performed a credential brute-force attack. Meanwhile, the third campaign leveraged Hakai, which is built on the source code of Gafgyt, a family also known as Bashlite, Lizkebab, Torlus or LizardStresser.
According to security researchers at Palo Alto Networks, who discovered the new campaigns, the Gafgyt botnet has been upgraded with new Layer-7 DDoS attacks targeting specific DDoS protection service vendors.
“The evolution of these botnets to the use of multiple exploits, be it IoT Reaper or the campaigns discussed here, shows how attackers can build enormous botnets consisting of different types of devices, all responding to the same C2 server,” the researchers said in a blog.
“This is exacerbated by the speed of exploitation in the wild of newly released vulnerabilities and also highlights the need for security vendor reactivity in response to these disclosures, applicable to the subset of these devices that do fall under the protection of security devices.”