elf.bashlite

Bashlite

aka: gayfgt, Gafgyt, qbot, torlus, lizkebab

Bashlite is a malware family that infects Linux systems, including embedded and IoT devices, and enrols them in botnets used to launch distributed denial-of-service (DDoS) attacks. Early on it was also known as Bashdoor, but that name now refers to the bash exploit (Shellshock) the first versions used to spread rather than to the malware itself. Bashlite botnets have been used to launch attacks of up to 400 Gbps.

References
2022-11-02 | Nozomi Networks Labs | Nozomi Networks Labs
    Could Threat Actors Be Downgrading Their Malware to Evade Detection?
    Families: Bashlite
2022-05-20 | Palo Alto Networks Unit 42 | Ruchna Nigam
    Threat Brief: VMware Vulnerabilities Exploited in the Wild (CVE-2022-22954 and Others)
    Families: Bashlite, Mirai, PerlBot
2022-04-19 | 360 Netlab | 360 Netlab
    Public Cloud Cybersecurity Threat Intelligence (202203)
    Families: Bashlite, Tsunami, Mirai
2022-02-25 | 360 Netlab | Ghost
    Some details of the DDoS attacks targeting Ukraine and Russia in recent days
    Families: Bashlite, Mirai, MooBot, PerlBot
2022-02-25 | 360 Netlab | Ghost
    Details of the DDoS attacks we have seen recently against Ukraine and Russia
    Families: Bashlite, Mirai
2021-10-27 | AT&T | Fernando Dominguez
    Code similarity analysis with r2diaphora
    Families: Bashlite
2021-09-07 | CUJO AI | Albert Zsigovits
    Threat Alert: Mirai/Gafgyt Fork with New DDoS Modules Discovered
    Families: Bashlite, Mirai
2021-05-17 | Uptycs | Ashwin Vamshi, Siddartha Sharma
    Discovery of Simps Botnet Leads To Ties to Keksec Group
    Families: Bashlite, Mirai
2021-04-15 | Uptycs | Siddharth Sharma
    Mirai code re-use in Gafgyt
    Families: Bashlite, Mirai
2021-03-21 | BlackBerry | BlackBerry Research
    2021 Threat Report
    Families: Bashlite, FritzFrog, IPStorm, Mirai, Tsunami, elf.wellmess, AppleJeus, Dacls, EvilQuest, Manuscrypt, Astaroth, BazarBackdoor, Cerber, Cobalt Strike, Emotet, FinFisher RAT, Kwampirs, MimiKatz, NjRAT, Ryuk, SmokeLoader, TrickBot
2021-03-04 | 360 Netlab | Jinye
    Gafgtyt_tor and Necro are on the move again
    Families: Bashlite, N3Cr0m0rPh, Keksec
2020-12-07 | Avira | Avira Protection Labs
    A Gafgyt variant that exploits Pulse Secure CVE-2020-8218
    Families: Bashlite
2020-07-06 | 360 Netlab | Ya Liu
    The Gafgyt variant vbot seen in its 31 campaigns
    Families: Bashlite
2020-05-14 | Palo Alto Networks Unit 42 | Ruchna Nigam
    Mirai and Hoaxcalls Botnets Target Legacy Symantec Web Gateways
    Families: Bashlite, Mirai
2020-04-03 | Palo Alto Networks Unit 42 | Haozhe Zhang, Ken Hsu, Ruchna Nigam, Zhibin Zhang
    Grandstream and DrayTek Devices Exploited to Power New Hoaxcalls DDoS Botnet
    Families: Bashlite
2019-10-14 | Max Kersten's Blog | Max Kersten
    Corona DDoS bot
    Families: Bashlite
2018-09-09 | Palo Alto Networks Unit 42 | Ruchna Nigam
    Multi-exploit IoT/Linux Botnets Mirai and Gafgyt Target Apache Struts, SonicWall
    Families: Bashlite, Mirai
2016-09-21 | KrebsOnSecurity | Brian Krebs
    KrebsOnSecurity Hit With Record DDoS
    Families: Bashlite
2015-09-01 | Virus Bulletin | Jaromír Hořejší, Peter Kálnai
    DDoS Trojan: A Malicious Concept That Conquered the ELF Format
    Families: Bashlite, MrBlack, XOR DDoS, BillGates
2014-11-13 | Trend Micro | Rhena Inocencio
    BASHLITE Affects Devices Running on BusyBox
    Families: Bashlite
Yara Rules
[TLP:WHITE] elf_bashlite_auto (20230808 | Detects elf.bashlite.)
rule elf_bashlite_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects elf.bashlite."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/elf.bashlite"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    /* The comments next to each byte sequence decode it as 32-bit x86
     * (push ebp / leave / ret, ebp-relative locals). Consequences for use:
     *   - only i386 builds of Bashlite can match; ARM/MIPS builds of the
     *     same source will not.
     *   - $sequence_0, _4 and _5 look like libc error paths (call, then
     *     store an errno value such as 0x16 = EINVAL or 0x1c = ENOSPC into
     *     [eax]) and $sequence_2 compares a loaded value with 0x73
     *     (EINPROGRESS). Such code comes from the statically linked libc,
     *     not from the bot logic, so treat a hit as a lead to confirm, not
     *     as proof of family.
     */

    strings:
        $sequence_0 = { eb19 e8???????? c70016000000 e8???????? c70016000000 }
            // n = 5, score = 300
            //   eb19                 | jmp                 short +0x19
            //   e8????????           | call                <rel32 wildcarded>
            //   c70016000000         | mov                 dword ptr [eax], 0x16
            //   e8????????           | call                <rel32 wildcarded>
            //   c70016000000         | mov                 dword ptr [eax], 0x16

        $sequence_1 = { 21d0 3345fc c9 c3 55 }
            // n = 5, score = 300
            //   21d0                 | and                 eax, edx
            //   3345fc               | xor                 eax, dword ptr [ebp - 4]
            //   c9                   | leave
            //   c3                   | ret
            //   55                   | push                ebp

        $sequence_2 = { 750c e8???????? 8b00 83f873 }
            // n = 4, score = 300
            //   750c                 | jne                 short +0xc
            //   e8????????           | call                <rel32 wildcarded>
            //   8b00                 | mov                 eax, dword ptr [eax]
            //   83f873               | cmp                 eax, 0x73

        $sequence_3 = { 8b85ecefffff c9 c3 55 }
            // n = 4, score = 300
            //   8b85ecefffff         | mov                 eax, dword ptr [ebp - 0x1014]
            //   c9                   | leave
            //   c3                   | ret
            //   55                   | push                ebp

        $sequence_4 = { 760f e8???????? c7001c000000 31c0 }
            // n = 4, score = 300
            //   760f                 | jbe                 short +0xf
            //   e8????????           | call                <rel32 wildcarded>
            //   c7001c000000         | mov                 dword ptr [eax], 0x1c
            //   31c0                 | xor                 eax, eax

        $sequence_5 = { 31c0 eb19 e8???????? c70016000000 }
            // n = 4, score = 300
            //   31c0                 | xor                 eax, eax
            //   eb19                 | jmp                 short +0x19
            //   e8????????           | call                <rel32 wildcarded>
            //   c70016000000         | mov                 dword ptr [eax], 0x16

        $sequence_6 = { e8???????? 89c2 89d0 c1e81f 01d0 d1f8 }
            // n = 6, score = 300
            //   e8????????           | call                <rel32 wildcarded>
            //   89c2                 | mov                 edx, eax
            //   89d0                 | mov                 eax, edx
            //   c1e81f               | shr                 eax, 0x1f
            //   01d0                 | add                 eax, edx
            //   d1f8                 | sar                 eax, 1          ; signed division by 2

        $sequence_7 = { 85c0 750c c785ecefffff01000000 eb0a c785ecefffff00000000 }
            // n = 5, score = 300
            //   85c0                 | test                eax, eax
            //   750c                 | jne                 short +0xc
            //   c785ecefffff01000000     | mov    dword ptr [ebp - 0x1014], 1
            //   eb0a                 | jmp                 short +0xa
            //   c785ecefffff00000000     | mov    dword ptr [ebp - 0x1014], 0

        $sequence_8 = { 85c0 750c c785ecefffff01000000 eb0a c785ecefffff00000000 8b85ecefffff }
            // n = 6, score = 300
            //   85c0                 | test                eax, eax
            //   750c                 | jne                 short +0xc
            //   c785ecefffff01000000     | mov    dword ptr [ebp - 0x1014], 1
            //   eb0a                 | jmp                 short +0xa
            //   c785ecefffff00000000     | mov    dword ptr [ebp - 0x1014], 0
            //   8b85ecefffff         | mov                 eax, dword ptr [ebp - 0x1014]

        $sequence_9 = { c785ecefffff01000000 eb0a c785ecefffff00000000 8b85ecefffff c9 c3 }
            // n = 6, score = 300
            //   c785ecefffff01000000     | mov    dword ptr [ebp - 0x1014], 1
            //   eb0a                 | jmp                 short +0xa
            //   c785ecefffff00000000     | mov    dword ptr [ebp - 0x1014], 0
            //   8b85ecefffff         | mov                 eax, dword ptr [ebp - 0x1014]
            //   c9                   | leave
            //   c3                   | ret

    condition:
        7 of them and filesize < 2310144
}
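To see how the rule above actually evaluates, the following added example (not Malpedia's or yara-signator's code) re-implements its string matching and condition in plain Python: each hex string becomes a bytes regex in which `??` matches any one byte, and the condition "7 of them and filesize < 2310144" is applied to the set of strings that hit. The byte buffers it scans are constructed here purely to exercise the rule; they are not Bashlite samples. The function and variable names are this example's own.

```python
import re
from typing import Dict, List

# Hex strings copied from the elf_bashlite_auto rule above. "??" marks a fully
# wildcarded byte (here: the rel32 operands of call instructions).
RULE_STRINGS = {
    "sequence_0": "eb19 e8???????? c70016000000 e8???????? c70016000000",
    "sequence_1": "21d0 3345fc c9 c3 55",
    "sequence_2": "750c e8???????? 8b00 83f873",
    "sequence_3": "8b85ecefffff c9 c3 55",
    "sequence_4": "760f e8???????? c7001c000000 31c0",
    "sequence_5": "31c0 eb19 e8???????? c70016000000",
    "sequence_6": "e8???????? 89c2 89d0 c1e81f 01d0 d1f8",
    "sequence_7": "85c0 750c c785ecefffff01000000 eb0a c785ecefffff00000000",
    "sequence_8": "85c0 750c c785ecefffff01000000 eb0a c785ecefffff00000000 8b85ecefffff",
    "sequence_9": "c785ecefffff01000000 eb0a c785ecefffff00000000 8b85ecefffff c9 c3",
}
MIN_MATCHES = 7          # "7 of them"
MAX_FILESIZE = 2310144   # "filesize < 2310144"


def hex_string_to_regex(hex_string: str) -> re.Pattern:
    """Translate a YARA hex string with ?? byte wildcards into a bytes regex.
    Nibble wildcards (3?) and jumps ([4-6]) are not used by this rule, so
    they are rejected rather than silently mis-parsed."""
    compact = hex_string.replace(" ", "")
    if len(compact) % 2:
        raise ValueError("hex string has an odd number of nibbles")
    pieces = []
    for i in range(0, len(compact), 2):
        pair = compact[i:i + 2]
        if pair == "??":
            pieces.append(b".")                     # any single byte
        elif "?" in pair or "[" in pair:
            raise ValueError(f"unsupported YARA hex syntax: {pair}")
        else:
            pieces.append(re.escape(bytes.fromhex(pair)))
    return re.compile(b"".join(pieces), re.DOTALL)  # DOTALL: "." must match 0x0a too


def scan(data: bytes) -> Dict[str, List[int]]:
    """Return {string_name: [offsets]} for every rule string present in data."""
    hits = {}
    for name, hex_string in RULE_STRINGS.items():
        offsets = [m.start() for m in hex_string_to_regex(hex_string).finditer(data)]
        if offsets:
            hits[name] = offsets
    return hits


def rule_matches(data: bytes) -> bool:
    """Evaluate the rule condition: 7 of them and filesize < 2310144."""
    return len(data) < MAX_FILESIZE and len(scan(data)) >= MIN_MATCHES


def constructed_sample(with_sequence_6: bool = True) -> bytes:
    """Constructed test buffer (not a real Bashlite sample) embedding the rule's
    byte sequences. The call rel32 operands are arbitrary so the ?? wildcards
    have something to match. With with_sequence_6=False only six strings hit."""
    call = b"\xe8\x11\x22\x33\x44"
    pad = b"\x00" * 64
    # jbe; call; mov [eax],0x1c; xor eax,eax; jmp; call; mov [eax],0x16
    #   -> $sequence_4 and $sequence_5 (they overlap on the xor eax,eax)
    errno_paths = (b"\x76\x0f" + call + b"\xc7\x00\x1c\x00\x00\x00"
                   + b"\x31\xc0\xeb\x19" + call + b"\xc7\x00\x16\x00\x00\x00")
    # test eax,eax; jne; mov [ebp-0x1014],1; jmp; mov [ebp-0x1014],0;
    # mov eax,[ebp-0x1014]; leave; ret; push ebp
    #   -> $sequence_3, $sequence_7, $sequence_8 and $sequence_9 (nested prefixes)
    flag_epilogue = (b"\x85\xc0\x75\x0c"
                     + b"\xc7\x85\xec\xef\xff\xff\x01\x00\x00\x00" + b"\xeb\x0a"
                     + b"\xc7\x85\xec\xef\xff\xff\x00\x00\x00\x00"
                     + b"\x8b\x85\xec\xef\xff\xff" + b"\xc9\xc3\x55")
    # call; mov edx,eax; mov eax,edx; shr eax,31; add eax,edx; sar eax,1 -> $sequence_6
    signed_halve = call + b"\x89\xc2\x89\xd0\xc1\xe8\x1f\x01\xd0\xd1\xf8"
    parts = [pad, errno_paths, pad, flag_epilogue, pad]
    if with_sequence_6:
        parts += [signed_halve, pad]
    return b"".join(parts)


if __name__ == "__main__":
    for label, buf in (("7 strings", constructed_sample(True)),
                       ("6 strings", constructed_sample(False))):
        hits = scan(buf)
        print(f"{label}: {len(hits)} strings hit, rule matches = {rule_matches(buf)}")
        for name, offsets in sorted(hits.items()):
            print(f"  ${name} at {[hex(o) for o in offsets]}")
```

Two things the run makes visible that the rule text alone does not: a single short code region can satisfy four of the ten strings at once ($sequence_7, _8 and _9 are nested prefixes of each other, and $sequence_3 overlaps the same epilogue), so the "7 of them" threshold is less demanding than it looks; and the `filesize` guard is evaluated on the whole buffer, so a padded or appended file drops out of the match even when every string hits. Against real files, run the rule itself (`yara -s elf_bashlite_auto.yar <file>` prints which `$sequence_N` strings hit) and weigh a match by which sequences fired rather than by the count alone.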