elf.bashlite

Bashlite

aka: gayfgt, Gafgyt, qbot, torlus, lizkebab

Bashlite is a malware family that infects Linux systems in order to launch distributed denial-of-service (DDoS) attacks. Originally it was also known under the name Bashdoor, but that term now refers to the exploit method used by the malware. It has been used to launch attacks of up to 400 Gbps.

References
2022-11-02 | NOZOMI Network Labs | Nozomi Networks Labs
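@comment{Corporate author wrapped in a second pair of braces so name parsing keeps it as one unit instead of splitting it into given/family parts.}
@online{labs:20221102:could:b265e1e,
  author       = {{Nozomi Networks Labs}},
  title        = {{Could Threat Actors Be Downgrading Their Malware to Evade Detection?}},
  date         = {2022-11-02},
  organization = {NOZOMI Network Labs},
  url          = {https://www.nozominetworks.com/blog/could-threat-actors-be-downgrading-their-malware-to-evade-detection/},
  language     = {English},
  urldate      = {2022-11-03},
}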
Bashlite
2022-05-20 | Palo Alto Networks Unit 42 | Ruchna Nigam
@online{nigam:20220520:threat:b0d781e,
  author       = {Ruchna Nigam},
  title        = {{Threat Brief: VMware Vulnerabilities Exploited in the Wild (CVE-2022-22954 and Others)}},
  date         = {2022-05-20},
  organization = {Palo Alto Networks Unit 42},
  url          = {https://unit42.paloaltonetworks.com/cve-2022-22954-vmware-vulnerabilities/},
  language     = {English},
  urldate      = {2023-08-28},
}
Bashlite Mirai PerlBot
2022-04-19 | 360 | 360 Netlab
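@comment{Corporate author wrapped in a second pair of braces so name parsing keeps it as one unit instead of splitting it into given/family parts.}
@online{netlab:20220419:public:0ce406b,
  author       = {{360 Netlab}},
  title        = {{Public Cloud Cybersecurity Threat Intelligence (202203)}},
  date         = {2022-04-19},
  organization = {360},
  url          = {https://blog.netlab.360.com/public-cloud-threat-intelligence-202203/},
  language     = {English},
  urldate      = {2022-04-25},
}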
Bashlite Tsunami Mirai
2022-02-25 | 360 netlab | Ghost
@online{ghost:20220225:details:66e35e3,
  author       = {Ghost},
  title        = {{Details of the DDoS attacks we have seen recently against Ukraine and Russia}},
  date         = {2022-02-25},
  organization = {360 netlab},
  url          = {https://blog.netlab.360.com/wo-men-kan-dao-de-wu-ke-lan-bei-ddosgong-ji-xi-jie/},
  language     = {Chinese},
  urldate      = {2022-03-01},
}
Bashlite Mirai Mirai
2022-02-25 | 360 netlab | Ghost
@online{ghost:20220225:some:268b2df,
  author       = {Ghost},
  title        = {{Some details of the DDoS attacks targeting Ukraine and Russia in recent days}},
  date         = {2022-02-25},
  organization = {360 netlab},
  url          = {https://blog.netlab.360.com/some_details_of_the_ddos_attacks_targeting_ukraine_and_russia_in_recent_days/},
  language     = {English},
  urldate      = {2022-03-02},
}
Bashlite Mirai MooBot PerlBot
2021-10-27 | AT&T | Fernando Dominguez
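@comment{Ampersand in the organization name is escaped with a backslash so LaTeX does not read it as an alignment tab when the entry is typeset.}
@online{dominguez:20211027:code:2d1f1be,
  author       = {Fernando Dominguez},
  title        = {{Code similarity analysis with r2diaphora}},
  date         = {2021-10-27},
  organization = {AT\&T},
  url          = {https://cybersecurity.att.com/blogs/labs-research/code-similarity-analysis-with-r2diaphora},
  language     = {English},
  urldate      = {2021-11-03},
}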
Bashlite
2021-09-07 | CUJOAI | Albert Zsigovits
@online{zsigovits:20210907:threat:cabca94,
  author       = {Albert Zsigovits},
  title        = {{Threat Alert: Mirai/Gafgyt Fork with New DDoS Modules Discovered}},
  date         = {2021-09-07},
  organization = {CUJOAI},
  url          = {https://cujo.com/mirai-gafgyt-with-new-ddos-modules-discovered/},
  language     = {English},
  urldate      = {2021-09-10},
}
Bashlite Mirai
2021-05-17 | Uptycs | Siddartha Sharma, Ashwin Vamshi
@online{sharma:20210517:discovery:1cd5315,
  author       = {Siddartha Sharma and Ashwin Vamshi},
  title        = {{Discovery of Simps Botnet Leads To Ties to Keksec Group}},
  date         = {2021-05-17},
  organization = {Uptycs},
  url          = {https://www.uptycs.com/blog/discovery-of-simps-botnet-leads-ties-to-keksec-group},
  language     = {English},
  urldate      = {2021-05-25},
}
Bashlite Mirai
2021-04-15 | Uptycs | Siddharth Sharma
@online{sharma:20210415:mirai:9db8c55,
  author       = {Siddharth Sharma},
  title        = {{Mirai code re-use in Gafgyt}},
  date         = {2021-04-15},
  organization = {Uptycs},
  url          = {https://www.uptycs.com/blog/mirai-code-re-use-in-gafgyt},
  language     = {English},
  urldate      = {2021-04-19},
}
Bashlite Mirai
2021-03-21 | Blackberry | Blackberry Research
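@comment{Corporate author wrapped in a second pair of braces so name parsing keeps it as one unit instead of splitting it into given/family parts.}
@techreport{research:20210321:2021:a393473,
  author      = {{Blackberry Research}},
  title       = {{2021 Threat Report}},
  date        = {2021-03-21},
  institution = {Blackberry},
  url         = {https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf},
  language    = {English},
  urldate     = {2021-03-25},
}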
Bashlite FritzFrog IPStorm Mirai Tsunami elf.wellmess AppleJeus Dacls EvilQuest Manuscrypt Astaroth BazarBackdoor Cerber Cobalt Strike Emotet FinFisher RAT Kwampirs MimiKatz NjRAT Ryuk SmokeLoader TrickBot
2021-03-04 | 360 netlab | Jinye
@online{jinye:20210304:gafgtyttor:ba71f67,
  author       = {Jinye},
  title        = {{Gafgtyt_tor and Necro are on the move again}},
  date         = {2021-03-04},
  organization = {360 netlab},
  url          = {https://blog.netlab.360.com/gafgtyt_tor-and-necro-are-on-the-move-again/},
  language     = {English},
  urldate      = {2021-03-06},
}
Bashlite N3Cr0m0rPh
2020-12-07 | Avira | Avira Protection Labs
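@comment{Corporate author wrapped in a second pair of braces so name parsing keeps it as one unit instead of splitting it into given/family parts.}
@online{labs:20201207:gafgyt:62e7155,
  author       = {{Avira Protection Labs}},
  title        = {{A Gafgyt variant that exploits Pulse Secure CVE-2020-8218}},
  date         = {2020-12-07},
  organization = {Avira},
  url          = {https://www.avira.com/en/blog/a-gafgyt-variant-that-exploits-pulse-secure-cve-2020-8218},
  language     = {English},
  urldate      = {2020-12-09},
}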
Bashlite
2020-07-06 | 360 netlab | Ya Liu
@online{liu:20200706:gafgyt:9fb2ccc,
  author       = {Ya Liu},
  title        = {{The Gafgyt variant vbot seen in its 31 campaigns}},
  date         = {2020-07-06},
  organization = {360 netlab},
  url          = {https://blog.netlab.360.com/the-gafgyt-variant-vbot-and-its-31-campaigns/},
  language     = {English},
  urldate      = {2020-07-06},
}
Bashlite
2020-05-14 | paloalto Networks Unit 42 | Ruchna Nigam
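@comment{Organization spelling normalized to the form used by the other Unit 42 entries in this file so the venue sorts and renders consistently.}
@online{nigam:20200514:mirai:65d9d83,
  author       = {Ruchna Nigam},
  title        = {{Mirai and Hoaxcalls Botnets Target Legacy Symantec Web Gateways}},
  date         = {2020-05-14},
  organization = {Palo Alto Networks Unit 42},
  url          = {https://unit42.paloaltonetworks.com/hoaxcalls-mirai-target-legacy-symantec-web-gateways/},
  language     = {English},
  urldate      = {2020-05-18},
}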
Bashlite Mirai
2020-04-03 | Palo Alto Networks Unit 42 | Ken Hsu, Haozhe Zhang, Zhibin Zhang, Ruchna Nigam
@online{hsu:20200403:grandstream:9d7d8a0,
  author       = {Ken Hsu and Haozhe Zhang and Zhibin Zhang and Ruchna Nigam},
  title        = {{Grandstream and DrayTek Devices Exploited to Power New Hoaxcalls DDoS Botnet}},
  date         = {2020-04-03},
  organization = {Palo Alto Networks Unit 42},
  url          = {https://unit42.paloaltonetworks.com/new-hoaxcalls-ddos-botnet/},
  language     = {English},
  urldate      = {2023-08-28},
}
Bashlite
2019-10-14 | Max Kersten's Blog | Max Kersten
@online{kersten:20191014:corona:60d807b,
  author       = {Max Kersten},
  title        = {{Corona DDoS bot}},
  date         = {2019-10-14},
  organization = {Max Kersten's Blog},
  url          = {https://maxkersten.nl/binary-analysis-course/malware-analysis/corona-ddos-bot/},
  language     = {English},
  urldate      = {2021-11-03},
}
Bashlite
2018-09-09 | Palo Alto Networks Unit 42 | Ruchna Nigam
@online{nigam:20180909:multiexploit:c3960d3,
  author       = {Ruchna Nigam},
  title        = {{Multi-exploit IoT/Linux Botnets Mirai and Gafgyt Target Apache Struts, SonicWall}},
  date         = {2018-09-09},
  organization = {Palo Alto Networks Unit 42},
  url          = {https://unit42.paloaltonetworks.com/unit42-multi-exploit-iotlinux-botnets-mirai-gafgyt-target-apache-struts-sonicwall/},
  language     = {English},
  urldate      = {2023-08-28},
}
Bashlite Mirai
2016-09-21 | Brian Krebs
@online{krebs:20160921:krebsonsecurity:259c3cd,
  author   = {Brian Krebs},
  title    = {{KrebsOnSecurity Hit With Record DDoS}},
  date     = {2016-09-21},
  url      = {https://krebsonsecurity.com/2016/09/krebsonsecurity-hit-with-record-ddos/},
  language = {English},
  urldate  = {2019-12-18},
}
Bashlite
2015-09 | Virus Bulletin | Peter Kálnai, Jaromír Hořejší
@techreport{klnai:201509:ddos:21c35c6,
  author      = {Peter Kálnai and Jaromír Hořejší},
  title       = {{DDOS TROJAN: A MALICIOUS CONCEPT THAT CONQUERED THE ELF FORMAT}},
  date        = {2015-09},
  institution = {Virus Bulletin},
  url         = {https://www.virusbulletin.com/uploads/pdf/conference/vb2015/KalnaiHorejsi-VB2015.pdf},
  language    = {English},
  urldate     = {2023-08-31},
}
Bashlite MrBlack XOR DDoS BillGates
2014-11-13 | Trend Micro | Rhena Inocencio
@online{inocencio:20141113:bashlite:647137b,
  author       = {Rhena Inocencio},
  title        = {{BASHLITE Affects Devices Running on BusyBox}},
  date         = {2014-11-13},
  organization = {Trend Micro},
  url          = {http://blog.trendmicro.com/trendlabs-security-intelligence/bashlite-affects-devices-running-on-busybox/},
  language     = {English},
  urldate      = {2019-07-10},
}
Bashlite
Yara Rules
[TLP:WHITE] elf_bashlite_auto (20230715 | Detects elf.bashlite.)
/*
 * YARA-Signator rule for the elf.bashlite family (shared as TLP:WHITE).
 * Each $sequence_N holds a short run of machine-code bytes selected from
 * the disassembly of memory dumps and unpacked files (see the disclaimer
 * below); the annotated mnemonics under each string use 32-bit x86
 * registers (eax, edx, ebp). The "??" bytes that follow an e8 (call)
 * opcode wildcard its 4-byte relative target, so the fragments are not
 * tied to one binary layout. The condition requires 7 of the 8 fragments
 * in a file smaller than 2310144 bytes.
 */
rule elf_bashlite_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects elf.bashlite."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/elf.bashlite"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // function epilogue: not/and/xor against a stack local, then leave + ret
        $sequence_0 = { f7d0 21d0 3345fc c9 c3 }
            // n = 5, score = 300
            //   f7d0                 | not                 eax
            //   21d0                 | and                 eax, edx
            //   3345fc               | xor                 eax, dword ptr [ebp - 4]
            //   c9                   | leave               
            //   c3                   | ret                 

        // store eax at [ebp-0x14], test it for zero, then reload it
        $sequence_1 = { 8945ec 837dec00 750b 8b45ec }
            // n = 4, score = 300
            //   8945ec               | mov                 dword ptr [ebp - 0x14], eax
            //   837dec00             | cmp                 dword ptr [ebp - 0x14], 0
            //   750b                 | jne                 0xd
            //   8b45ec               | mov                 eax, dword ptr [ebp - 0x14]

        // call, shuffle the result through edx, then shr by 31 (keeps only the top bit)
        $sequence_2 = { e8???????? 89c2 89d0 c1e81f }
            // n = 4, score = 300
            //   e8????????           |                     
            //   89c2                 | mov                 edx, eax
            //   89d0                 | mov                 eax, edx
            //   c1e81f               | shr                 eax, 0x1f

        // jbe over a call that stores 0x1c through eax, then zero eax
        $sequence_3 = { 760f e8???????? c7001c000000 31c0 }
            // n = 4, score = 300
            //   760f                 | jbe                 0x11
            //   e8????????           |                     
            //   c7001c000000         | mov                 dword ptr [eax], 0x1c
            //   31c0                 | xor                 eax, eax

        // two call-then-store pairs, each writing 0x16 through eax
        $sequence_4 = { eb19 e8???????? c70016000000 e8???????? c70016000000 }
            // n = 5, score = 300
            //   eb19                 | jmp                 0x1b
            //   e8????????           |                     
            //   c70016000000         | mov                 dword ptr [eax], 0x16
            //   e8????????           |                     
            //   c70016000000         | mov                 dword ptr [eax], 0x16

        // zero the local at [ebp-0x1014] and reload it before leave
        // (pairs with $sequence_7, which sets the same local to 1)
        $sequence_5 = { eb0a c785ecefffff00000000 8b85ecefffff c9 }
            // n = 4, score = 300
            //   eb0a                 | jmp                 0xc
            //   c785ecefffff00000000     | mov    dword ptr [ebp - 0x1014], 0
            //   8b85ecefffff         | mov                 eax, dword ptr [ebp - 0x1014]
            //   c9                   | leave               

        // after a call, load a dword through eax and compare it with 0x73
        $sequence_6 = { 750c e8???????? 8b00 83f873 }
            // n = 4, score = 300
            //   750c                 | jne                 0xe
            //   e8????????           |                     
            //   8b00                 | mov                 eax, dword ptr [eax]
            //   83f873               | cmp                 eax, 0x73

        // test eax; when non-zero set [ebp-0x1014] = 1, then jmp
        $sequence_7 = { 85c0 750c c785ecefffff01000000 eb0a }
            // n = 4, score = 300
            //   85c0                 | test                eax, eax
            //   750c                 | jne                 0xe
            //   c785ecefffff01000000     | mov    dword ptr [ebp - 0x1014], 1
            //   eb0a                 | jmp                 0xc

    condition:
        // "them" covers all eight $sequence_* strings; 7 of 8 tolerates one
        // missing fragment. The size bound limits the rule to small binaries.
        7 of them and filesize < 2310144
}