elf.bashlite

Bashlite

aka: gayfgt, Gafgyt, qbot, torlus, lizkebab

Bashlite is a malware family that infects Linux systems in order to launch distributed denial-of-service (DDoS) attacks. Originally it was also known under the name Bashdoor, but that term now refers to the exploit method used by the malware. It has been used to launch attacks of up to 400 Gbps.

References
2022-11-02 | NOZOMI Network Labs | Nozomi Networks Labs
@online{labs:20221102:could:b265e1e, author = {Nozomi Networks Labs}, title = {{Could Threat Actors Be Downgrading Their Malware to Evade Detection?}}, date = {2022-11-02}, organization = {NOZOMI Network Labs}, url = {https://www.nozominetworks.com/blog/could-threat-actors-be-downgrading-their-malware-to-evade-detection/}, language = {English}, urldate = {2022-11-03} } Could Threat Actors Be Downgrading Their Malware to Evade Detection?
Bashlite
2022-04-19 | 360 | 360 Netlab
@online{netlab:20220419:public:0ce406b, author = {360 Netlab}, title = {{Public Cloud Cybersecurity Threat Intelligence (202203)}}, date = {2022-04-19}, organization = {360}, url = {https://blog.netlab.360.com/public-cloud-threat-intelligence-202203/}, language = {English}, urldate = {2022-04-25} } Public Cloud Cybersecurity Threat Intelligence (202203)
Bashlite Tsunami Mirai
2022-02-25 | 360 netlab | Ghost
@online{ghost:20220225:details:66e35e3, author = {Ghost}, title = {{Details of the DDoS attacks we have seen recently against Ukraine and Russia}}, date = {2022-02-25}, organization = {360 netlab}, url = {https://blog.netlab.360.com/wo-men-kan-dao-de-wu-ke-lan-bei-ddosgong-ji-xi-jie/}, language = {Chinese}, urldate = {2022-03-01} } Details of the DDoS attacks we have seen recently against Ukraine and Russia
Bashlite Mirai Mirai
2022-02-25 | 360 netlab | Ghost
@online{ghost:20220225:some:268b2df, author = {Ghost}, title = {{Some details of the DDoS attacks targeting Ukraine and Russia in recent days}}, date = {2022-02-25}, organization = {360 netlab}, url = {https://blog.netlab.360.com/some_details_of_the_ddos_attacks_targeting_ukraine_and_russia_in_recent_days/}, language = {English}, urldate = {2022-03-02} } Some details of the DDoS attacks targeting Ukraine and Russia in recent days
Bashlite Mirai MooBot PerlBot
2021-10-27 | AT&T | Fernando Dominguez
@online{dominguez:20211027:code:2d1f1be, author = {Fernando Dominguez}, title = {{Code similarity analysis with r2diaphora}}, date = {2021-10-27}, organization = {AT&T}, url = {https://cybersecurity.att.com/blogs/labs-research/code-similarity-analysis-with-r2diaphora}, language = {English}, urldate = {2021-11-03} } Code similarity analysis with r2diaphora
Bashlite
2021-09-07 | CUJOAI | Albert Zsigovits
@online{zsigovits:20210907:threat:cabca94, author = {Albert Zsigovits}, title = {{Threat Alert: Mirai/Gafgyt Fork with New DDoS Modules Discovered}}, date = {2021-09-07}, organization = {CUJOAI}, url = {https://cujo.com/mirai-gafgyt-with-new-ddos-modules-discovered/}, language = {English}, urldate = {2021-09-10} } Threat Alert: Mirai/Gafgyt Fork with New DDoS Modules Discovered
Bashlite Mirai
2021-05-17 | Uptycs | Siddartha Sharma, Ashwin Vamshi
@online{sharma:20210517:discovery:1cd5315, author = {Siddartha Sharma and Ashwin Vamshi}, title = {{Discovery of Simps Botnet Leads To Ties to Keksec Group}}, date = {2021-05-17}, organization = {Uptycs}, url = {https://www.uptycs.com/blog/discovery-of-simps-botnet-leads-ties-to-keksec-group}, language = {English}, urldate = {2021-05-25} } Discovery of Simps Botnet Leads To Ties to Keksec Group
Bashlite Mirai
2021-04-15 | Uptycs | Siddharth Sharma
@online{sharma:20210415:mirai:9db8c55, author = {Siddharth Sharma}, title = {{Mirai code re-use in Gafgyt}}, date = {2021-04-15}, organization = {Uptycs}, url = {https://www.uptycs.com/blog/mirai-code-re-use-in-gafgyt}, language = {English}, urldate = {2021-04-19} } Mirai code re-use in Gafgyt
Bashlite Mirai
2021-03-21 | Blackberry | Blackberry Research
@techreport{research:20210321:2021:a393473, author = {Blackberry Research}, title = {{2021 Threat Report}}, date = {2021-03-21}, institution = {Blackberry}, url = {https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf}, language = {English}, urldate = {2021-03-25} } 2021 Threat Report
Bashlite FritzFrog IPStorm Mirai Tsunami elf.wellmess AppleJeus Dacls EvilQuest Manuscrypt Astaroth BazarBackdoor Cerber Cobalt Strike Emotet FinFisher RAT Kwampirs MimiKatz NjRAT Ryuk SmokeLoader TrickBot
2021-03-04 | 360 netlab | Jinye
@online{jinye:20210304:gafgtyttor:ba71f67, author = {Jinye}, title = {{Gafgtyt_tor and Necro are on the move again}}, date = {2021-03-04}, organization = {360 netlab}, url = {https://blog.netlab.360.com/gafgtyt_tor-and-necro-are-on-the-move-again/}, language = {English}, urldate = {2021-03-06} } Gafgtyt_tor and Necro are on the move again
Bashlite N3Cr0m0rPh
2020-12-07 | Avira | Avira Protection Labs
@online{labs:20201207:gafgyt:62e7155, author = {Avira Protection Labs}, title = {{A Gafgyt variant that exploits Pulse Secure CVE-2020-8218}}, date = {2020-12-07}, organization = {Avira}, url = {https://www.avira.com/en/blog/a-gafgyt-variant-that-exploits-pulse-secure-cve-2020-8218}, language = {English}, urldate = {2020-12-09} } A Gafgyt variant that exploits Pulse Secure CVE-2020-8218
Bashlite
2020-07-06 | 360 netlab | Ya Liu
@online{liu:20200706:gafgyt:9fb2ccc, author = {Ya Liu}, title = {{The Gafgyt variant vbot seen in its 31 campaigns}}, date = {2020-07-06}, organization = {360 netlab}, url = {https://blog.netlab.360.com/the-gafgyt-variant-vbot-and-its-31-campaigns/}, language = {English}, urldate = {2020-07-06} } The Gafgyt variant vbot seen in its 31 campaigns
Bashlite
2020-05-14 | paloalto Networks Unit 42 | Ruchna Nigam
@online{nigam:20200514:mirai:65d9d83, author = {Ruchna Nigam}, title = {{Mirai and Hoaxcalls Botnets Target Legacy Symantec Web Gateways}}, date = {2020-05-14}, organization = {paloalto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/hoaxcalls-mirai-target-legacy-symantec-web-gateways/}, language = {English}, urldate = {2020-05-18} } Mirai and Hoaxcalls Botnets Target Legacy Symantec Web Gateways
Bashlite Mirai
2019-10-14 | Max Kersten's Blog | Max Kersten
@online{kersten:20191014:corona:60d807b, author = {Max Kersten}, title = {{Corona DDoS bot}}, date = {2019-10-14}, organization = {Max Kersten's Blog}, url = {https://maxkersten.nl/binary-analysis-course/malware-analysis/corona-ddos-bot/}, language = {English}, urldate = {2021-11-03} } Corona DDoS bot
Bashlite Corona DDOS Bot
2016-09-21 | Brian Krebs
@online{krebs:20160921:krebsonsecurity:259c3cd, author = {Brian Krebs}, title = {{KrebsOnSecurity Hit With Record DDoS}}, date = {2016-09-21}, url = {https://krebsonsecurity.com/2016/09/krebsonsecurity-hit-with-record-ddos/}, language = {English}, urldate = {2019-12-18} } KrebsOnSecurity Hit With Record DDoS
Bashlite
2014-11-13 | Trend Micro | Rhena Inocencio
@online{inocencio:20141113:bashlite:647137b, author = {Rhena Inocencio}, title = {{BASHLITE Affects Devices Running on BusyBox}}, date = {2014-11-13}, organization = {Trend Micro}, url = {http://blog.trendmicro.com/trendlabs-security-intelligence/bashlite-affects-devices-running-on-busybox/}, language = {English}, urldate = {2019-07-10} } BASHLITE Affects Devices Running on BusyBox
Bashlite
Yara Rules
[TLP:WHITE] elf_bashlite_auto (20221010 | Detects elf.bashlite.)
rule elf_bashlite_auto {
    // Auto-generated (yara-signator) code-sequence rule for the Bashlite/Gafgyt
    // ELF family. Each $sequence_N is a run of instruction bytes taken from the
    // documented sample(s); the "??" bytes are YARA wildcards covering the
    // rel32 displacement of call instructions. The rule fires when 7 of the
    // 10 sequences are present and the file is smaller than 2310144 bytes.
    //
    // NOTE(review): the per-instruction annotations below were re-derived from
    // the listed hex bytes, decoded as 32-bit x86; the original auto-generated
    // annotations did not correspond to those bytes. Several sequences are
    // generic compiler idioms (signed divide-by-two, "errno = EINVAL" after a
    // call, a return-0/return-1 epilogue), and some are contained in others
    // ($sequence_0 and $sequence_2 inside $sequence_6, $sequence_9 inside
    // $sequence_7), so the effective threshold is lower than "7 of 10"
    // suggests. Validate against a benign statically-linked ELF corpus before
    // assigning a confidence level.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-10-07"
        version = "1"
        description = "Detects elf.bashlite."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/elf.bashlite"
        malpedia_rule_date = "20221007"
        malpedia_hash = "597f9539014e3d0f350c069cd804aa71679486ae"
        malpedia_version = "20221010"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Function epilogue returning 0 from a local at [ebp - 0x1014]
        // (the disp32 0xffffefec is -0x1014). Fully contained in $sequence_6.
        $sequence_0 = { c785ecefffff00000000 8b85ecefffff c9 c3 }
            // n = 4, score = 300
            //   c785ecefffff00000000     | mov    dword ptr [ebp - 0x1014], 0
            //   8b85ecefffff         | mov                 eax, dword ptr [ebp - 0x1014]
            //   c9                   | leave               
            //   c3                   | ret                 

        // Unoptimised arithmetic (sar then add eax,eax); a generic compiler
        // idiom, not family-specific on its own.
        $sequence_1 = { c1f802 89c2 89d0 01c0 }
            // n = 4, score = 300
            //   c1f802               | sar                 eax, 2
            //   89c2                 | mov                 edx, eax
            //   89d0                 | mov                 eax, edx
            //   01c0                 | add                 eax, eax

        // Same epilogue as $sequence_0, preceded by the jmp that skips the
        // 10-byte "mov ..., 0" (jmp +0xa lands on the following mov eax,...).
        // Fully contained in $sequence_6.
        $sequence_2 = { eb0a c785ecefffff00000000 8b85ecefffff c9 }
            // n = 4, score = 300
            //   eb0a                 | jmp                 short +0xa
            //   c785ecefffff00000000     | mov    dword ptr [ebp - 0x1014], 0
            //   8b85ecefffff         | mov                 eax, dword ptr [ebp - 0x1014]
            //   c9                   | leave               

        // Two "call X; mov dword ptr [eax], 0x16" pairs. 0x16 == 22 == EINVAL
        // on Linux, so this is consistent with *__errno_location() = EINVAL —
        // presumably libc-derived error handling rather than bot logic;
        // confirm in the sample.
        $sequence_3 = { eb19 e8???????? c70016000000 e8???????? c70016000000 }
            // n = 5, score = 300
            //   eb19                 | jmp                 short +0x19
            //   e8????????           | call                <rel32>
            //   c70016000000         | mov                 dword ptr [eax], 0x16
            //   e8????????           | call                <rel32>
            //   c70016000000         | mov                 dword ptr [eax], 0x16

        // Same EINVAL error path as $sequence_3, ending in "or eax, -1"
        // (return -1).
        $sequence_4 = { e8???????? c70016000000 e8???????? c70016000000 83c8ff }
            // n = 5, score = 300
            //   e8????????           | call                <rel32>
            //   c70016000000         | mov                 dword ptr [eax], 0x16
            //   e8????????           | call                <rel32>
            //   c70016000000         | mov                 dword ptr [eax], 0x16
            //   83c8ff               | or                  eax, 0xffffffff

        // Likely the first half of the compiler's signed divide-by-two idiom
        // (add the sign bit before shifting); generic, not family-specific.
        $sequence_5 = { 89c2 89d0 c1e81f 01d0 }
            // n = 4, score = 300
            //   89c2                 | mov                 edx, eax
            //   89d0                 | mov                 eax, edx
            //   c1e81f               | shr                 eax, 0x1f
            //   01d0                 | add                 eax, edx

        // Complete "return 1 / return 0" tail of a function with a local at
        // [ebp - 0x1014]; superset of $sequence_0 and $sequence_2.
        $sequence_6 = { c785ecefffff01000000 eb0a c785ecefffff00000000 8b85ecefffff c9 c3 }
            // n = 6, score = 300
            //   c785ecefffff01000000     | mov    dword ptr [ebp - 0x1014], 1
            //   eb0a                 | jmp                 short +0xa (over the next mov)
            //   c785ecefffff00000000     | mov    dword ptr [ebp - 0x1014], 0
            //   8b85ecefffff         | mov                 eax, dword ptr [ebp - 0x1014]
            //   c9                   | leave               
            //   c3                   | ret                 

        // Return-value/errno check: 0x73 == 115 == EINPROGRESS on Linux, so
        // this is consistent with "ret == -1 && errno == EINPROGRESS", the
        // non-blocking connect() idiom — confirm in the sample. Superset of
        // $sequence_9.
        $sequence_7 = { 83f8ff 750c e8???????? 8b00 83f873 }
            // n = 5, score = 300
            //   83f8ff               | cmp                 eax, 0xffffffff
            //   750c                 | jne                 short +0xc
            //   e8????????           | call                <rel32>
            //   8b00                 | mov                 eax, dword ptr [eax]
            //   83f873               | cmp                 eax, 0x73

        // "if (cond) return 1; else return 0;" — the jne +0xc skips exactly
        // the 10-byte mov plus the 2-byte jmp. Overlaps $sequence_6.
        $sequence_8 = { 750c c785ecefffff01000000 eb0a c785ecefffff00000000 8b85ecefffff }
            // n = 5, score = 300
            //   750c                 | jne                 short +0xc (over the mov/jmp pair)
            //   c785ecefffff01000000     | mov    dword ptr [ebp - 0x1014], 1
            //   eb0a                 | jmp                 short +0xa
            //   c785ecefffff00000000     | mov    dword ptr [ebp - 0x1014], 0
            //   8b85ecefffff         | mov                 eax, dword ptr [ebp - 0x1014]

        // Tail of $sequence_7 (errno == EINPROGRESS check without the
        // preceding cmp eax, -1); fully contained in $sequence_7.
        $sequence_9 = { 750c e8???????? 8b00 83f873 }
            // n = 4, score = 300
            //   750c                 | jne                 short +0xc
            //   e8????????           | call                <rel32>
            //   8b00                 | mov                 eax, dword ptr [eax]
            //   83f873               | cmp                 eax, 0x73

    // 7 of the 10 sequences must match. Because $sequence_0 and $sequence_2
    // are contained in $sequence_6 (and $sequence_8 overlaps it) and
    // $sequence_9 is contained in $sequence_7, one epilogue plus one errno
    // check can account for up to 6 of the 7 required hits. The filesize
    // bound (< 2310144 bytes, about 2.2 MiB) keeps the rule off large
    // binaries but is not a family indicator on its own.
    condition:
        7 of them and filesize < 2310144
}