New IoT Botnet Uses Tor to Obfuscate C2 Communications, Researchers Find

Security researchers discovered that a new variant of the Gafgyt malware is on the loose, attacking D-Link routers and a couple of other IoT devices. The most significant difference from its predecessors is its use of Tor to hide its communication with the command and control (C2) server. Malware targeting IoT devices is becoming more common as growing numbers of smart appliances and other connected hardware arrive on the market.

Attacks on these targets are also becoming more sophisticated as vendors close vulnerabilities and security companies identify malware campaigns.

Gafgyt has been around for a while, but now a new variant is active in the wild, exploiting vulnerabilities in D-Link routers (CVE-2019-16920) and Citrix appliances (CVE-2019-19781) as well as a Liferay Portal remote code execution flaw. Dubbed Gafgyt_tor, it routes its C2 communication through the Tor network to hide its malicious activity.

“Further analysis revealed that the family is closely related to the Necro family we made public in January and is behind the same group of people, the so-called keksec group,” said NetLab 360 researchers.

As usual with these types of IoT botnets, it targets devices through the Telnet protocol, which is often left open and protected only by weak credentials. Attackers also use three distinct vulnerabilities, all of which have been known for some time. Unfortunately, some affected devices (D-Link routers) are also reported to have reached their end of life, which means the manufacturer has not fixed the problem through a patch. The only way to stay safe is to replace the router entirely.

The malware aims to compromise the device and turn it into a DDoS and scanning bot. The same group that deploys the Gafgyt_tor malware is also likely responsible for the Necro and Tsunami botnets.