
Gwmndy Botnet

By GoldSparrow in Botnets

Many cybercriminals opt to create botnets because they can be used in many different ways. For example, a network of hijacked computers can be used to launch DDoS (Distributed Denial-of-Service) attacks. Another use is cryptocurrency mining, where the operators of the botnet employ unsuspecting users' computers to mine cryptocurrency for them, which can be very profitable. With more and more devices becoming 'smart' and having the option to connect to the Internet, cyber crooks have found a new niche to attack. This gave rise to IoT (Internet-of-Things) botnets. One such example is the Gwmndy Botnet.

Only 200 New Infected Devices Daily

The operators of the Gwmndy Botnet have chosen to keep it on the down-low by only infecting about 200 IoT devices a day. This is likely done so that malware researchers have a harder time spotting the activity of the Gwmndy Botnet. Another explanation may be that the creators of the Gwmndy Botnet do not need a very large botnet for whatever campaigns they are preparing to launch.

Targets East Asia

It would seem that most of the compromised devices are located in East Asia, namely the Philippines and Thailand. The Gwmndy Botnet appears to consist only of routers produced by the company Fiberhome. Perhaps the motive for this is that the operators of the Gwmndy Botnet have discovered a vulnerability in the configuration of these devices and are taking full advantage of it. However, some speculate that the explanation may be simpler. Perhaps the users whose devices were infected did not change the default username and password on their devices, and the attackers simply logged in.

Works as a Proxy Server

The creators of the Gwmndy Botnet have opted to configure the routers to work as proxy servers that the attacker can use silently. Recently, there was another instance where attackers did just that: the SystemBC malware. The exact purpose of the compromised routers is not yet clear. While the attackers may use them as network infrastructure for their own malware, they may also rent them out to other cybercriminals.

Many IoT devices are not well configured when it comes to cybersecurity, and an increasing number of cybercriminals are taking advantage of this.

