Gwmndy malware turns Fiberhome routers into proxy nodes

• The malware also collects router information such as device IPs so that threat actors have a hold on the routers regardless of IP changes.
• It also provides a web interface for attackers and used backdoor passwords for creating SSH tunnels.

A new malware targeting Fiberhome routers has been identified by security researchers. Dubbed as ‘Gwmndy’, the malware is being used to turn the routers into proxy nodes. It is reported that the malware is a part of an ongoing IoT botnet campaign.

Gwmndy was discovered by researchers from Qihoo 360. They spotted an ELF file on their detection systems on July 24, which turned out to be a component of the malware.

Key highlights

• The ELF file encountered by the researchers was found collecting router information such as device IP. This information was relayed to a remote interface that is used by attackers to control the router even if the IP gets changed.
• After this, the attackers behind Gwmndy used backdoor passwords in the devices to create SSH tunnels, and subsequently creating a SOCKS5 proxy service.
• The components of Gwmndy include vpn.sh, SSH client programs, a ‘Reporter’ (the ELF file) and a web interface for relaying information. It also uses legitimate software such as Dropbear.
• Information collected by the ‘Reporter’ file includes local SSH ports, shadow passwords, public IP addresses, and MAC addresses of the router.

Malware distribution remains unknown

Although the Qihoo researchers detailed the features of the malware, they found no information on how it was distributed. “We didn't see how Gwmndy malware spread, but we know that some Fiberhome router Web systems have weak passwords and there are RCE vulnerabilities,” wrote the researchers.

Furthermore, they also advised Fiberhome router users in Thailand and the Philippines to keep the device software updated.