Gayfemboy is a malware strain that infects corporate devices, including those from DrayTek, TP-Link, Raisecom and Cisco, by exploiting known CVEs. It has affected companies in Brazil, France, Germany, Israel, Mexico, the United States, Switzerland and Vietnam, and impacts sectors such as construction, manufacturing, technology and media/communications.
== History ==

The malware was first discovered in February 2024 by security researchers at Fortinet, after a large number of attacks were carried out by the Gayfemboy malware in January, in which the infected machines were used as a botnet to launch a wave of DDoS attacks against target websites. Known samples were obfuscated with the UPX packer, but the "UPX!" header marker was replaced by the non-printable bytes "10 F0 00 00" (hexadecimal), making detection harder.

Upon execution, the malware inspects the path of each process in "/proc/[PID]/exe" to gather information about the active processes and their locations within the file system. It loads 47 command strings into memory and compares them against every entry in "/proc/[PID]/cmdline"; if a match is found, it terminates the corresponding process. These commands include "ls -l", "reboot" and "wget", among others.

The Monitor component is used for self-preservation and to detect sandboxes. If Gayfemboy finds that the malware process has been terminated, it restarts it. The malware uses a delay of 50 nanoseconds to detect a sandbox: a sandbox that cannot handle such a finely tuned delay causes the invoked function to fail, which leads the malware to "misinterpret" the outcome and enter a 27-hour dormant state.
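As an added example (not from the original article or from any vendor tooling), a small Python heuristic scanner for the packing trait described above: it looks for the normal "UPX!" marker and for the "10 F0 00 00" replacement, and flags ELF files that carry the replacement while having no section headers, a common trait of UPX-packed ELF binaries. The ELF header offsets are the standard ones; the sample inputs are constructed, not real malware.

```python
import struct

ELF_MAGIC = b"\x7fELF"
UPX_MAGIC = b"UPX!"                   # normal UPX header marker
TAMPERED_MAGIC = b"\x10\xF0\x00\x00"  # replacement reported in Gayfemboy samples


def elf_section_count(data: bytes):
    """Return e_shnum from the ELF header, or None if the data is not an ELF header."""
    if len(data) < 52 or not data.startswith(ELF_MAGIC):
        return None
    ei_class, ei_data = data[4], data[5]
    endian = "<" if ei_data == 1 else ">"
    if ei_class == 1:                       # ELF32: e_shnum lives at offset 48
        return struct.unpack_from(endian + "H", data, 48)[0]
    if ei_class == 2 and len(data) >= 64:   # ELF64: e_shnum lives at offset 60
        return struct.unpack_from(endian + "H", data, 60)[0]
    return None


def scan_upx_markers(data: bytes) -> dict:
    """Heuristic scan: UPX markers plus the 'no section headers' trait of UPX-packed ELFs."""
    shnum = elf_section_count(data)
    return {
        "is_elf": shnum is not None,
        "no_section_headers": shnum == 0,
        "standard_upx": UPX_MAGIC in data,
        "tampered_upx_hits": data.count(TAMPERED_MAGIC),
    }


def verdict(data: bytes) -> str:
    r = scan_upx_markers(data)
    if r["standard_upx"]:
        return "packed_upx"                 # plain UPX, visible to ordinary tooling
    if r["is_elf"] and r["no_section_headers"] and r["tampered_upx_hits"] > 0:
        return "suspected_tampered_upx"     # matches the header trick described above
    return "clean"


def build_sample(ei_class: int, shnum: int, body: bytes) -> bytes:
    """Constructed test input: a minimal little-endian ELF header (not a runnable binary) plus a body."""
    hdr = bytearray(52 if ei_class == 1 else 64)
    hdr[:4] = ELF_MAGIC
    hdr[4], hdr[5] = ei_class, 1            # EI_CLASS, EI_DATA = little-endian
    struct.pack_into("<H", hdr, 48 if ei_class == 1 else 60, shnum)
    return bytes(hdr) + body
```

Run `verdict()` over a file's bytes; a "suspected_tampered_upx" result is a triage hint to hand the sample to a proper unpacker, not a final classification.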