New Kaiji Botnet Targets IoT, Linux Devices

kaiji botnet malware analysis iot

The botnet uses SSH brute-force attacks to infect devices and uses a custom implant written in the Go Language.

A new botnet has been infecting internet of things (IoT) devices and Linux-based servers, to then leverage them in distributed denial-of-service (DDoS) attacks. The malware, dubbed Kaiji, has been written from scratch, which researchers say is “rare in the IoT botnet landscape” today.

Kaiji, which was discovered in late April by security researcher “MalwareMustDie” and researchers with Intezer, is unique in its custom tooling, created in the Golang programming language. Previous types of IoT malware have mainly derived their tooling from previous botnets (including multiple botnets that are variants of Mirai), which are typically written in the C or C+ programming language.

“Golang is an easier language to program in than C and enables developers to build more code much more easily than to work with C,” Paul Litvak, security researcher with Intezer, told Threatpost. “Sometimes it’s easier to build a tool from scratch than to edit an existing one. The malware developer probably felt more comfortable with code he wrote himself rather than relying on existing stuff.”

Rather than relying on exploiting unpatched flaws, Kaiji spreads exclusively through brute-force attacks against publicly accessible SSH servers that allow password-based SSH authentication, said Litvak, in a Monday analysis.

Only the “root” account is targeted, researchers said: “Accessing root is important to its operation since some DDoS attacks are only available via crafting custom network packets. In Linux, custom network packets are only given to a privileged user such as root.”

Once an SSH connection is established, a /usr/bin/lib directory is created and then Kaiji is installed under the filename ‘netstat’, ‘ps’, ‘ls’, or another system tool name.

Kaiji has relatively simple features, and in fact, Litvak told Threatpost that he believes the tool is still being tested, due to one of its functions calling the tool a “demo.” The malware’s features include various DDoS attack modules, an SSH brute-forcer module to continue its spread, and another SSH spreader that hijacks local SSH keys to infect known hosts which the server has connected to in the past.

Once the malware is executed, it copies itself to /tmp/seeintlog and launches various malicious operations, including decrypting command-and-control (C2) addresses and registering the newly infected server to one of the command servers.

Finally, the botnet fetches commands from the C2 server with instructions for specific DDoS attacks. The botnet uses a variety of attacks, including TCP, UDP, SYN and ACK flood attack capabilities, as well as IP-spoofing capabilities.

These types of attacks are common for botnets; UDP flood denial-of-service attacks, for instance, overwhelm random ports on the targeted host with IP packets containing User Datagram Protocol (UDP) datagrams; and TCP SYN DDoS attacks exploit part of the normal TCP three-way handshake to consume resources on the targeted server and render it unresponsive.

Researchers believe the botnet has “definitive Chinese origins,” due to some functions being named in an English representation of Chinese words.

Kaiji is only one of a recent slew of botnet strains to surface, including Dark_Nexus, MootBot and the DDG botnet.  Unlike these previously discovered botnets, Kaiji has created its own custom tooling in Golang rather than using popular implants – which researchers say is a growing trend for malware developers.

“It is rare to see a botnet written from scratch, considering the tools readily available to attackers in black-market forums and open-source projects,” said researchers with Intezer. “We have uncovered a new DDoS operation in its early stages that was written from scratch. This is another confirmation of an interesting trajectory noted by vendors that malware developers are turning to modern languages such as Golang for their operations.”

Inbox security is your best defense against today’s fastest growing security threat – phishing and Business Email Compromise attacks. On May 13 at 2 p.m. ET, join Valimail security experts and Threatpost for a FREE webinar, 5 Proven Strategies to Prevent Email Compromise. Get exclusive insights and advanced takeaways on how to lockdown your inbox to fend off the latest phishing and BEC assaults. Please register here for this sponsored webinar.

Also, don’t miss our latest on-demand webinar from DivvyCloud and Threatpost, A Practical Guide to Securing the Cloud in the Face of Crisis, with critical, advanced takeaways on how to avoid cloud disruption and chaos.

Suggested articles