Posted on May 5, 2020 at 2:22 PM
Researchers say New Kaiji Botnet Uses SSH Brute-Force to Target IoT Devices
Researchers have discovered new malware designed to target Smart Internet of Things (IoT) devices and Linux-based servers. According to the researchers, the malware, named Kaiji, was released by a Chinese developer for the main purpose of infesting systems through DDoS attacks.
Kaiji was discovered by a team of security researchers at Interzer Labs as well as a security researcher known as MalwareMustDie.
Malware is unlike other loT malware
The researchers pointed out that Kaiji malware is not like other malware that infects IoT devices. That’s because it’s not written in the usual C++ programming language but the Go programming language.
The Go programming language used in developing malware is not as common as the C++ programming malware, as the researchers pointed out.
The C++programs are very common on the darknet, which makes them easier to recreate and design. That’s why they are more common compared to Go programming malware.
Many IoT malware actors would rather pick something readily available than choosing to design a new botnet from scratch. And several IoT botnets are a combination of different modules and parts drawn from different strains.
A malware analyst at Intezer, Paul Litvak, said the IoT botnet systems have been properly documented by cybersecurity experts over the years. He further stated that the new code used by these hackers was build from scratch, which is something you don’t see frequently in attacks targeting IoT devices.
“It is not often that you see a botnet’s tooling written from scratch,” he said after analyzing the new code.
KAIJI is spread through SSH Brute-force attacks
MalwareMustDie and Litvak revealed that Kaiji has initially been discovered in the wild, and is gradually infecting new systems and spreading across the world.
Litvak said the botnet doesn’t have the capability of utilizing exploits to compromise unpatched devices at the moment. Instead, it executes brute-force attacks against Linux servers and IoT devices which have allowed their SSH to be exposed online.
Litvak further reiterated that only the “root” account is infected because the botnet requires root access to compromise devices.
After gaining access to the root account of the device, the botnet makes use of the device in three different ways. First, it could steal any local SSH keys and spread to other devices the main account has kept previously. Secondly, Kaiji can activate more SSH brute force attacks on other devices. Thirdly, and the most common way it uses the device, is through DDoS attacks.
KAIJI may not be the final output yet
There is strong evidence that the Kaiji malware may still be passing through the developmental phase yet. This means the malware could even be more potent in the future.
When the researchers compared their codes with other more established botnets, it lacked certain features. In some instances, the botnet crashes as the rootkit usually calls itself too many times. And in some cases, the botnet still contains “demo” strings.
Additionally, the command and control servers of the botnet sometimes go offline, allowing it to be vulnerable against other botnets and leaving compromised devices with no master server.
Recent IoT botnets are now fragmented
The IoT malware has seen some recent developments, with the Kaihi botnet being the latest to appear on the scene.
In the past, botnets can go as far as infecting over 500,000 devices. But these days, the majority of the IoT botnets do not even go beyond 20,000 infected devices.
The emergence of open-source botnet kits has made it possible for more botnets to be active daily. They are looking to compromise the IoT devices connected online. That means the IoT botnet scene is now divided among different segments, with each player concentrating on a particular field.
The botnet could pose a threat in the future
Presently, Litvak and MalwareMustDie are tracking the development of Kaiji as both of them said the malware could become a very big threat in the future.
The two researchers have also agreed that the actors responsible for the botnet are Chinese developers. From the findings of the researchers, the majority of the functions in the code were interpreted from Chinese terms.
