Custom malware Kaiji targets IoT devices via SSH brute forcing

Chinese origin botnet, Kaiji, built from scratch in the Golang language, can launch multiple DDoS attacks, SSH bruteforcer, SSH spreader.

Share this Intel:

  • Intezer has discovered a new Chinese origin botnet that targets servers and IoT devices via SSH brute forcing. 
  • Unlike common botnets that use implants from popular open source or dark web tools, Kaiji uses custom implants. 
  • It has been built from scratch in the Golang programming language, which is uncommon in IoT botnets. 
  • Though simple, Kaiji has the capabilities to launch:
    • Multiple DDoS attacks such as ipspoof and synack attacks
    • An SSH bruteforcer module to continue the spread
    • An SSH spreader which hijacks local SSH keys to infect hosts that the server has connected to previously. 

Initial Infection

  • Kaiji spreads via SSH brute forcing by targeting root users. 
  • Since it requires packet crafting capability, which can be executed only via a root user, it only targets the root user. 

Execution

  • After establishing an SSH connection, it executes a bash script to set up the environment for the malware.
  • Then a /usr/bin/lib directory is created. 
  • And the malware is installed under the filename ‘netstat’, ‘ps’, ‘ls’, or some other system tool name. 
  • Once executed, Kaiji gets copied to /tmp/seeintlog and launches a second instance that initiates its operations. The implants’ operations consist of 13 central goroutines.
  • The doLink routine, decrypts the C2 address and registers the infected server with a command server. 
  • It then launches the doTask and RotKit goroutines.
  • The main_doTask routine fetches commands from the C2, including:
    • DDoS instructions
    • SSH bruteforce instructions, including host range and a password to attempt login
    • Run shell command
    • Replace C2 servers
    • Delete itself and remove all persistence
  • To carry out a DDoS attack, it retrieves an attack technique and a target, including:
    • Two TCPFlood implementations (one with raw sockets)
    • Two UDPFlood implementations (one with raw sockets)
    • IPSpoof attack
    • SYNACK attack
    • SYN attack
    • ACK attack
  • The ddos_Rotkit routine tries to connect to known hosts via SSH RSA keys or IPs found in bash history.

Persistence

The malware installs persistence through rc.d and Systemd services:

  • main_runghost: Installs persistence through /etc/profile.d (/etc/profile.d/linux.sh)
  • main_rundingshi: Installs persistence through crontab
  • main_runganran: Backdoor for the SSH init script /etc/init.d/ssh to call the rootkit on startup
  • main_runshouhu: Copies the rootkit to /etc/32679, and runs it every 30 seconds.
  • main_runkaiji: Installs more persistence init.d files, e.g.: /etc/init.d/boot.local
  • ddos_rdemokill: Periodically checks the CPU and kills it if it is > 85%. 

Indicators of Compromise

  • 4e8d4338cd3b20cb027a8daf108c654c10843e549c3f3da6646ac2bb8ffbe24d
  • 9198853b8713560503a4b76d9b854722183a94f6e9b2a46c06cd2865ced329f7
  • 98aee62701d3a8a75aa19028437bc2d1156eb9bfc08661c25db5c2e26e364dca
  • 0ed0a9b9ce741934f8c7368cdf3499b2b60d866f7cc7669f65d0783f3d7e98f7
  • F4a64ab3ffc0b4a94fd07a55565f24915b7a1aaec58454df5e47d8f8a2eec22a
  • 9f090a241eec74a69e06a5ffed876c7a37a2ff31e171924673b6bb5f1552814c
  • 370efd28a8c7ca50275957b47774d753aabb6d7c504f0b81a90c7f96c591ae97
  • 357acbacdb9069b8484f4fdead1aa946e2eb4a505583058f91f40903569fe3f3
  • cu.versiondat[.]xyz
  • 1.versionday[.]xyz
  • www.aresboot[.]xyz
  • www.6×66[.]com
  • www.2s11[.]com

Be informed about these Threats in your Inbox

Sign up now to our Threat intelligence Newsletter and be the first to know about these threats first in your inbox.

Subscribe now