- Intezer has discovered a new Chinese-origin botnet that targets servers and IoT devices via SSH brute forcing.
- Unlike common botnets that reuse implants from popular open source or dark web tools, Kaiji uses custom implants.
- It was written from scratch in Golang, which is uncommon for IoT botnets.
- Though simple, Kaiji has the capabilities to launch:
  - Multiple DDoS attacks, such as ipspoof and synack attacks
  - An SSH bruteforcer module to continue the spread
  - An SSH spreader that hijacks local SSH keys to infect hosts the server has previously connected to
Initial Infection
- Kaiji spreads via SSH brute forcing, targeting only the root user.
- It targets root only because it needs packet-crafting capability, which is available only to the root user.
Execution
- After establishing an SSH connection, it executes a bash script that sets up the environment for the malware.
- The script creates a /usr/bin/lib directory.
- The malware is then installed there under a system tool name such as 'netstat', 'ps' or 'ls'.
- Once executed, Kaiji copies itself to /tmp/seeintlog and launches a second instance that begins its operations. The implant's operations consist of 13 central goroutines.
- The doLink routine decrypts the C2 address and registers the infected server with a command server.
- It then launches the doTask and RotKit goroutines.
- The main_doTask routine fetches commands from the C2, including:
  - DDoS instructions
  - SSH bruteforce instructions, including a host range and a password to attempt login with
  - Run a shell command
  - Replace C2 servers
  - Delete itself and remove all persistence
- To carry out a DDoS attack, it retrieves an attack technique and a target. The techniques include:
  - Two TCPFlood implementations (one with raw sockets)
  - Two UDPFlood implementations (one with raw sockets)
  - IPSpoof attack
  - SYNACK attack
  - SYN attack
  - ACK attack
- The ddos_Rotkit routine tries to reach hosts the server has previously connected to, using local SSH RSA keys and IPs found in the bash history.
Persistence
The malware installs persistence through rc.d and systemd services:
- main_runghost: Installs persistence through /etc/profile.d (/etc/profile.d/linux.sh)
- main_rundingshi: Installs persistence through crontab
- main_runganran: Backdoor for the SSH init script /etc/init.d/ssh to call the rootkit on startup
- main_runshouhu: Copies the rootkit to /etc/32679, and runs it every 30 seconds.
- main_runkaiji: Installs more persistence init.d files, e.g.: /etc/init.d/boot.local
- ddos_rdemokill: Periodically checks CPU usage and kills it if it is above 85%.
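A host check for the execution and persistence artifacts listed above, written here as an added example (not code from Intezer or from the malware). It scans a filesystem root (pass "/" for a live host or the mount point of a disk image) for the dropped paths and for crontab entries that reference them; the demo_scan fixture is constructed, and the function names are this example's own.

```python
import tempfile
from pathlib import Path

# Artifacts from the write-up, relative to a filesystem root.
# Note: /etc/init.d/boot.local exists legitimately on some SUSE systems,
# so treat that hit on its own as weak evidence.
KAIJI_FILE_ARTIFACTS = ("tmp/seeintlog", "etc/32679",
                        "etc/profile.d/linux.sh", "etc/init.d/boot.local")
DROPPED_PATH_STRINGS = ("/usr/bin/lib", "/tmp/seeintlog", "/etc/32679")
CRON_FILES = ("etc/crontab", "var/spool/cron/crontabs/root", "var/spool/cron/root")

def scan_kaiji_artifacts(root="/"):
    """Return a list of findings for Kaiji artifacts present under root."""
    root, hits = Path(root), []
    for rel in KAIJI_FILE_ARTIFACTS:
        if (root / rel).exists():
            hits.append(f"file present: /{rel}")
    # /usr/bin/lib is not a directory on a normal install; Kaiji creates it and
    # drops its binary there under a system-tool name such as netstat, ps or ls.
    libdir = root / "usr/bin/lib"
    if libdir.is_dir():
        hits.append("unexpected directory: /usr/bin/lib")
        for entry in sorted(libdir.iterdir()):
            if entry.is_file():
                hits.append(f"binary under /usr/bin/lib: {entry.name}")
    # Crontab persistence (main_rundingshi) shows up as entries that run one of
    # the dropped paths; report the whole line so the schedule is visible.
    for rel in CRON_FILES:
        cron = root / rel
        if cron.is_file():
            for line in cron.read_text(errors="replace").splitlines():
                if any(p in line for p in DROPPED_PATH_STRINGS):
                    hits.append(f"cron reference in /{rel}: {line.strip()}")
    return hits

def demo_scan(populate=True):
    """Scan a constructed fixture tree (empty when populate is False)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        if populate:  # constructed sample artifacts, not real samples
            (root / "usr/bin/lib").mkdir(parents=True)
            (root / "usr/bin/lib/netstat").write_bytes(b"\x7fELF-placeholder")
            (root / "tmp").mkdir()
            (root / "tmp/seeintlog").write_bytes(b"")
            (root / "etc").mkdir()
            (root / "etc/crontab").write_text("* * * * * root /usr/bin/lib/netstat\n")
        return scan_kaiji_artifacts(root)
```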
Indicators of Compromise