Kaiji Botnet Targets Linux Servers, IoT DevicesResearchers: Malware Is Capable of Launching DDoS Attacks
Kaiji, a newly discovered botnet, is compromising Linux servers and IoT devices using brute-force methods that target the SSH protocol, according to the security firm Intezer.
The Kaiji malware has the capability of launching distributed denial-of-service attacks, according to researchers from Intezer as well as MalwareMustDie - an independent white hat security research group. But it does not appear that any attacks stemming from this botnet have been launched so far, the reports note.
What makes Kaiji unusual is that its operators created the botnet from scratch using the Go or Golang programming language, according to the researchers. In most other cases, botnets are created by building on top of existing source code, such as the code used to create Mirai, or by using black-market toolsets.
"It is rare to see a botnet written from scratch, considering the tools readily available to attackers in black market forums and open source projects," according to the Intezer report. "This is another confirmation of an interesting trajectory noted by vendors such as Palo Alto Networks that malware developers are turning to modern languages such as Golang for their operations."
Intezer and the MalwareMustDie researchers spotted the Kaiji malware in the wild in late April. They report that the botnet is continuing to grow by targeting vulnerable Linux servers and IoT devices.
The botnet appears to be the work of a Chinese developer, the Intezer researchers note. When researchers examined the source code, they found that many of the functions in the code use English representation of Chinese words.
The Kaiji botnet is spreading by targeting SSH protocols, which use encryption to establish a remote link between a device and a server. It uses brute-force methods, attempting to use combinations of usernames and credentials to hack IoT devices or Linux servers that have ports exposed to the internet, according to the Intezer report.
The malware targets the "root" account of Linux-based devices, which then gives the operators of the Kaiji botnet full control of the device, the Intezer researchers note.
"Accessing root is important to its operation since some DDoS attacks are only available via crafting custom network packets," according to the Intezer report. "In Linux, custom network packets are only given to a privileged user such as root."
In addition to giving the operators a platform to launch a DDoS attack, the Kaiji malware also attempts to start SSH brute-force attacks against other exposed devices to help build the botnet. It also steals SSH keys in order to infect other devices to which a server previously connected.
The Intezer researchers note that they found "demo" strings in the malware source code, which could mean that "this is an early version still in testing."
Over the last several months, researchers have discovered a number of new botnets similar to Kaiji that have the ability to launch DDoS attacks. In April, for example, security firm Bitdefender noted a botnet called Dark Nexus could be rented out by cybercriminals for as little as $20 per month (see: Latest Botnet Offers DDoS Attacks on Demand).
The amount of malware targeting IoT devices is also increasing. Shrenik Bhayani, general manager for South Asia at Kaspersky Lab, previously told Information Security Media Group that malware targeting IoT devices increased 80 percent between 2018 and 2019 (see: Malware Increasingly Targets IoT Devices).