With the rise of IoT connecting potentially billions of devices, the control that can be gained by exploiting them automatically becomes lucrative for attackers. This has led to the creation of IoT malware specifically targeting such networks.
One such example has been seen recently with Kaiji, a new IoT malware discovered by a security researcher dubbed MalwareMustDie and a team of researchers at Intezar that also targets Linux based servers in addition to IoT devices.
On the other hand, Kaiji does it by brute-forcing any SSH ports that have been left exposed on these devices, however, it only targets the root users. The reason for this as explained by the researchers is that the infection’s purpose is to conduct DDoS attacks and for this, it needs to create custom network packets.
The authority to do so is only available with Root users in Linux and hence it makes sense to not target other users. Once it gains SSH access in this way, Kaiji is installed under one of a number of different names such as ‘netstat’, ‘ps’, or ‘ls’.
Guys, another new #China (#PRC) made #DDoS #ELF #malware, I called it: “#Linux/Kaiji”, coded in #Go lang, packed, VT low detection=1. You may want to block #C2 at:
1[.]versionday[.]xyz at 66[.]11[.]125[.]66 (at 22.214.171.124/24)
Good for ur @radareorg RE🥰https://t.co/YYDZ54BW26 pic.twitter.com/MIQQihhmXo
— ☩MalwareMustDie (@malwaremustd1e) May 3, 2020
Then it starts performing malicious activities which can be broadly divided into 3 categories:
- Conducting DDoS attacks,
- Continue the aforementioned SSH attack vector against other devices,
- Stealing any local SSH keys available and using them to attack any other devices that the server connected with in the past.
A rare aspect of this IoT malware is that it was written from scratch. Usually, we have seen IoT malware coded in C or C++ yet Kaiji is uniquely programmed in the Go language representing a shift away from the norm.
This results in problems for security researchers because they have to interpret the malware from scratch, something already done to a considerable extent in the usual mix-and-match written programs made from open source code available on sites like Github.
It is rare to see a botnet written from scratch, considering the tools readily available to attackers in blackmarket forums and open source projects, wrote Paul Litvak of Intezer in a blog post.
On the other hand, this may not be its final version. Researchers say so by witnessing the presence of multiple abnormalities in the code, those that would not be found in an established botnet otherwise.
Examples include “the rootkit invoking itself too many times, leaving the machine gasping for memory” and incidents such as the C2 server going offline which leaves the devices under its command susceptible to an attack by other botnet systems – something you do not want to maintain your computing power consistently.
For the future, we can expect to see more malware strains popping up using modern languages, something that would require cybersecurity researchers to adopt accordingly – both to catch the bad guys and protect users.