A new botnet campaign with Chinese origins, dubbed "Kaiji" targeting Linux servers and IoT devices through SSH-brute forcing, was discovered by researchers at Intezer Labs.
While other such attackers get implants from popular sources like open source or blackmarket toolsets, this particular botnet employs a custom implant, from which its name Kaiji is derived based on one of the functions. Also, the botnet was built using the Golang programming language, which is very rare in the IoT botnet ecosystem.
Albeit, the security analysts believed that the botnet isn't advanced enough to exploit most devices, as Kaiji uses a brute force attack to target those IoT devices and Linux servers with their SSH ports exposed.
How Kaiji targets IoT devices with exposed SSH ports
The botnet, Kaiji spreads exclusively through SSH-brute force attacks targeting root users only, and access to root is important for its operation as such DDoS attacks are possible via crafting own network packets. While for Linux, such custom network packets are given to privileged users such as a root user.
If an SSH connection is established, it executes a bash script which sets up the environment for the malware, thus:
A /usr/bin/lib directory is created and then Kaiji is installed under the filename ‘netstat’, ‘ps’, ‘ls’, or some other system tool name.
Kaiji main features consists of multiple DDoS attacks like synack and ipspoof attacks, with an ssh bruteforcer module to maintain the spread, through an ssh spreader that relies on hijacking local SSH keys to infiltrate known hosts which the server connected in the past.
How to Protect your Linux and cloud servers
Malware threats targeting Linux are on the rise, with Kaiji as a new DDoS operation in its early stages.
Another major threat is the Mirai botnet that infected hundreds of thousands of IoT devices used to launch some of the largest DDoS attacks in history. It spreads in a worm-like manner through Telnet connections by taking advantage of default administrative details on smart devices, which unfortunately, most users don't change.
Therefore, it is recommended that Linux users should make sure that their servers are patched as at when due, and the server software are up-to-date, and more importantly, ensure that they change the default administrative password.