Security researchers at Intezer Labs and an individual researcher named MalwareMustDie have discovered a new malware strain that affects Linux-based servers and IoT devices. Reports suggest that the botnet is of Chinese origin and targets root users.
What makes Kaiji different from other malware is that it is developed using the Go programming language instead of C or C++, which are the most common languages for programming malware strains.
Malware based on Go programming language is a rare occurrence as a majority of malware operators use free C and C++ projects available on Github to develop malware. Developing malware from scratch using Go language is a tedious task.
According to Paul Litvak from Intezer, “The Internet of things (IoT) botnet ecosystem is relatively well-documented by security specialists. It is not often that you see a botnet’s tooling written from scratch.”
Kaiji targets exposed SSH ports
Guys, another new #China (#PRC) made #DDoS #ELF #malware, I called it: "#Linux/Kaiji", coded in #Go lang, packed, VT low detection=1. You may want to block #C2 at:
1[.]versionday[.]xyz at 66[.]11[.]125[.]66 (at 220.127.116.11/24)
Good for ur @radareorg RE🥰https://t.co/YYDZ54BW26 pic.twitter.com/MIQQihhmXo
— ☩MalwareMustDie (@malwaremustd1e) May 3, 2020
A report by security analysts suggests that the botnet is not yet advanced enough to exploit unpatched devices. Kaiji uses a brute force attack to target IoT devices and Linux servers that have their SSH ports exposed on the internet.
The botnet targets only root accounts because it requires root access to manipulate raw network packets for DDoS attacks and other malicious activities.
Once the malware gains access to the root account successfully, it can affect devices in 3 different ways:
- Carrying out DDoS attacks
- Carrying out more SSH-Brute force attacks against other devices
- Steal SSH keys to spread to other devices that it has compromised in the past
Security researchers have revealed that Kaiji botnet is still a work in progress as they have found that it still lacks features and has “demo” strings in some code fragments.
Recently, we have seen an increase in the number of malware targeting Linux servers, and Kaiji is another example of malware authors moving their focus to Linux and IoT devices.