Kaiji IoT Botnet

First observed in April 2020, Kaiji is a Go-based worm and botnet associated with an ongoing campaign targeting exposed Linux servers and Internet-of-Things (IoT) devices. Unusually for IoT malware, Kaiji appears to be entirely bespoke and does not contain any code from more well-known botnets such as Mirai.

Affected platforms

The following platforms are known to be affected:

  • Linux web servers
  • Linux-based IoT devices

Threat details

Kaiji is distributed via SSH brute-force attacks against exposed root user accounts. If an SSH session is successfully created, a bash script is then executed to install Kaiji on the affected system.

Once installed, Kaiji will connect to a command and control server to retrieve a list of IP ranges to attempt further brute-force attacks against and a second list of target IP addresses, which Kaiji will perform a number of distributed denial-of-service attacks against. At the time of publication, Kaiji is able to perform ACK, IPSpoof, SYN, SYNACK, TCP, and UDP flood attacks.
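The entry route described above (repeated failed SSH logins as root, followed by a successful password login from the same source) can be surfaced from sshd logs. The following is an added example, not part of the advisory: the log lines are constructed, and the syslog format, threshold and window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd syslog lines (not from a real host).
SAMPLE_LOG = """\
Jun 25 10:00:01 host sshd[1201]: Failed password for root from 203.0.113.7 port 51022 ssh2
Jun 25 10:00:02 host sshd[1202]: Failed password for root from 203.0.113.7 port 51024 ssh2
Jun 25 10:00:02 host sshd[1203]: Failed password for root from 203.0.113.7 port 51026 ssh2
Jun 25 10:00:03 host sshd[1204]: Failed password for root from 203.0.113.7 port 51028 ssh2
Jun 25 10:00:03 host sshd[1205]: Failed password for root from 203.0.113.7 port 51030 ssh2
Jun 25 10:00:04 host sshd[1206]: Accepted password for root from 203.0.113.7 port 51032 ssh2
Jun 25 10:03:00 host sshd[1300]: Failed password for alice from 198.51.100.4 port 40000 ssh2
Jun 25 10:05:00 host sshd[1301]: Accepted publickey for alice from 198.51.100.4 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<time>[\d:]{8}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)

def parse(line, year=2020):
    """Parse one sshd line; syslog carries no year, so it is an assumed parameter."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"], "user": m["user"], "ip": m["ip"]}

def detect_root_bruteforce(log_text, threshold=5, window_s=60):
    """Return, per source IP, sources with >= threshold failed root logins inside a
    sliding window, and whether a root password login from that source followed."""
    fails = defaultdict(list)
    findings = {}
    for line in log_text.splitlines():
        ev = parse(line)
        if not ev or ev["user"] != "root":
            continue
        ip = ev["ip"]
        if ev["result"] == "Failed":
            # Keep only failures that fall inside the sliding window, then add this one.
            fails[ip] = [t for t in fails[ip] if (ev["ts"] - t).total_seconds() <= window_s] + [ev["ts"]]
            if len(fails[ip]) >= threshold:
                findings.setdefault(ip, {"failures": 0, "root_login_after_bruteforce": False})["failures"] = len(fails[ip])
        elif ev["method"] == "password" and ip in findings:
            # Accepted password for root from a source that was already brute-forcing.
            findings[ip]["root_login_after_bruteforce"] = True
    return findings
```

Running `detect_root_bruteforce(SAMPLE_LOG)` flags 203.0.113.7 with five failures and a subsequent root password login; the single failure from 198.51.100.4 against a non-root account is ignored.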


Threat updates

25 Jun 2020: Kaiji is now targeting vulnerable Docker systems. After identifying Docker hosts exposed over port 2375, the group operating Kaiji delivers an ARM container containing a copy of the malware and a startup script, before executing it. The script then launches Kaiji before deleting all Docker components that are not required for Kaiji to perform DDoS attacks.

Remediation steps

To prevent and detect an infection, NHS Digital advises that:

  • Secure configurations are applied to all devices.
  • Security updates are applied at the earliest opportunity.
  • Tamper protection settings in security products are enabled where available.
  • Obsolete platforms are segregated from the rest of the network.
  • IT usage policies are reinforced by regular training to ensure all users know not to open unsolicited links or attachments.
  • Multi-factor authentication (MFA) and lockout policies are used where practicable, especially for administrative accounts.
  • Administrative accounts are only used for necessary purposes.
  • Remote administration services use strongly encrypted protocols and only accept connections from authorised users or locations.
  • Systems are continuously monitored, and unusual activity is investigated, so that a compromise of the network can be detected as early as possible.

Please note that NCSC maintains guidance for securely configuring a wide range of end user device (EUD) platforms. For further details refer to their end user device security guidance pages.

Additionally, to protect against a distributed denial-of-service (DDoS) attack, organisations should ensure:

Should an organisation suspect it is subject to an active DDoS attack, it should ensure that every effort is made to stop the attack and restore service. However, care should be taken to ensure that the attackers are not using the DDoS attack as a distraction whilst other, potentially more sensitive, systems are exploited. Monitoring of critical systems is recommended, including the use of host-based intrusion prevention and detection systems (HIPS/HIDS) where appropriate.



Indicators of compromise

Main indicators

URLs


SHA256 File Hashes


Last edited: 29 June 2021 12:01 pm