Kaiji Malware Brute Forces its Way In

Distributed Denial of Service (DDoS) attacks make news headlines for a number of reasons, mostly due to how they show the might of hackers in denying users a service at a whim. Whether it is government infrastructure or gamers who need to get in there hours, hackers conducting DDoS attacks can ruin anybody’s plans. While the results of these attacks are headline-generating by themselves the malware and its creation that facilitate the attack don’t get the same amount of attention. Hence why on May 3, 2020, an announcement on Twitter announcing the discovery of a new piece of malware might have gone unnoticed by the majority of Twitter’s population.

A security researcher going by the Twitter handle of MalwareMustDie announced that a new malware, named Linux/Kaiji, seemed to be making the rounds which was coded in Go and appeared to be developed somewhere in China would be of interest to the InfoSec community. If the malware is used in massive operations then it is most likely to make the headlines its developer intends. Subsequent analysis by security firm Intezer reveals that the malware has been built from scratch which in itself is quite rare with many malware developers starting development off of publically released source code.

kaiji malware attacks iot devices

Further, coding DDoS malware from scratch would not seem necessary to many hackers as the nature of such an attack is that they are easily detected due to the overt results intended by such an attack. Due to this investing in custom code and tools is not readily done, rather it is deemed sufficient to rely on previously developed code, like Mirai, for example, do get the job done.

Kaiji is unique for a number of reasons, not just because it developed from scratch. The majority of malware strains that form the DDoS family tree tend to be written in C or C++, which the malware is written in Go is most certainly worth noting. The Go Language was developed at Google by Robert Griesemer, Rob Pike, and Ken Thompson based off their shared dislike of C++ but it does share similarities with C++, namely that it is statically typed and is run-time efficient but it is also easier to read and user friendly like Python or JavaScript. As Go, or sometimes referred to as GoLang, is a relatively new language, released in 2009, to be developed malware written in the language is not common, however, since the language's release, security researchers are seeing the language being used more in malware development. In a report by Palo Alto, it was concluded,

“Overall, this research exercise proved to be enlightening to me personally for a number of reasons. While certain preconceived notions around the prevalence of pentesting-related Go malware were indeed confirmed, there was also a wealth of different true malware families present. These malware families ranged from backdoors to botnets to banking Trojans. The overall low number of malware samples identified also was an interesting data point, showing that generally speaking, Go malware still has not gained a significant interest from malware developers. However, the timelines of the identified malware sample’s first seen timestamps indicate that Go malware is gaining popularity. Looking at the specific timeframe of January to March between 2017 to 2019, we see a significant rise where the number of identified malware samples rose by a factor of almost 20 (+1944%)."

Go malware is still in its infancy. However, it is gaining the attention of both malware developers as well as the security community in general, as new malware families are discovered and published frequently. Because the developers may compile a single code base against all major operating systems, it is my belief that Go will constitute a much larger market share of developed malware in the years to come, and should be on the security community’s proverbial radar.

SSH Brute Forcing

According to researchers Kaiji has already been seen in the wild, slowly spreading and infecting devices to create a large and robust botnet. Unlike other DDoS malware that uses known exploits and vulnerabilities to spread and infect targeted devices, Kaiji relies solely on brute-forcing its way into IoT devices and Linux Servers in order to spread. Kaiji uses a tactic known as a brute force SSH attack which is by known means a new tactic. Some researchers believe the earliest attacks using this tactic may have occurred over 15 years ago. Central to the tactic is the targeting of an SSH server that are typically used to transfer data between two computers over an untrusted network. The brute force attack involves injecting numerous password and username credentials into login attempts to order to find the correct one which grants them access to the SSH server protocol which in turn grants the attacker administrative privileges that allow the attacker to execute malicious code.

In the case of Kaiji, only the “root” or initial account is targeted. This is because the malware needs root access to infected devices in order to manipulate raw network packets for the DDoS attacks they want to carry out, and the other operations they want to carry out. Once it gains access to a device's root account, Kaiji will use the device in three ways. First, for DDoS attacks. Second, to carry out more SSH brute-force attacks against other devices. Third, it steals any local SSH keys and spreads to other devices the root account has managed in the past.

Still Under Development

Kaiji activity was first detected in April 2020 by researchers at Intezer and since then six different DDoS campaigns have been conducted by the malware’s author. Despite this, the malware appears to still be under development. When compared to more established botnets the code lacks a number of features its rivals have. Certain strings in the code contained the word “demo” indicating that it was complete. Further, the code itself upon executing would call itself a number of times. This went beyond the point of being unnecessary and would actually cause the malware to exhaust the device's memory and crash, a goal botnet malware authors want to avoid at all cost as many of them don’t persist after a crash or device restart. The last indicator that the malware is still under development is that the command and control server would often go offline leaving botnets instruction less and liable to be hijacked by another competing botnet.

When the discovery was initially announced MalwareMustDie believed the malware author to be a Chinese malware author. This view is shared by Intezer researchers, with their report stating,

“There exist 13 central goroutines which are important for the implant’s operation. Many of these functions are named in an English representation of Chinese words. We have highlighted the most interesting functions and added a translation from Chinese to relevant functions:
main_rundingshi (漢字: run timing): Install persistence through crontab
main_runganran (漢字: run infection): Another persistence technique, backdoor the SSH init script /etc/init.d/ssh to call the rootkit on startup
main_runshouhu (漢字: run surgery): Copy the rootkit to /etc/32679 and run it every 30 seconds
main_runkaiji (漢字: run boot): Install more persistence init.d files, e.g.: /etc/init.d/boot.local”

Despite the malware still being in apparent development both Intezer and MalwareMustDie will continue to monitor the malware’s evolution. Kaiji also seems to highlight further the current trend of botnets in that they are becoming smaller. In the past it was almost a race by botnet operators to see how many devices they could infect in order to create supermassive botnets, in some instances over 500,000. The modern-day botnet ecosystem now only really sees large and successful botnets topping out 16,000 infected devices. The botnet ecosystem itself has become a place of intense competition which is one of the reasons the ecosystem has become so fragmented as competition for devices is fierce.

The likelihood of the world seeing botnets top the hundreds of thousands is unlikely but then again stranger things do happen. Kaiji appears to have been developed primarily with DDoS attacks in mind. The threat posed by botnets does not end there, in the past botnets have been seen distributing other malware types including ransomware and banking trojans. While Kaiji is still in its infancy and not been actively used in major campaigns the threat posed by the malware in the future. Intezer concluded that concerning Kaiji and other GoLang malware,

“It is rare to see a botnet written from scratch, considering the tools readily available to attackers in black market forums and open source projects. In this post, we have uncovered a new DDoS operation in its early stages that was written from scratch. This is another confirmation of an interesting trajectory noted by vendors such as Palo Alto that malware developers are turning to modern languages such as Golang for their operations.”

▼ Show Discussion

About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over five years working in this branch. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications. Contact Karolis Liucveikis.

PCrisk security portal is brought by a company RCS LT. Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.

Our malware removal guides are free. However, if you want to support us you can send us a donation.

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers. Read more about us.

Malware activity

Global malware activity level today:

Medium threat activity

Increased attack rate of infections detected within the last 24 hours.

Virus and malware removal

This page provides information on how to avoid infections by malware or viruses and is useful if your system suffers from common spyware and malware attacks.

Learn about malware removal