Linux Remaiten malware is stepping up deployment of IoT device botnets
Researchers at the security company ESET have found malware targeting IoT devices such as routers, gateways, and wireless access points.
A "bot backdoor" and "scanner" crossbreed
The malware, known as KTN-Remastered or KTN-RM, combines Tsunami (also called Kaiten) with Gafgyt. Tsunami is a well-known Internet Relay Chat (IRC) bot backdoor that attackers use to launch DDoS attacks, while Gafgyt is used for remote-login (telnet) scanning.
KTN-RM, which the researchers also call "Remaiten", spreads by downloading malicious executable binaries onto embedded platforms and other connected devices and infecting them.
ESET said in an article published on its official blog:
"Recently, we have discovered a malware that integrates Tsunami (also known as Kaiten) and Gafgyt features. In addition, it has some improvements and new features. We call this new threat Linux/Remaiten. So far, we have found three Linux/Remaiten versions: 2.0, 2.1, and 2.2. Based on the code, the discoverer calls the new malware 'KTN-Remastered' or 'KTN-RM'."
How does the Linux malware run?
The malware first performs remote-login (telnet) scanning to find routers and smart devices. Once a connection succeeds, the malware guesses the login credentials and tries to take control of devices that use weak passwords.
If the login succeeds, the malware issues a shell command to download the bot: it fetches malicious binaries built for multiple system architectures and then runs them on the compromised system.
ESET's security researchers also found that these binaries include a hard-coded list of C&C server IP addresses, and that the bot sends information about the infected device (its IP address, the login credentials that worked, and the infection status) to the control server.
"When commanded to execute a remote logon scan, it tries to connect to random IP addresses on port 23. If the connection is successful, it tries to guess the login credentials from the embedded list of username/password combinations. If it logs on successfully, it sends a shell command to the download bot, downloads malicious binary files for multiple architectures, and tries to run them. This is a simple way to infect new devices, even though it seems cumbersome, because a binary file may be executed in the running program."
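The propagation steps described above (random port-23 connections, then credential guessing until a login succeeds) leave a recognisable footprint in connection and authentication logs. The following detector is an added example written for this page, not code from ESET or from the malware analysis; the log format and all addresses in it are constructed, and the thresholds are assumptions to tune per network.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample lines (not real traffic): "<iso-time> <src> -> <dst>:<port> <event>"
SAMPLE_LOG = """\
2016-03-30T10:00:01 192.0.2.10 -> 198.51.100.7:23 connect
2016-03-30T10:00:01 192.0.2.10 -> 203.0.113.44:23 connect
2016-03-30T10:00:02 192.0.2.10 -> 198.51.100.91:23 connect
2016-03-30T10:00:02 192.0.2.10 -> 203.0.113.9:23 connect
2016-03-30T10:00:03 192.0.2.10 -> 198.51.100.120:23 connect
2016-03-30T10:00:10 192.0.2.10 -> 198.51.100.5:23 login-failed
2016-03-30T10:00:11 192.0.2.10 -> 198.51.100.5:23 login-failed
2016-03-30T10:00:12 192.0.2.10 -> 198.51.100.5:23 login-failed
2016-03-30T10:00:13 192.0.2.10 -> 198.51.100.5:23 login-ok
2016-03-30T10:05:00 192.0.2.20 -> 198.51.100.5:22 login-ok
"""

def parse(line):
    # Split one constructed log line into (timestamp, src, dst, port, event).
    ts, src, _, dst_port, event = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst, int(port), event

def telnet_scanners(log, min_targets=5, window=timedelta(seconds=60)):
    """Sources contacting >= min_targets distinct hosts on TCP/23 inside one window
    (the fan-out of an infected device doing Remaiten-style telnet scanning)."""
    by_src = defaultdict(list)
    for line in log.splitlines():
        ts, src, dst, port, event = parse(line)
        if port == 23 and event == "connect":
            by_src[src].append((ts, dst))
    flagged = set()
    for src, hits in by_src.items():
        hits.sort()  # sliding window over each source's connection attempts
        for i, (t0, _) in enumerate(hits):
            if len({d for t, d in hits[i:] if t - t0 <= window}) >= min_targets:
                flagged.add(src)
                break
    return sorted(flagged)

def guessed_logins(log, min_failures=3):
    """(src, dst) pairs with >= min_failures failed telnet logins before a success
    (credential guessing from an embedded username/password list)."""
    fails, found = defaultdict(int), []
    for line in log.splitlines():
        _, src, dst, port, event = parse(line)
        if port == 23 and event == "login-failed":
            fails[(src, dst)] += 1
        elif port == 23 and event == "login-ok" and fails[(src, dst)] >= min_failures:
            found.append((src, dst))
    return found
```

A source flagged by both functions is a device that is already infected and spreading; the port-23 fan-out alone is the earlier signal, since it appears before any login succeeds.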
For more technical details, see the blog article ESET published on Wednesday.