In September 2023, NSFOCUS’s global threat hunting system detected a wave of new botnet variants based on Mirai, with hailBot, kiraiBot, and catDDoS emerging as highly active and widespread threats.
These variants have been evolving and deploying sophisticated techniques, posing a significant danger to the cybersecurity landscape. As this article reveals, the Mirai variants exhibit distinct characteristics, such as hailBot’s focus on exploratory test attacks, kiraiBot’s incorporation of unique design elements, and catDDoS’s use of the ChaCha20 algorithm for encryption.
HailBot, derived from Mirai, has modified its go-live data packet and supports various DDoS attack methods. Its controller has been actively building a botnet based on Mirai source code and has targeted financial institutions and IoT platforms, making it a multi-faceted attacker. KiraiBot, another recent addition to the Mirai family, implements persistence and scans for weak passwords, with its activities concentrated in August and September 2023.
CatDDoS introduces the ChaCha20 algorithm for encryption and displays a global distribution of attack targets, focusing on China and the United States. The controller of catDDoS prioritizes concealing the Trojan horse, introducing complex techniques like OpenNIC domains.
In recent years, numerous botnet families have emerged, often based on Mirai and Gafgyt codes. Attackers are constantly working to enhance the stealthiness of these trojans, focusing on file-side improvements and manipulations of communication methods. Understanding these evolving tactics is crucial for effective threat mitigation and cybersecurity efforts in a rapidly changing landscape.
