KAIJI (Botnet) – Malware

March 2, 2025

KAIJI

Type of Malware

Botnet

Country of Origin

China

Date of Initial Activity

2020

Motivation

Financial Gain

Attack Vectors

Credential-based Attacks

Targeted Systems

Linux

Overview

The emergence of the Kaiji malware strain in 2020 marked a significant shift in how cybercriminals are targeting Internet of Things (IoT) devices and Linux-based servers. Unlike many of its predecessors, which often repurpose existing botnet code, Kaiji was developed from scratch, introducing a new set of challenges for cybersecurity professionals. Named after a function observed in its code as well as a Japanese manga series, Kaiji quickly gained attention for its unusual approach to compromising devices and launching large-scale distributed denial-of-service (DDoS) attacks. Kaiji was originally believed to have originated in China but has since spread globally, exploiting vulnerabilities in exposed IoT devices and servers. The malware is unique in that it is written in the Go programming language, a trend that has recently been adopted by cybercriminals looking for efficiency and scalability in their attacks. This shift to Go, or GoLang, contrasts with the more traditional programming languages used in IoT malware, such as C and C++, signaling a potential new direction in malware development.

Targets

Individuals Information

How they operate

Kaiji’s primary attack vector is SSH brute-forcing, which is employed to gain unauthorized access to IoT devices and servers that have exposed SSH ports. The malware is not sophisticated in the traditional sense; it does not exploit known vulnerabilities in the way that other IoT malware strains do. Instead, Kaiji targets devices with weak or recycled passwords, often using a single password across a vast number of devices. This technique is highly effective when many SSH servers are misconfigured, as it allows Kaiji to try different login credentials repeatedly without needing to breach specific vulnerabilities. Once the malware successfully accesses a device, it can execute its payload, gaining control of the device for further exploitation.
Once Kaiji has infiltrated a system, it performs several key functions. First, the malware attempts to launch distributed denial-of-service (DDoS) attacks at the direction of its operators, using the infected device to flood targeted networks or websites with traffic, effectively rendering them inoperable. Additionally, Kaiji is designed to spread itself further by exploiting any local SSH keys found on compromised systems. The malware can then use these keys to perform additional SSH brute-force attacks on other vulnerable devices, expanding its botnet footprint and creating a self-propagating threat.
One of the most striking technical aspects of Kaiji is its use of the Go programming language. While traditional IoT malware is often written in C or C++, Go provides advantages in terms of portability and performance, making it easier for Kaiji to scale across many devices. The malware is built to be efficient, and its compact design allows it to quickly execute commands and handle large volumes of infected devices. This choice of language also makes it somewhat more challenging for traditional signature-based antivirus solutions to detect the malware, as the Go code structure is less familiar to many existing detection tools.
In its current form, Kaiji remains relatively simple compared to other sophisticated IoT botnets, but it holds significant potential for future growth. As Kaiji’s creators continue to develop and refine the malware, it may incorporate more advanced techniques to evade detection and increase its destructive capabilities. Security researchers note that the growth of Kaiji, driven by its brute-force approach and scalable design, reflects an emerging trend where GoLang is increasingly used for cybercriminal activities. This shift suggests that the future of IoT malware may be marked by a new generation of highly efficient and adaptable botnets. As Kaiji evolves, the threat it poses to both individual users and organizations will likely intensify, necessitating improved security practices, such as stronger password policies and better SSH configuration management, to mitigate its impact.  
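The repeated-login pattern described above is visible in sshd's authentication log. The following added example (not part of the original article) counts failed logins per source address in constructed sample log lines and flags a password login that succeeds once the failure threshold has been reached; the log lines, the `analyze` function and the threshold of 5 are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample sshd auth-log lines (documentation IP ranges, not real data).
# 203.0.113.7 guesses passwords until one works; 198.51.100.20 is a user who
# mistypes once; 192.0.2.15 logs in with a key and never fails.
SAMPLE_LOG = """\
Mar  2 03:14:01 gw sshd[811]: Failed password for root from 203.0.113.7 port 40112 ssh2
Mar  2 03:14:03 gw sshd[813]: Failed password for root from 203.0.113.7 port 40120 ssh2
Mar  2 03:14:05 gw sshd[815]: Failed password for invalid user admin from 203.0.113.7 port 40131 ssh2
Mar  2 03:14:07 gw sshd[817]: Failed password for root from 203.0.113.7 port 40144 ssh2
Mar  2 03:14:09 gw sshd[819]: Failed password for root from 203.0.113.7 port 40150 ssh2
Mar  2 03:14:11 gw sshd[821]: Accepted password for root from 203.0.113.7 port 40177 ssh2
Mar  2 08:30:10 gw sshd[990]: Failed password for alice from 198.51.100.20 port 51500 ssh2
Mar  2 08:30:19 gw sshd[992]: Accepted password for alice from 198.51.100.20 port 51502 ssh2
Mar  2 09:00:00 gw sshd[1001]: Accepted publickey for deploy from 192.0.2.15 port 50022 ssh2
"""

# Matches both "Failed password for root ..." and
# "Failed password for invalid user admin ..." as logged by OpenSSH.
EVENT = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def analyze(log_text, threshold=5):
    """Return {ip: report} for every source with at least `threshold` failures."""
    failures = defaultdict(int)
    users = defaultdict(set)
    breached = {}  # ip -> account whose password login succeeded after the threshold
    for line in log_text.splitlines():
        m = EVENT.search(line)
        if not m:
            continue
        ip, user = m["ip"], m["user"]
        if m["result"] == "Failed":
            failures[ip] += 1
            users[ip].add(user)
        elif m["method"] == "password" and failures[ip] >= threshold:
            breached.setdefault(ip, user)  # guessing followed by success
    return {
        ip: {"failures": n, "users": sorted(users[ip]),
             "compromised_account": breached.get(ip)}
        for ip, n in failures.items() if n >= threshold
    }

if __name__ == "__main__":
    for ip, report in analyze(SAMPLE_LOG).items():
        print(ip, report)
```

A non-empty `compromised_account` is the case that warrants incident response rather than just blocking the source: the password for that account was guessed and should be treated as known to the attacker.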