hailBot is a Mirai-based botnet variant that surfaced in September 2023 and was identified and analysed by the security firm NSFOCUS and by Akamai. It spreads by exploiting vulnerabilities and brute-forcing weak passwords, and takes its name from the string 'hail china mainland', which the bot prints to the console on a successfully compromised host. hailBot also alters the go-live (check-in) packet that the original Mirai sends to its controller, so the modified check-in traffic and the console string together serve as distinctive identifiers for the variant.
Researchers also found additional samples tied to hailBot. Their file names contain the string "skid", in contrast to the "jkxl" file names typical of the JenX Mirai variant. hailBot's command and control (C&C) infrastructure, at IP addresses 5.181.80.120 and 5.181.80.115, had previously been used to distribute multiple decoy documents exploiting CVE-2017-11882 (the Microsoft Office Equation Editor memory corruption vulnerability), indicating that the same operators were already running active campaigns before the botnet appeared.
hailBot has a substantial history of activity, and its attack commands and server responses have been documented, giving defenders insight into how it operates. One notable behaviour is scanning TCP port 23 (Telnet), the classic Mirai tactic for finding devices with default or weak credentials. Together with the C&C addresses and the console string, these observations give security teams concrete indicators on which to build detections for hailBot and related Mirai variants.
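As an added illustration of how these indicators turn into detection logic (example code written for this page, not NSFOCUS's or Akamai's tooling), the following Python script matches the two C&C addresses and the console string quoted above and adds a sliding-window heuristic for the Telnet sweep described in the previous paragraphs. The flow records are constructed, the C&C destination port and the scan thresholds are assumptions, and the record format 'timestamp src dst dport' is a stand-in for whatever your NetFlow or Zeek conn log actually provides.

```python
"""Hunt for the hailBot indicators named in the text over constructed flow
records and captured console output. Added example, not NSFOCUS/Akamai code."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Indicators taken from the description above.
HAILBOT_C2 = {"5.181.80.120", "5.181.80.115"}
HAILBOT_MARKER = b"hail china mainland"

# Telnet fan-out heuristic: these thresholds are assumptions chosen for the
# example, not values from the page; tune them to your network.
SCAN_WINDOW = timedelta(seconds=60)
SCAN_DISTINCT_DSTS = 20


def parse_flow(line):
    """Parse a constructed record of the form 'ISO-timestamp src dst dport'."""
    ts, src, dst, dport = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport)


def detect(flows, console_output=b""):
    """Return alerts as (kind, source, detail) tuples, in the order they fire.

    flows: iterable of flow record strings sorted by timestamp.
    console_output: bytes captured from a suspect host's console or a sandbox.
    """
    alerts = []
    telnet_hist = defaultdict(deque)   # src -> deque of (ts, dst) on port 23
    flagged = set()                    # sources already reported as scanners

    for line in flows:
        ts, src, dst, dport = parse_flow(line)

        # Direct hit: any traffic to a known hailBot controller address.
        if dst in HAILBOT_C2:
            alerts.append(("c2_contact", src, dst))

        # Behavioural hit: one source touching many distinct hosts on port 23
        # inside a sliding window, the Mirai-style Telnet sweep.
        if dport == 23:
            hist = telnet_hist[src]
            hist.append((ts, dst))
            cutoff = ts - SCAN_WINDOW
            while hist and hist[0][0] < cutoff:
                hist.popleft()
            distinct = {d for _, d in hist}
            if len(distinct) >= SCAN_DISTINCT_DSTS and src not in flagged:
                flagged.add(src)
                alerts.append(("telnet_scan", src, len(distinct)))

    # Host-side hit: the string the bot prints after a successful compromise.
    if HAILBOT_MARKER in console_output:
        alerts.append(("hailbot_marker", None, HAILBOT_MARKER.decode()))

    return alerts


def sample_flows():
    """Constructed flow records (not real captures): one infected host sweeping
    Telnet and then checking in to a listed C&C, plus a benign admin host."""
    base = datetime(2023, 9, 20, 10, 0, 0)
    lines = []
    for i in range(25):                       # 25 targets in 48 seconds
        t = base + timedelta(seconds=2 * i)
        lines.append(f"{t.isoformat()} 192.0.2.10 198.51.100.{i + 1} 23")
    for i in range(3):                        # a few legitimate Telnet sessions
        t = base + timedelta(seconds=5 * i)
        lines.append(f"{t.isoformat()} 192.0.2.20 198.51.100.{50 + i} 23")
    t = base + timedelta(seconds=55)          # C&C port 1234 is a placeholder
    lines.append(f"{t.isoformat()} 192.0.2.10 5.181.80.120 1234")
    lines.sort()                              # fixed-width ISO timestamps sort correctly
    return lines


if __name__ == "__main__":
    for alert in detect(sample_flows(), console_output=b"hail china mainland\n"):
        print(alert)
```

Run against the constructed data, the infected host 192.0.2.10 is flagged as a Telnet scanner when it reaches its 20th distinct target, then again for contacting 5.181.80.120, while the admin host with three Telnet sessions stays quiet; the console check fires independently of the network data. The C&C address match is the only high-confidence rule here; the fan-out heuristic will also catch legitimate inventory scanners, so it belongs in a hunting query rather than a paging alert unless paired with one of the other indicators.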
Description last updated: 2024-05-04T17:11:03.630Z