Kaiten

Malware updated a month ago (2024-11-29T13:55:36.187Z)

Download STIX

Preview STIX

Kaiten, also known as Tsunami, is a malware variant that operates as a Distributed Denial of Service (DDoS) bot and an IRC bot. It targets vulnerable Internet of Things (IoT) devices and poorly protected Linux SSH servers, often being distributed alongside other DDoS bots like Mirai and Gafgyt. The Tsunami variant employed in recent hacking campaigns, as reported by AhnLab Security Emergency Response Center (ASEC), is a Kaiten variant known as Ziggy. To maintain persistence and avoid detection, this bot writes itself on the "/etc/rc.local" file and changes the name of the currently running process to "[kworker/0:0]". The backdoor of this malware runs a secondary payload embedded in the shell script vars.sh, which is a slightly modified version of ZiggyStarTux, an open-source IRC bot based on the Kaiten malware. If the target file does not exist, the script downloads and executes the malicious binary from its file server, saving it to the directory /usr/sbin/. This downloaded binary could potentially be ZiggyStarTux. The backdoor also runs a modified version of a Kaiten malware-based DDoS client called ZiggyStarTux that executes bash commands received from the attacker's Command and Control (C2) server. In addition to facilitating DDoS attacks, Kaiten has been implicated in stealthy cryptocurrency mining operations. Poorly managed Linux servers are being breached to deliver DDoS bots such as ShellBot and Tsunami (aka Kaiten) and to covertly exploit resources for cryptocurrency mining. Other malware strains designed for similar environments include the Hildegard trojan, Siloscape backdoor, Kaiten botnet, and XMRig Monero miner. The ongoing attack campaign involves the installation of the Tsunami (another name for Kaiten) DDoS bot on inadequately managed Linux SSH servers.

Description last updated: 2024-06-06T09:16:52.628Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
Gafgyt is a possible alias for Kaiten. Gafgyt, also known as Bashlite, is a type of malware that targets Linux architecture operating systems with the primary intent to launch distributed denial of service (DDoS) attacks. This malicious software infiltrates systems often through suspicious downloads, emails, or websites, and upon entry,	2
Ziggystartux is a possible alias for Kaiten. ZiggyStarTux is a malicious software (malware) that has been identified as part of the arsenal of TeamTNT, a cybercriminal group. The malware, an open-source IRC bot based on the Kaiten malware, was first detailed by Lacework earlier this year. It operates as a backdoor, running a secondary payload	2
Ziggy is a possible alias for Kaiten. Ziggy is a malicious software (malware) known for its damaging and exploitative capabilities. This malware, along with xmrig, can be downloaded and executed via specific scripts. It is associated with various hosted files including TDGG, api.key, tmate, tt.sh, sGAU.sh, t.sh, x86_64.so, xmr.sh, xmrig	2

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Bot

Linux

Botnet

Malware

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Source Document References

Information about the Kaiten Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
DARKReading	6 days ago	Engineering Workstations Fresh Malware Barrage
Trend Micro	7 months ago	Commando Cat: A Novel Cryptojacking Attack Abusing Docker Remote API Servers
CERT-EU	2 years ago	DDoS Malware Distributed Through Compromised Linux SSH Servers
CERT-EU	2 years ago	Cybersecurity threatscape: year 2021 in review
Securityaffairs	2 years ago	New Tsunami botnet targets Linux SSH servers
CERT-EU	2 years ago	New Condi Malware Hijacking TP-Link Wi-Fi Routers for DDoS Botnet Attacks
CERT-EU	2 years ago	Patched OpenSSH Exploited for IoT, Linux Cryptomining
CERT-EU	2 years ago	Linux Servers Hacked to Launch DDoS Attacks and Mine Monero Cryptocurrency
BankInfoSecurity	2 years ago	Hackers Targeting Linux and IoT Devices for Crytomining
CERT-EU	2 years ago	New Cryptocurrency Mining Campaign Targets Linux Systems and IoT Devices
CERT-EU	2 years ago	IoT devices and Linux-based systems targeted by OpenSSH trojan campaign \| Microsoft Security Blog
CERT-EU	2 years ago	Hackers Attack Linux SSH Servers with Tsunami DDoS Malware