Kaiten

Malware updated a month ago (2024-11-29T13:55:36.187Z)
Kaiten, also known as Tsunami, is a malware variant that operates as a Distributed Denial of Service (DDoS) bot and an IRC bot. It targets vulnerable Internet of Things (IoT) devices and poorly protected Linux SSH servers, and is often distributed alongside other DDoS bots such as Mirai and Gafgyt. The Tsunami variant employed in recent hacking campaigns, as reported by AhnLab Security Emergency Response Center (ASEC), is a Kaiten variant known as Ziggy. To maintain persistence and avoid detection, this bot adds itself to the "/etc/rc.local" file and changes the name of the currently running process to "[kworker/0:0]".

The backdoor of this malware runs a secondary payload embedded in the shell script vars.sh; the payload is a slightly modified version of ZiggyStarTux, an open-source IRC bot based on the Kaiten malware. If the target file does not exist, the script downloads the malicious binary from its file server, saves it to the directory /usr/sbin/, and executes it. This downloaded binary could potentially be ZiggyStarTux. The backdoor also runs a modified version of ZiggyStarTux, a Kaiten-based DDoS client, which executes bash commands received from the attacker's Command and Control (C2) server.

In addition to facilitating DDoS attacks, Kaiten has been implicated in stealthy cryptocurrency mining operations. Poorly managed Linux servers are being breached to deliver DDoS bots such as ShellBot and Tsunami (aka Kaiten) and to covertly exploit resources for cryptocurrency mining. Other malware strains designed for similar environments include the Hildegard trojan, Siloscape backdoor, Kaiten botnet, and XMRig Monero miner. The ongoing attack campaign involves the installation of the Tsunami DDoS bot on inadequately managed Linux SSH servers.
Description last updated: 2024-06-06T09:16:52.628Z
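A defender-side check for the process-name masquerade described above, as an added example that is not part of the original page: genuine kernel threads have an empty /proc/<pid>/cmdline and are kthreadd (PID 2) or its children, so a userland process that names itself "[kworker/0:0]" stands out. The function names and the SAMPLE records (including the path /usr/sbin/x) are constructed for illustration.

```python
import os
import re

# ps prints kernel threads in brackets; the kernel itself stores no brackets.
BRACKETED = re.compile(r"^\[[^\]]+\]$")

def is_fake_kthread(pid, ppid, comm, cmdline):
    """True for a userland process posing as a kernel thread."""
    argv0 = cmdline.split(b"\0")[0].decode(errors="replace")
    if BRACKETED.match(argv0) or BRACKETED.match(comm):
        return True  # literal brackets in argv[0] or comm: set by the process
    # Genuine kernel threads: empty cmdline, and kthreadd (PID 2) or its child.
    genuine = cmdline == b"" and (pid == 2 or ppid == 2)
    return comm.startswith("kworker/") and not genuine

def read_proc(pid, root="/proc"):
    """Return (pid, ppid, comm, cmdline) for one /proc entry."""
    base = os.path.join(root, str(pid))
    with open(os.path.join(base, "stat"), "rb") as f:
        stat = f.read().decode(errors="replace")
    # comm may contain spaces or ')', so split on the last ')'.
    comm = stat[stat.index("(") + 1:stat.rindex(")")]
    ppid = int(stat[stat.rindex(")") + 2:].split()[1])
    with open(os.path.join(base, "cmdline"), "rb") as f:
        cmdline = f.read()
    return int(pid), ppid, comm, cmdline

def scan_proc(root="/proc"):
    """Return the records of all flagged processes under root, sorted by PID."""
    hits = []
    for entry in os.listdir(root):
        if not entry.isdigit():
            continue
        try:
            rec = read_proc(entry, root)
        except (OSError, ValueError, IndexError):
            continue  # process exited or is unreadable
        if is_fake_kthread(*rec):
            hits.append(rec)
    return sorted(hits)

# Constructed sample records: (pid, ppid, comm, cmdline)
SAMPLE = [
    (2, 0, "kthreadd", b""),                       # real kthreadd
    (57, 2, "kworker/0:0", b""),                   # real kernel worker
    (4312, 1, "kworker/0:0", b"[kworker/0:0]\0"),  # argv[0] overwritten
    (4400, 1, "[kworker/0:0]", b"/usr/sbin/x\0"),  # comm set with brackets
    (900, 1, "sshd", b"/usr/sbin/sshd\0-D\0"),     # ordinary daemon
]

if __name__ == "__main__":
    for rec in scan_proc():
        print("suspicious:", rec)
```

A hit is a lead to triage, not a verdict; on the same host, review "/etc/rc.local" for entries that launch the flagged process's binary.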
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Alias Description | Votes
Gafgyt is a possible alias for Kaiten. Gafgyt, also known as Bashlite, is a type of malware that targets Linux architecture operating systems with the primary intent to launch distributed denial of service (DDoS) attacks. This malicious software infiltrates systems often through suspicious downloads, emails, or websites, and upon entry,
Votes: 2
Ziggystartux is a possible alias for Kaiten. ZiggyStarTux is a malicious software (malware) that has been identified as part of the arsenal of TeamTNT, a cybercriminal group. The malware, an open-source IRC bot based on the Kaiten malware, was first detailed by Lacework earlier this year. It operates as a backdoor, running a secondary payload
Votes: 2
Ziggy is a possible alias for Kaiten. Ziggy is a malicious software (malware) known for its damaging and exploitative capabilities. This malware, along with xmrig, can be downloaded and executed via specific scripts. It is associated with various hosted files including TDGG, api.key, tmate, tt.sh, sGAU.sh, t.sh, x86_64.so, xmr.sh, xmrig
Votes: 2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Bot
Linux
Botnet
Malware