Kiraibot

KiraiBot is a recent and active malware, identified as part of the Mirai botnet variant family in September 2023 by NSFOCUS's global threat hunting system. It is one of several new botnet variants developed based on the Mirai source code, alongside hailBot and catDDoS. However, kiraiBot is unique in its design, incorporating personal elements that differentiate it from traditional Mirai class botnets. This significant change in code structure has allowed kiraiBot to accelerate its spread and become widely deployed, thereby posing a considerable threat to digital security. The propagation mode of kiraiBot is primarily through breaching port 23 via weak password scanning. The string "kirai" appears in the scan traffic of the botnet, with the report server set up similarly to Mirai to receive breach results. Furthermore, kiraiBot implements persistence by setting a self-starting script under the /etc/init.d/ directory, ensuring its continued operation even after system reboots. In terms of its functionality, kiraiBot supports various attack methods, as shown in the instructions it issues. It also uses a go-live data packet for communication and has designated storage sites for its propagation scripts. Given its rapid proliferation and the potential damage it can cause, ongoing monitoring and robust countermeasures are necessary to mitigate the threats posed by kiraiBot and similar botnet variants.