Security experts reported that a brand new malware is targeting embedded systems in order to compromise and make them part of a botnet.
The newly-found threat is called “Remaiten” (Linux/ Remaiten) and it combines the capabilities of previously spotted Tsunami (also known as Kaiten) and Gafgyt malware, alongside a bunch of improvements and additional features. Until now, the researchers have noted three versions of Remaiten, and the creators of malware call it “KTN-Remastered” or “KTN-RM.”
A capability which Remaiten has borrowed from Gafgyt is the so called “telnet scanning”, though Remaiten received much more improvements when compared to Gafgyt. Neverheless, both of them rely on improperly secured devices to successfully infect them.
Gafgyt tries to connect to random routers via port 23, which after that issues a shell command to download bot executables for multiple architectures and tries to run them. While Remaiten, carries downloaders for CPU architectures commonly used in embedded Linux devices, and then tries to trigger the device’s platform to drop only the appropriate downloader.
Once executed, the bot runs in the background and changes its process name to look legitimate, with two versions using “-bash” for that (namely Remaiten 2.0 and 2.1), and the third (version 2.2) using “-sh.” After that, using the create_daemon function, the bot creates a file named “.kpid” in one of the predefined daemon directories and writes its PID to a file.
The bot binaries include a hardcoded list of C&C server IP addresses, and the malware chooses one at random and connects to it on a hardcoded port. After being successfully connected to the C&C server, the bot checks-in on the IRC channel, and the server replies with a welcome message and further instructions.
The IRC supports different type of commands. One of these is “PRIVMSG,” which is used to instruct the bot to perform nefarious operations like flooding, downloading files, and telnet scanning. Most of these capabilities come from the Linux/Tsunami malware, while the rest are borrowed from Linux/Gafgyt.
The bot sends to the C&C server information such as device’s IP address, the successful username and password pair, and whether it infected the other device or not. Besides, the malware supports a “KILLBOTS” command, which lets is enumerate running processes and kill some of them based on a few criteria, mainly because of their names.
According to the malware experts, Remaiten version 2.2 includes a wget/tftp command to download a shell script which downloads the bot binaries, including files that target platforms such as PowerPC and SuperH.
Apparently, hackers are ready for any situation, as they went into the trouble of compiling their malware for the above-mentioned architectures.
