After the publication of the source code of Mirai Trojan, experts from Rapidity Networks decided to study the malware themselves and watch what other hackers will do with the source code of IoT malware. The experts have launched a series of decoy servers around the world and began to collect the data. Soon researchers realized that they are monitoring not the Mirai malware. October 5, 2016, Hajime malware was discovered – the worm, which at first glance looks much like Mirai, however, after a more detailed study, it was discovered that this threat is much more serious and dangerous.
Mirai in Japanese means “Future” and Hajime – “beginning”.
The experts write that the infection process with Hajime is divided into three stages. In addition, the threat is called a worm, not without a reason: Hajime is able to reproduce on its own. First, the worm attacks port 23 in attempt to get the login and password of the system by using the brute force. The most common combinations of credentials are hard-coded in the code of Hajime. If the port 23 is closed, or the attack fails, the malware leaves attempts and moves to the next IP-address. If the bruteforce was successful, the worm executes the following commands on the device:
Thus, malware determines if it has infected the Linux system. According to the data of Rapidity Networks, malware attacks ARMv5, ARMv7, Intel x86-64, MIPS and Little-endian platforms, it means that the scope of its activities is much wider than that of similar IoT-threats. Afterwards, Hajime goes to the next stage of the attack. It downloads the 484-bytes file ELF-file and executes it, thereby opening a connection to the attacker’s server. Malware receives a file from the server and executes it as well. In the next stage of the attack this file is used to establish the connection with the PSP-network using the DHT protocol. Through P2P, using DHT and uTP, the Trojan downloads other payloads.
The researchers note that Hajime is similar to several other threats simultaneously. Thus, the worm uses P2P network as well as Rex Trojan; it has a list of usernames and passwords combinations for bruteforce random IP-addresses and spreads itself same as Miari; and also uses the mechanism of infection, consisting of several stages, like NyaDrop. Thus Hajime is written in C, rather than Go, as Rex. It uses P2P networks, and doesn’t work directly with management servers like Mirai. In addition, the malware is dangerous for a number of different platforms, while NyaDrop attacks only devices with MIPS architecture.
Judging by the hard-coded credentials in the code of Hajime, worm attacks CCTV cameras, routers and DVR-systems. More specifically, malware is a threat for Dahua Technologies Companies devices and ZTE Corporation, and also for a number of equipment of other companies that produce products (mainly DVR-systems), as a result of white-label partnership with XiongMai Technologies.
In order to protect your IoT-devices, it is recommended to avoid visiting suspicious websites from them or downloading any unofficial apps. Also, if it is possible, block the port number 23. Use the last version of antivirus software and update virus data base signature as frequent as possible.