ELF64_KAITEN.AA

This malware is involved in the February 2016 compromise of an open-source Linux OS distribution website. It may find its way into users' systems by being embedded in a downloaded Linux Mint ISO file. Users affected by this malware may find the security of their system compromised.

To get a one-glance comprehensive view of the behavior of this Backdoor, refer to the Threat Diagram shown below.

This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It executes commands from a remote malicious user, effectively compromising the affected system.

Arrival Details

This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Backdoor Routine

This Backdoor joins any of the following IRC channel(s):

• #{BLOCKED}t

It executes the following commands from a remote malicious user:

• execute shell command
• send arbitrary irc command to server
• send help instructions
• terminates current process
• send "Kaiten wa goraku" via NOTICE command
• download arbitrary file from arbitrary url
• enables packeting
• disables packeting
• change spoofing
• get current spoofing
• set server
• set nickname
• send non-spoof udp flood on arbitrary site
• send udp flood on arbitrary site
• send syn flood on arbitrary site
• send push - ack flood on arbitrary site

It connects to the following URL(s) to send and receive commands from a remote malicious user:

• {BLOCKED}s.{BLOCKED}vodka.com
• {BLOCKED}.{BLOCKED}nux.com
• {BLOCKED}awdinarry.{BLOCKED}lerepo.com
• {BLOCKED}int.{BLOCKED}-org.org