PINDROP BLOG

Hajime Malware Joins Mirai in Targeting IoT Devices

Mirai is no longer the only game in town when it comes to IoT malware.

A new piece of malware known as Hajime is infecting some of the same kinds of embedded devices that Mirai has been targeting for several months. The malware has infected thousands of IoT devices in recent weeks and researchers say it has a modular design that could allow the creator to add functionality in the future. Right now, Hajime isn’t being used for DDoS attacks, but it is targeting IoT devices with open Telnet ports and default usernames and passwords.

While Hajime has a number of functions and traits that line up with Mirai, it also includes several unique capabilities. Most notably, after it establishes a foothold on a new device, Hajime closes several ports that Mirai is known to use for initial infections. It also doesn’t have a central command-and-control server, but instead uses a decentralized architecture that allows the malware’s creator to push messages to all of the infected devices from any of the peers in the network.

“Hajime is also stealthier and more advanced in comparison to Mirai. Once on an infected device, it takes multiple steps to conceal its running processes and hide its files on the file system. The author can open a shell script to any infected machine in the network at any time, and the code is modular, so new capabilities can be added on the fly. It is apparent from the code that a fair amount of development time went into designing this worm,” Waylon Grange of Symantec wrote in an analysis of the Hajime malware.

Grange said there are tens of thousands of devices infected by Hajjime right now, and a large portion of them are in Brazil, Iran, and Thailand. Like Mirai, Hajime infects new devices by taking advantage of open Telnet connections that have default credentials. But rather than launching DDoS attacks or taking some other malicious action, Hajime displays a somewhat cryptic message every 10 minutes on infected devices, saying that the author is a white hat trying to secure weak systems.

“However, there is a question around trusting that the author is a true white hat and is only trying to secure these systems, as they are still installing their own backdoor on the system. The modular design of Hajime also means if the author’s intentions change they could potentially turn the infected devices into a massive botnet,” Grange said.

The Mirai botnet has been active for several months and has been involved in a number of enormous DDoS attacks, including one that knocked DNS provider Dyn offline for several hours. The botnet is actually not just one network but several different ones controlled by various attackers. In February, authorities in the U.K. arrested a man in connection with a Mirai attack on Deutsche Telekom home routers.

Image: Eli Christman, CC By license