New Hakai IoT botnet takes aim at D-Link, Huawei, and Realtek routers

Security researchers have spotted a new strain of IoT malware that has been growing in sophistication and silently infecting more and more devices online.
Written by Catalin Cimpanu, Contributor

After silently growing in the shadows for months, a new IoT botnet is now making its presence felt online, popping up on more and more security researchers' radars in the past two weeks.

Tracked by the infosec community as Hakai (the Japanese word for "destruction"), this botnet was first spotted in June by security researchers from NewSky Security.

That initial version of Hakai was based on Qbot (also known as Gafgyt, Bashlite, Lizkebab, Torlus or LizardStresser), an IoT malware strain that leaked online several years back. This first version of the botnet was unsophisticated and rarely active, Ankit Anubhav, a security researcher for NewSky Security, told ZDNet today.

Anubhav said the botnet author was initially looking for publicity and attention. "He asked me to cover it," said Anubhav. "He even put my photo in the command and control server's homepage at hakaiboatnet[.]pw."

Ankit Anubhav

But Hakai didn't remain in this innocent state for long. The botnet started actively hijacking user devices on a consistent basis about a month later. "The first ever Hakai exploit attack was seen on July 21," Anubhav told ZDNet. That exploit leveraged CVE-2017-17215, a vulnerability affecting Huawei HG352 routers, the researcher told us.

Since then, Hakai activity has been steadily going up. By mid-August, other researchers were also beginning to take notice of this new fledgling botnet, and were seeing Hakai grow to target more devices and vulnerabilities.

Also see: What is the IoT? Everything you need to know about the Internet of Things right now |

Security researcher Jouini Ahmed noted that Hakai had expanded its initial Huawei exploit to also include exploits that targeted D-Link routers supporting the HNAP protocol, but also Realtek routers and IoT devices that were using an older and vulnerable version of the Realtek SDK. Anubhav also told ZDNet that as Hakai matured, it also broadened its capabilities with two more D-Link router exploits [1, 2].

But on top of all the exploits, the botnet also included a highly efficient Telnet scanner. For these scans, the exploits aren't needed, and the Hakai malware takes over devices belonging to users who did not change default passwords or were using simple passwords in the form of root, admin, 1234, and others.

By early and mid-August, as Hakai gained more steam with new exploits and infected devices, Tempest Security was reporting that Hakai had grown tremendously and was showing "signs of intense activity in Latin America."

Furthermore, the Hakai codebase also seems to have made it into the hands of other people. Earlier today, Anubhav confirmed a report from last week by Intezer Labs that two different Hakai-based variants --named Kenjiro and Izuku-- were also spreading online.

But while the Hakai botnet is now growing into a looming and impending threat, the author's braggadocio attitude has disappeared entirely, cutting off contact with security researchers and moving command and control servers.

This sudden change in the behavior of Hakai author is related to the recent arrest of Nexus Zeta, the operator of another IoT botnet named Satori.

Just like the Hakai author, Nexus Zeta bragged online about his botnet's capabilities and constantly sought media coverage from researchers and infosec journalists, including from this reporter. His foolish approach left a trail of breadcrumbs that authorities had no difficulty in tracking to discover his real-world identity, an error the Hakai author doesn't seem intent on following.

Editorial standards