Mirai Botnet’s New Wave: hailBot, kiraiBot, catDDoS, and Their Fierce Onslaught (NSFOCUS)

NSFOCUS documents three new Mirai-based botnets, hailBot, kiraiBot, and catDDoS, covering their spread, their distinct capabilities, and the techniques they use to evade detection. The report details propagation (vulnerability exploitation and weak-password brute force), persistence tricks, encryption of key data, and covert C2 and check-in tactics used by these IoT-focused threats.

Keypoints

  • Three new Mirai-based botnet families are active: hailBot, kiraiBot, and catDDoS, each spreading quickly and already widely deployed.
  • hailBot spreads by exploiting CVE-2017-17215 (Huawei HG532 router RCE) and by weak-password scanning and brute force, i.e. multi-vector propagation.
  • hailBot has also been tied to bait documents (e.g., INVOICE.xlsx) that deliver Lokibot and Formbook; both are credential/information stealers rather than DDoS payloads, so the operators overlap with, or reuse infrastructure from, infostealer campaigns (consistent with the CVE-2017-11882 Office Equation Editor indicator listed below).
  • kiraiBot persists by dropping a self-start script into /etc/init.d, supports multiple DDoS attack modes, scans aggressively, and embeds the string “kirai” in its traffic, which gives defenders a usable network signature.
  • catDDoS encrypts key information with ChaCha20, sends its check-in (“go-live”) data to the server in multiple rounds, and its targets skew heavily toward China; common attack methods include ack_flood and grip_flood.
  • The report highlights covert C2: C2 domains on OpenNIC or ClouDNS and malicious IPs bound to benign-looking domains, a trend toward harder-to-block C2 channels in Mirai-derived threats.
  • Overall, these variants show the continued evolution of Mirai/Gafgyt-based botnets toward stronger anti-analysis and evasion techniques.
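The kiraiBot persistence point above (the same behaviour is mapped to T1547 in the MITRE list) is something a responder can hunt for directly on a suspect device. The following Python is an added example, not NSFOCUS’s tooling or the bot’s code: it walks an init.d directory and flags scripts that launch binaries from volatile or hidden paths or carry a “kirai”/“mirai” marker. The heuristics, the path list, and the four sample scripts (including the names `S99kirai` and `rcS`) are constructed for illustration.

```python
"""Hunt for Mirai-style self-start scripts under /etc/init.d (added example)."""
from __future__ import annotations

import re
import tempfile
from pathlib import Path

# Locations a legitimate init script has no business executing from (assumed list).
VOLATILE_PREFIXES = ("/tmp", "/var/tmp", "/dev/shm", "/run", "/var/run", "/data/local/tmp")
# "kirai" is the marker the report describes; "mirai" is the parent family name.
FAMILY_MARKERS = (b"kirai", b"mirai")
# Absolute paths not glued to a preceding word character (so "./x" is not matched).
_ABS_PATH = re.compile(r"(?<![\w.-])(/[\w./-]+)")


def _is_volatile(path: str) -> bool:
    return any(path == p or path.startswith(p + "/") for p in VOLATILE_PREFIXES)


def analyse_script(script: Path) -> list[str]:
    """Return human-readable reasons why this init script looks like bot persistence."""
    reasons: list[str] = []

    def note(reason: str) -> None:
        if reason not in reasons:
            reasons.append(reason)

    data = script.read_bytes()
    for marker in FAMILY_MARKERS:
        if marker in data.lower():
            note(f"contains family marker {marker.decode()!r}")
    for line in data.decode("utf-8", "replace").splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # comments and LSB header lines carry no commands
        for ref in _ABS_PATH.findall(stripped):
            if _is_volatile(ref):
                note(f"runs or reads from volatile location {ref}")
            if any(part.startswith(".") for part in ref.split("/") if part):
                note(f"references hidden path {ref}")
    return reasons


def scan_initd(initd: Path) -> dict[str, list[str]]:
    """Map script name -> reasons for every script in the directory that trips a rule."""
    findings: dict[str, list[str]] = {}
    for entry in sorted(initd.iterdir()):
        if entry.is_file():
            reasons = analyse_script(entry)
            if reasons:
                findings[entry.name] = reasons
    return findings


# Constructed fixture: two ordinary init scripts and two bot-style droppers.
SAMPLE_SCRIPTS = {
    "sshd": "#!/bin/sh\n### BEGIN INIT INFO\n# Provides: sshd\n### END INIT INFO\n"
            "exec /usr/sbin/sshd -D >/dev/null 2>&1\n",
    "networking": "#!/bin/sh\n/sbin/ifup -a\n",
    "S99kirai": "#!/bin/sh\n/tmp/.k/kirai >/dev/null 2>&1 &\n",
    "rcS": "#!/bin/sh\ncd /dev/shm && ./.x86 -s\n",
}


def build_fixture() -> Path:
    """Write the constructed scripts into a temporary init.d-style directory."""
    root = Path(tempfile.mkdtemp(prefix="initd-"))
    for name, body in SAMPLE_SCRIPTS.items():
        (root / name).write_text(body)
    return root


if __name__ == "__main__":
    for name, why in scan_initd(build_fixture()).items():
        print(name, "->", "; ".join(why))
    # On a live device: scan_initd(Path("/etc/init.d"))
```

The `/dev/null` redirections in the benign scripts do not trip the volatile-path rule because only `/dev/shm` is listed, not `/dev` as a whole; extend `VOLATILE_PREFIXES` to match the writable directories of the firmware you are examining.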

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – hailBot propagates by exploiting a vulnerability (CVE-2017-17215) to spread. ‘The hailBot spreads through vulnerability exploitation and weak password scanning & brute force.’
  • [T1110] Brute Force – hailBot propagates by weak password scanning and brute force to breach exposed services. ‘The hailBot spreads through vulnerability exploitation and weak password scanning & brute force.’
  • [T1547] Boot or Logon Autostart Execution – kiraiBot persists by setting a self-starting script under /etc/init.d. ‘The kiraiBot implements persistence by setting the self-starting script under /etc/init.d/init.d/.’
  • [T1027] Obfuscated/Encrypted Files and Information – catDDoS encrypts and stores key information using ChaCha20, and its check-in traffic mixes plaintext with ChaCha20 ciphertext. ‘The go-live data packets sent to the server end are composed of plaintext and ciphertext encrypted by the ChaCha20 algorithm.’
  • [T1071.001] Web Protocols – catDDoS C2 communication hides behind domain tricks: malicious IPs are bound to benign-looking domains via ClouDNS or OpenNIC, and the check-in itself is split across rounds (for the DNS-side evasion, T1568 Dynamic Resolution is the closer ATT&CK fit). ‘This variant has adjusted the go-live process of the original Mirai, and the go-live data is sent to the server in multiple rounds.’
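The catDDoS keypoint and the T1027/T1071 entries describe a check-in (“go-live”) packet that is part plaintext, part ChaCha20 ciphertext, sent in several rounds. The following Python is an added example, not NSFOCUS’s code and not the bot’s real wire format: the packet layout (1-byte version, 1-byte round number, 12-byte nonce, 2-byte length, then ciphertext of ASCII `key=value;` fields), the sample key, nonces and field names are all assumptions made for illustration. ChaCha20 itself is implemented per RFC 8439 and checked against that RFC’s block-function test vector, so the block runs without third-party libraries.

```python
"""ChaCha20-wrapped bot check-in ("go-live") packets (added example)."""
import struct

MASK = 0xFFFFFFFF


def _rotl(v: int, n: int) -> int:
    return ((v << n) & MASK) | (v >> (32 - n))


def _quarter_round(s: list, a: int, b: int, c: int, d: int) -> None:
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 7)


def chacha20_block(key: bytes, counter: int, nonce: bytes) -> bytes:
    """One 64-byte keystream block, RFC 8439 layout (32-byte key, 12-byte nonce)."""
    state = (list(struct.unpack("<4I", b"expand 32-byte k"))
             + list(struct.unpack("<8I", key)) + [counter & MASK]
             + list(struct.unpack("<3I", nonce)))
    work = state[:]
    for _ in range(10):  # 10 double rounds = 20 rounds
        _quarter_round(work, 0, 4, 8, 12); _quarter_round(work, 1, 5, 9, 13)
        _quarter_round(work, 2, 6, 10, 14); _quarter_round(work, 3, 7, 11, 15)
        _quarter_round(work, 0, 5, 10, 15); _quarter_round(work, 1, 6, 11, 12)
        _quarter_round(work, 2, 7, 8, 13); _quarter_round(work, 3, 4, 9, 14)
    return struct.pack("<16I", *((w + s) & MASK for w, s in zip(work, state)))


def chacha20_xor(key: bytes, nonce: bytes, data: bytes, counter: int = 1) -> bytes:
    """Encrypt or decrypt (same operation): XOR data with the keystream."""
    out = bytearray()
    for off in range(0, len(data), 64):
        block = chacha20_block(key, counter + off // 64, nonce)
        out += bytes(x ^ k for x, k in zip(data[off:off + 64], block))
    return bytes(out)


# ASSUMED packet layout, not the real catDDoS format: a plaintext header
# (version, round number, nonce, ciphertext length) followed by the ChaCha20
# ciphertext of ASCII "key=value;" fields describing the bot.
HEADER = struct.Struct("<BB12sH")
VERSION = 1


def build_go_live(key: bytes, round_no: int, nonce: bytes, fields: dict) -> bytes:
    """Bot side: encrypt the fields and prepend the plaintext header."""
    body = chacha20_xor(key, nonce, ";".join(f"{k}={v}" for k, v in fields.items()).encode())
    return HEADER.pack(VERSION, round_no, nonce, len(body)) + body


def parse_go_live(key: bytes, pkt: bytes) -> dict:
    """Analyst side: decrypt a captured check-in; ValueError on a wrong key or corrupt packet."""
    if len(pkt) < HEADER.size:
        raise ValueError("short packet")
    version, round_no, nonce, clen = HEADER.unpack_from(pkt)
    body = pkt[HEADER.size:]
    if version != VERSION or len(body) != clen:
        raise ValueError("header/body mismatch")
    try:
        text = chacha20_xor(key, nonce, body).decode("ascii")
    except UnicodeDecodeError:
        raise ValueError("decryption produced garbage: wrong key or tampered body") from None
    fields = dict(kv.split("=", 1) for kv in text.split(";") if kv)
    return {"round": round_no, "fields": fields}


def rfc8439_self_test() -> bool:
    """Block-function known-answer test from RFC 8439 section 2.3.2."""
    key = bytes(range(32))
    nonce = bytes.fromhex("000000090000004a00000000")
    return chacha20_block(key, 1, nonce)[:16].hex() == "10f1e7e4d13b5915500fdd1fa32071c4"


# Constructed sample key and two check-in rounds a bot might send.
SAMPLE_KEY = bytes.fromhex("0f" * 32)
ROUNDS = [
    (1, bytes.fromhex("a1" * 12), {"arch": "arm7", "ver": "1.0"}),
    (2, bytes.fromhex("b2" * 12), {"id": "node-17", "caps": "ack_flood,grip_flood"}),
]

if __name__ == "__main__":
    print("RFC 8439 KAT:", "ok" if rfc8439_self_test() else "FAIL")
    for rnd, nonce, fields in ROUNDS:
        pkt = build_go_live(SAMPLE_KEY, rnd, nonce, fields)
        print(f"round {rnd}: {len(pkt)} bytes ->", parse_go_live(SAMPLE_KEY, pkt))
```

Two points worth noting when reversing a real sample: ChaCha20 is a stream cipher, so a bot that reuses one key/nonce pair across rounds leaks the XOR of the two plaintexts, and the plaintext header is exactly what a network signature should key on, since it never changes while the ciphertext does.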

Indicators of Compromise

  • [Hash (MD5)] – 3f30a468b56c5761e346f3e709fd098e (first of the three sample hashes; the kiraiBot and catDDoS samples are labelled below)
  • [IP Address] – 34.147.16.24, 34.165.70.211, 34.176.112.249
  • [IP Address] – 5.181.80.115, 5.181.80.120, 5.181.80.70, 5.181.80.71
  • [Hash (MD5)] – 33ea03c6fdb4bcd826f99ca7ae8b5907 (kiraiBot)
  • [IP Address] – 179.43.155.231
  • [Hash (MD5)] – 12fe77575c11b698501e2068810823a4 (catDDoS)
  • [IP Address] – 139.177.197.168, 212.118.43.167, 77.105.138.202, 84.54.47.93, 88.218.62.22, 88.218.62.221
  • [CVE] – CVE-2017-17215 (Huawei HG532 router RCE, used by hailBot for propagation), CVE-2017-11882 (Microsoft Office Equation Editor memory corruption)
  • [File Name] – INVOICE.xlsx, Product_requetslist.xlsx, CIF WMS REF NO 451RFQ ARN-DT-2021-06-29.xlsx

Read more: https://nsfocusglobal.com/mirai-botnets-new-wave-hailbot-kiraibot-catddos-and-their-fierce-onslaught/?web_view=true