ESET researchers have spotted a new variant of malware, dubbed Remaiten, which combines different features from other families of malware and uses a unique method of distribution.
The Linux bot performs telnet scans (telnet being both a user command and an underlying TCP/IP protocol for accessing remote computers) to search for embedded systems, including routers, gateways, wireless access points and potentially Internet of Things (IoT) devices, that use default or weak credentials, ESET Malware Researcher Marc-Étienne Léveillé told SCMagazine.com.
Once a vulnerable device is found, Remaiten will send a small executable file, dubbed the Remaiten downloader, to the remote device via telnet to fetch the full Remaiten IRC bot malware from the remote command and control server, Léveillé said.
He said there are multiple downloaders inside the bot to accommodate the different architectures of embedded devices, and the correct one is pushed automatically.
Léveillé said it is unclear why the malware uses this method, but said it is likely to maximize infection success.
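A defender-side detection for the telnet credential scanning described above, added here as an example (it is not code from ESET or from the article). It assumes a constructed syslog-style telnetd log format and a small, assumed list of factory-default usernames:

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telnetd authentication log lines (not a real capture).
SAMPLE_LOG = """\
2016-03-30T10:00:01 telnetd: login failed user=root from=198.51.100.7
2016-03-30T10:00:02 telnetd: login failed user=admin from=198.51.100.7
2016-03-30T10:00:03 telnetd: login failed user=support from=198.51.100.7
2016-03-30T10:00:04 telnetd: login ok user=admin from=198.51.100.7
2016-03-30T10:00:05 telnetd: login ok user=admin from=192.0.2.10
2016-03-30T10:05:00 telnetd: login failed user=admin from=192.0.2.10
"""

# Assumed log line shape; adapt the pattern to the device's real telnetd output.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) telnetd: login (?P<result>ok|failed) "
    r"user=(?P<user>\S+) from=(?P<src>\S+)$"
)

# Assumed set of common factory-default usernames; extend for your vendors.
DEFAULT_USERS = {"root", "admin", "support", "user", "guest"}


def parse(log_text):
    """Turn matching log lines into (timestamp, result, user, source) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"]))
    return events


def detect_credential_scans(log_text, window=timedelta(seconds=60), min_users=3):
    """Flag sources that tried >= min_users distinct default usernames within
    `window`: the telnet default-credential scan pattern the bot relies on.
    Returns {source: {"users_tried": [...], "succeeded": bool}}."""
    by_src = defaultdict(list)
    for ts, result, user, src in parse(log_text):
        by_src[src].append((ts, result, user))
    alerts = {}
    for src, evs in by_src.items():
        evs.sort()
        for t0, _, _ in evs:  # slide a window starting at each event
            in_win = [e for e in evs if t0 <= e[0] <= t0 + window]
            tried = {u for _, _, u in in_win if u in DEFAULT_USERS}
            if len(tried) >= min_users:
                alerts[src] = {"users_tried": sorted(tried),
                               "succeeded": any(r == "ok" for _, r, _ in in_win)}
                break
    return alerts
```

A source that is flagged with `"succeeded": True` is the case to treat as a likely compromise, since the downloader stage follows a successful login.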
Remaiten is a variant of the Kaiten bot, also known as Tsunami, and combines features of the Gafgyt bot, according to a March 30 ESET blog post.
Once a user's device is infected, the bot can be used to launch denial-of-service attacks or download other variants of malware.
Léveillé said users can protect themselves from these kinds of attacks by using strong credentials, and vendors can help prevent these types of infections by not using default credentials in their products and by requiring users to set strong credentials.