The Kaiten bot was distributed in some Linux Mint ISO downloads. Here are the IOCs.
According to reports from the Linux Mint Blog, hackers created a backdoored version of the Linux Mint distribution's ISO files and then compromised the Linux Mint website to change the download links to point to the backdoored versions, which were hosted in Bulgaria.
The "Mint Team," maintainers of the distro and operators of the hacked web site, say that the links were only active on February 20th, 2016. These were listed under download "mirror" sites; direct HTTP downloads from Mint Team servers and torrents were not affected. Only backdoored versions of the "Cinnamon" edition were identified, not the "MATE" or "Xfce" editions, which use different default desktop environments.
The Mint Team has reposted hash sums for valid ISO images; however, Linux Mint forum users reported invalid hashes for downloads from at least two other mirrors, the University of Canterbury and Xnet. PhishLabs R.A.I.D. has confirmed that the reported MD5 hash value of these downloads (7d590864618866c225ede058f1ba61f0) matches an ISO that does contain the backdoor.
The window of exposure may be longer than just the day of February 20, 2016. The file that indicates a backdoored system is timestamped on February 19, and the files from the other mirrors may have been active as late as the early morning on February 21. Simply looking for indicators based on the February 20 date may not be enough to identify all incidents.
The backdoored disk images, which can be used to run a "live" version of Linux Mint version 17.3 from a removable disk or to install the operating system to a hard disk, contain a copy of the Kaiten bot. Kaiten is one of the two most widely distributed DDoS bots compiled for the Linux platform. It is written in the C programming language and compiled into an ELF format executable program. Various versions of its source code can be easily located on the Internet.
On startup, Kaiten attempts to connect to one or more IRC (Internet Relay Chat) servers and joins a particular "channel" (chat room) on which it listens for commands. In addition to TCP SYN floods and spoofed and non-spoofed UDP floods, the Kaiten bot provides backdoor download and execute functionality through the GET and SH commands, respectively. In this case, the bot executes commands with root/superuser (UID 0) privileges.
Kaiten is also known as Tsunami, ktx, and STD. Recent versions are most commonly associated with the DDoS threat actor handles "Loonies Squad" and "Shitty Squad". In recent attacks, versions of the Perl-based DDoS tool and backdoor "SERVIDOR", a.k.a. "w0rmb0t", were discovered installed alongside copies of Kaiten.
In a related item, the Mint Team confirms that the user database for the official Linux Mint forums website was leaked online on February 21, 2016. Usernames, email addresses, encrypted forum passwords, and any personal information entered into forum user profiles or posts by forum users have been compromised. Linux Mint forum users are advised to change their passwords.
A threat actor on a popular Dark Web cybercriminal marketplace has claimed credit for the attack. Timelines and details regarding the leaked user database support this actor's claims.
Indicators of Compromise
A backdoored ISO file was known to have been hosted at this IP address:
This IP address is allocated to Verdina.net, a hosting provider, and geolocated to a data center in Sofia, Bulgaria.
The following identifies the backdoored ISO file hosted at the IP address above:
Machines running a backdoored version of the ISO image from a removable disk in "LiveCD" mode will have the following file, which is not part of the official distribution:
The version of Kaiten distributed in the backdoored ISO image file is configured to attempt connections to IRC on port 6667/tcp on the following servers:
Upon connection, the bot joins the C2 IRC channel "#mint" using the password "bleh" and awaits commands.
PhishLabs R.A.I.D. has confirmed that the open source snort rules published by Emerging Threats for Kaiten reliably detect IRC traffic to/from the version of Kaiten distributed with the backdoored ISO image files in this case.
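As an added illustration (not code from the PhishLabs report or the Emerging Threats rules), the following Python parses IRC protocol lines from a constructed session and flags the indicators described above: a JOIN to "#mint" with key "bleh", and messages to that channel carrying the GET or SH command tokens, while other IRC traffic on 6667/tcp is only noted informationally. The sample session, host addresses and the bare-token command check are assumptions made for the example.

```python
import re

# Indicators stated in the report (not a complete Kaiten signature set):
# IRC on 6667/tcp, channel "#mint" joined with password "bleh", GET/SH bot commands.
C2_PORT = 6667
C2_CHANNEL = "#mint"
C2_KEY = "bleh"
BOT_COMMANDS = {"GET", "SH"}

# RFC 1459 line framing: optional ":prefix", a command, space-separated
# middle parameters, and an optional trailing ":text" parameter.
IRC_LINE = re.compile(
    r"^(?::(?P<prefix>\S+) )?(?P<cmd>\S+)(?P<params>(?: (?!:)\S+)*)(?: :(?P<trail>.*))?$")

def parse_irc(line):
    """Split one IRC line into (COMMAND, [params], trailing-or-None)."""
    m = IRC_LINE.match(line.strip())
    if not m:
        return None
    return m.group("cmd").upper(), m.group("params").split(), m.group("trail")

def classify(src, dport, line):
    """Return (alert_tag, src) for one observed line, or None if nothing to report."""
    parsed = parse_irc(line)
    if parsed is None:
        return None
    cmd, params, trail = parsed
    target = params[0].lower() if params else ""
    if cmd == "JOIN" and target == C2_CHANNEL and len(params) > 1 and params[1] == C2_KEY:
        return ("kaiten_c2_join", src)            # exact channel + key from the report
    if cmd == "PRIVMSG" and target == C2_CHANNEL and trail:
        if BOT_COMMANDS & set(trail.split()):     # assumed: bare GET/SH token in the text
            return ("kaiten_c2_command", src)
    if dport == C2_PORT:
        return ("irc_6667_seen", src)             # informational: IRC on the C2 port
    return None

def scan(session):
    """Run classify() over (src_ip, dst_port, line) records and collect alerts."""
    return [a for a in (classify(s, p, l) for s, p, l in session) if a]

# Constructed sample, not captured traffic: two hosts talking to IRC on 6667/tcp.
SAMPLE_SESSION = [
    ("10.0.0.5", 6667, "NICK x1234"),
    ("10.0.0.5", 6667, "JOIN #mint bleh"),
    ("10.0.0.5", 6667, ":op!u@h PRIVMSG #mint :SH uptime"),
    ("10.0.0.9", 6667, "JOIN #ubuntu"),
    ("10.0.0.9", 6667, ":bob!u@h PRIVMSG #ubuntu :get the latest iso"),
]

if __name__ == "__main__":
    for tag, host in scan(SAMPLE_SESSION):
        print(f"{host}: {tag}")
```

Only the two "kaiten_*" tags are worth alerting on; the informational tag exists so that hosts reaching IRC servers on the C2 port can be reviewed against the server list above.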