New Hakai IoT botnet is silently growing, targeting D-Link, Huawei and Realtek routers

  • The Hakai botnet was first discovered in June and is based on the LizardStresser botnet.
  • The botnet has been hijacking IoT devices that still contain the vendor-provided default passwords or have weak passwords.

A new IoT botnet has been discovered that has been silently growing and becoming more sophisticated. The botnet, dubbed Hakai (Japanese for destruction), has been targeting D-Link, Huawei and Realtek routers.

The botnet was first discovered in June by security researchers at NewSky Security and is based on the infamous LizardStresser botnet. Ankit Anubhav, a NewSky Security researcher, told ZDNet that the first version of the Hakai botnet was not all that active and was fairly unsophisticated.

Hakai botnet creator wanted publicity

The creator of Hakai was reportedly looking for publicity.

"He asked me to cover it," Anubhav told ZDNet. "He even put my photo in the command and control server's homepage at hakaiboatnet[.]pw."

Despite having been fairly inactive in its infancy, Hakai grew rapidly, with the first Hakai attack observed in mid-July. By mid-August the botnet’s activities had garnered the interest of other researchers as well.

According to security researcher Jouini Ahmed, although Hakai initially only targeted Huawei routers, the botnet later expanded its attacks to hijack D-Link and Realtek routers. Using a telnet scanner, the botnet targeted IoT devices that still contain the vendor-provided default passwords or use weak passwords, hijacking them without much difficulty.

Hakai targeting Latin America

Security experts at Tempest Security observed Hakai using 119 IP addresses to target Latin America, specifically Brazil.

“The infection method is the same as used by other botnets that have been widely reported by Tempest and other researchers,” Tempest Security researchers said in a blog. “After the infection, the device connects to the attacker’s control panel and receives commands to attack or to attempt to infect other devices. The control panel closely resembles the Gafgyt botnet, which had its source code released years ago and was also identified as LizardStresser — the botnet used by the Lizard Squad group in its DDoS-as-a-service.”

Hakai creator goes dark

ZDNet reported that after the recent arrest of the Satori botnet operator Nexus Zeta, the Hakai botnet’s creator appears to have gone dark. The cybercriminal has reportedly moved the botnet’s C2 server and stopped contacting security researchers. Hakai’s creator appears to have learnt from Nexus Zeta’s mistake of seeking publicity and is now attempting to hide his tracks.